What’s the deal with GDPR?

by Gina Burgess

By now you’ve most likely heard something about GDPR (the General Data Protection Regulation). This is a European Union law that goes into effect on May 25, 2018. So what does a law in Europe have to do with global online business? I’m so glad you asked!

It only affects you if you do business with, or your website collects personal data from, people who are in the European Union. But it is a good thing for all of us outside the EU, too. It gives us much more control over how our private information is used by anyone and everyone on the Internet. Really!

This is from Randy Ingermanson’s Part 2 blog about the GDPR… You can read Part 1 here.

    • Don’t be so sure you’re not collecting any private data at all. Websites are complicated beasts with a lot of moving parts under the hood. Here are some ways you may be collecting private data on your website or blog that you may not have thought of:

      • Do you have a contact form that lets people email you?
      • Do you have an email newsletter list?
      • Do you allow people to post comments on your blog or your website?
      • Are you an affiliate of Amazon or Apple iBooks or any other online store?
      • Do you have Facebook Like buttons? Or Twitter Tweet buttons? Or any other social media buttons?
      • Do you track visitors to your site with Google Analytics or some other tracking tool?
      • Do you have any sort of cookies on your site?
      • Do you have a Facebook “pixel” on your site?
      • Do you use Feedburner for your blog?
      • Do you use a spam protection service, such as Akismet?

Any one of these brings you within the scope of the GDPR.

The first thing to make sure you have is a privacy policy. Any form you have that takes information for blog sign-ups, newsletter sign-ups and the like needs to tell the person filling it out something like: By filling out this form you are sharing your name and contact information freely so that I can send you emails that contain news and promotional information about my business.

If you blog with Blogger, you don’t have to worry, because Blogger doesn’t share any personal information about your followers with you, the blogger. If you blog with WordPress, they have this covered and you should have received an email telling you what to do. In fact, most organizations around the net have made changes to comply, such as MailChimp and other contact managers. It’s only scary if you stick your head in the sand.

Here is the link to some frequently asked questions about GDPR from GDPR.org (the horse’s mouth, so to speak). It’s written in easy-to-read, plain English. The fact is, most businesses around the globe won’t be hurt by it if they take the time to comply.

Just know that if you get just one complaint from just one person, or you don’t comply when just one EU or UK person asks you to remove their information from your database, you can be heavily fined. You do have about a month (30 days) to respond to such a request, though.

Remember, I am not a lawyer, this is not legal advice. I’m just sharing how I understand this GDPR stuff.

The way I understand it, the person needs to give consent before their information is saved to your list, database, website database, etc., so if they are notified before they fill out the contact form and then fill it out, that is consent. Therefore, put verbiage such as the notification above on your contact form, and keep evidence that the person filled out that form (for a small business, the notification email telling you that so-and-so just signed up for your newsletter should suffice). Don’t delete those notifications.

As a small business whose core activity isn’t large-scale monitoring of people, you don’t have to designate a Data Protection Officer.

If the personal information is necessary to perform a contract, you don’t need separate consent, for example editors editing a manuscript, authors sending out an ARC, or using beta readers, or something of that nature.

GDPR gives people the right to find out how their personal information is being used. Explaining this in your privacy policy covers most of it; you still have to answer someone who asks you directly.

You can read a whole lot more about it on Wikipedia (be sure to check the references for legitimacy).

So what do you think? Is this better or worse?


12 thoughts on “What’s the deal with GDPR?”

  1. What I don’t understand is how the European Union can have jurisdiction over US citizens. How can their laws apply to others outside the EU? By what process would they fine somebody and get them to pay?

    1. Cara, this is difficult for me to understand as well. It has something to do with trade agreements and international law agreements. Maybe someone else can explain it for us.

  2. So does this mean I cannot sell my printed books to anyone in the EU or UK or Ireland (countries where they speak English…my books are not in any other language), and does this mean no one in the EU or UK or Ireland where they speak and read English can download my FREE PDF e-book ‘The Prodigal Band’? - Deb Lagarde, OmegaBooks

    1. No, no, Deborah. It doesn’t mean that at all. The GDPR just means that when you gather emails from your fans for your email list, they have the right to ask to be removed from your list, to know how you use their information and store it in your database. That’s mainly it. It has nothing to do with how or where you sell your books. Just how you gather personal information used to promote your books 😉

  3. My blog is on WordPress, designed for me by Tamy, but I don’t have an email from WordPress telling me how to do this, and I don’t know how to add text to my Squeeze Page. Gina? Tom? Anybody? I want to hold your hand; I want to hold your hand, yeah….

    1. Hi Whitney! Since your page was designed by Tamy, have you emailed her to see what she is doing about getting her clients’ webpages GDPR compliant? Do that first, then email me if you need me, okay? We are currently working to secure a super IT guy, but it’s going to take a little while to get everything settled.

  4. Excellent guidance, Gina. That was my first inclination, but my husband suggested going through you first. Thank you so much. I will keep you posted on this which feels to me like a scary (and stupid) requirement. xoxoxo

  5. NOT TRUE! No foreign government has ANY jurisdiction over American citizens doing business on American soil. We have something here in the United States called sovereignty. If you’re a business, and you have offices in a foreign country, then you may be subject to the law in the country you’re doing business in. However, as an author living in Arizona, the EU has NO SAY WHATSOEVER in how I conduct my business, nor am I bound by any EU regulations. The European Union has no jurisdiction in the United States. They cannot come into my country and arrest me or fine me for doing something legal within the United States.

    1. Hi Gayle,

      I understand your concern. One thing to realize is that we are living in an Internet connected world, and cyberspace is a global entity. The U.S. and the E.U. have a data transfer agreement that is similar to a treaty that is a lawful agreement to comply with various Internet and cyber laws implemented by each other.

      The U.S. Government is complying with GDPR. Just do a Google search about it. This law will affect companies doing business globally much more than it will authors. It was the topic of several questions in Mark Zuckerberg’s Congressional hearing https://www.law.com/legaltechnews/2018/05/04/facebooks-gdpr-challenge-and-the-conundrum-of-consent/

      Forbes Magazine states: Any U.S. company that has a Web presence (and who doesn’t?) and markets their products over the Web will have some homework to do. But to your point: To quickly summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.

      Here’s another excerpt to your point: The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply. https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/#75ea37476ff2

      So, it is very real, and it is very necessary to comply, but it applies only when the person giving their personal information lives and is in the EU when submitting their personal data. This is why I don’t think that small businesses will be affected nearly as much as big corporations.

      There are a lot of scare tactics going around the Net, just remember that if you have a book written in German and you are targeting a German market, then you are smack in the middle of this regulation.

  6. Good news! Tamy graciously added a privacy page, but assures me that this GDPR reg is really for companies doing A LOT of business overseas. It looks a lot like the Privacy Page that The Authors Community has recently added. Anyone can see what Tamy did on mine by going to my website at http://www.RecoveryintheBible.com and clicking on the page called Privacy Policy.
