| Apart from weekly 99-word stories and checking the edits for my forthcoming anthology, I’ve rather neglected my own fiction in recent weeks. Partly because it’s planting and sowing season in my vegetable garden (a.k.a. feeding the slugs); partly because I’ve been grappling with the new General Data Protection Regulations which will become EU law later this week. |  |
For many of us, the most we’ve heard of GDPR is in the torrent of emails requesting us to confirm our willingness to continue receiving communications from organisations that hold our email addresses. Some will have felt relieved at a perceived opportunity to stop the spam (although I doubt it will work that way). Some might be irritated by the demands on their time (even if it only takes a couple of clicks); others amused at the pleas for a continued relationship or threats of missing out. Some, like me, who operate an email newsletter, might have been anxiously wondering about their own obligations.
I think there’s a herd mentality afoot: if other people are asking recipients to resubscribe, shouldn’t I do likewise? Yet this seems to be a herd without a leader: a procession of kids leaving the town of Hamelin without a piper at the front. Or one of those dreadful chain letters that infected our school days before the digital age. Should I resist?
Because there are risks in sending that please-opt-in email. Like Theresa May calling a snap general election last year to strengthen her hand in the Brexit negotiations, it could backfire. Just as going to the people reduced her majority to the extent that she had to strike a deal with a party that cares so much about its electorate it fights to deny them the reproductive rights available in the rest of the UK, either through apathy or irritation, the numbers can go down. Some sources quote a miserly 10% response rate; that can’t be good for small businesses or the economy as a whole.
Besides, I believe my newsletter address list is already GDPR compliant. When I set it up, although tempted to include everyone with whom I’d ever been in email correspondence, MailChimp’s automation system required me to confirm I had permission, and I couldn’t lie. I can proudly say that everyone on my list has either subscribed through the sign-up form on my website or given me permission at an event. So what’s there to worry about, Anne?
I think there’s a herd mentality afoot: if other people are asking recipients to resubscribe, shouldn’t I do likewise? Yet this seems to be a herd without a leader: a procession of kids leaving the town of Hamelin without a piper at the front. Or one of those dreadful chain letters that infected our school days before the digital age. Should I resist?
Because there are risks in sending that please-opt-in email. Like Theresa May calling a snap general election last year to strengthen her hand in the Brexit negotiations, it could backfire. Just as going to the people reduced her majority to the extent that she had to strike a deal with a party that cares so much about its electorate it fights to deny them the reproductive rights available in the rest of the UK, either through apathy or irritation, the numbers can go down. Some sources quote a miserly 10% response rate; that can’t be good for small businesses or the economy as a whole.
Besides, I believe my newsletter address list is already GDPR compliant. When I set it up, although tempted to include everyone with whom I’d ever been in email correspondence, MailChimp’s automation system required me to confirm I had permission, and I couldn’t lie. I can proudly say that everyone on my list has either subscribed through the sign-up form on my website or given me permission at an event. So what’s there to worry about, Anne?
Well, what if I’m mistaken? I don’t want to lose 90% of my subscribers, but I want to play fair. Then there are the fines, quoted in millions of euros, for messing up. Unlikely as it is that the full force of the law would descend on a Z-list author’s news delivered no more than four times a year to a few dozen recipients, standing apart requires a level of self-belief I tend to associate with people who’ve been encouraged to know their own minds since infancy.
Wouldn’t education be a failsafe route to getting it right? By sheer serendipity, just as I was starting to worry, I received an email from FutureLearn, not asking me to opt in, but inviting me (and thousands of others) to join a course on GDPR. Okay, it took time I didn’t have, with headache-inducing technical terminology, but surely it would be worth the effort? Sadly, although I’ve definitely learnt something, the lecturers from the University of Groningen seemed to have bigger issues in mind than newsletter subscription confirmations.
My next step was Twitter where, among the jokes from people who clearly didn’t share my own anxieties, I found this post on GDPR myths from the Information Commissioner’s Office blog. Hurrah! Refreshing consent is not strictly necessary. I can sit tight! Yet I found the following paragraph confusing:
It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act.
To my understanding, these are the circumstances in which we should seek consent. So the confusion continues!
Wouldn’t education be a failsafe route to getting it right? By sheer serendipity, just as I was starting to worry, I received an email from FutureLearn, not asking me to opt in, but inviting me (and thousands of others) to join a course on GDPR. Okay, it took time I didn’t have, with headache-inducing technical terminology, but surely it would be worth the effort? Sadly, although I’ve definitely learnt something, the lecturers from the University of Groningen seemed to have bigger issues in mind than newsletter subscription confirmations.
My next step was Twitter where, among the jokes from people who clearly didn’t share my own anxieties, I found this post on GDPR myths from the Information Commissioner’s Office blog. Hurrah! Refreshing consent is not strictly necessary. I can sit tight! Yet I found the following paragraph confusing:
It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act.
To my understanding, these are the circumstances in which we should seek consent. So the confusion continues!
If you are subscribed to my newsletter, you’ll have seen how I’ve managed it: explaining that the list is GDPR compliant but asking subscribers to reconfirm in order that I can demonstrate that this is the case. I don’t know if this is the perfect compromise or a fudge that will irritate my readers even more.
Unfortunately, with four days to go, I’m still not totally ready for GDPR. There’s more stuff to read, and a website privacy policy to write. Regarding the latter, although templates are available, they might not meet my standards of good writing. It’s tricky: as the data controller – the one who invites you to leave a digital trail in my corner of cyberspace – the buck stops with the website or newsletter author, although the data processors must also comply with GDPR. Although I agree that’s the right way round, it doesn’t feel as if I’m in charge of any of the technical stuff, and I imagine there are many others who feel the same. I don’t fully understand the mechanics of the various platforms that host my words, and it would be a shame if the only people who could move confidently through cyberspace were people fluent in both law and computer code.
Hopefully, everything will settle down eventually. I’m assuming, given recent exposés of some of the bigger players’ shocking disregard for privacy, GDPR will operate for the general human good. But, as when waging war against tyrants, ordinary people can find themselves casualties. I can’t believe that the threats to small businesses – in terms of the time required and potential loss of revenue in losing contact with some customers – is in the spirit of the law. But, hey, making things up is my raison d’être. Let’s hope this story has a happy ending.
Unfortunately, with four days to go, I’m still not totally ready for GDPR. There’s more stuff to read, and a website privacy policy to write. Regarding the latter, although templates are available, they might not meet my standards of good writing. It’s tricky: as the data controller – the one who invites you to leave a digital trail in my corner of cyberspace – the buck stops with the website or newsletter author, although the data processors must also comply with GDPR. Although I agree that’s the right way round, it doesn’t feel as if I’m in charge of any of the technical stuff, and I imagine there are many others who feel the same. I don’t fully understand the mechanics of the various platforms that host my words, and it would be a shame if the only people who could move confidently through cyberspace were people fluent in both law and computer code.
Hopefully, everything will settle down eventually. I’m assuming, given recent exposés of some of the bigger players’ shocking disregard for privacy, GDPR will operate for the general human good. But, as when waging war against tyrants, ordinary people can find themselves casualties. I can’t believe that the threats to small businesses – in terms of the time required and potential loss of revenue in losing contact with some customers – is in the spirit of the law. But, hey, making things up is my raison d’être. Let’s hope this story has a happy ending.
RSS Feed
