GDPR is nearly here

The title makes it sound like a book, but the GDPR (General Data Protection Regulation) is much more sinister (and good) than many dark fantasy book out there. It is interesting to see that while I was aware of the new GDPR law for several months already, many of the authors I spoke to were completely oblivious about this change coming from the European Union (but with some serious worldwide impact). In short, the GDPR is a law to protect the personal information of individuals and giving them more control over who uses that information and for what reason. Mainly aimed at the large mega corps like Facebook and Google, the impact of the law reaches far further than that and not complying to the law can cause all sorts of problems, including fines that can run into the millions of USD or 4% of the yearly net profit of a company.


While it is great news for consumers, the new law, which will come into effect on the 25th of May, has companies scrambling to get everything in order. It is a costly change, as you have to explain in clear normal language (English or otherwise understood) that people need to give explicit consent of their personal information being used and for what reasons. Companies also need to have it documented how long information will be stored and if any information will be shared with other parties. Consent will need to be re-requested every so often, depending on the logic behind the time period in which the information is stored. And should information be stored, any person can request to receive an overview of which info is stored about them and if need be demand it to be deleted without a trace while providing proof that it was actually deleted. How you can provide proof of something NOT present in your database anymore without it still being there as traceable information is beyond me, but then again nobody said that laws should be logical.

The new law also prohibits profiling on the personal information, meaning marketing agencies are feverishly looking for new ways on how to reach their target groups. This is the reason Facebook has now clearly requested if you wish to receive targeted advertisement. Without your consent they can not show ads focused on let’s say: white male, between 30 and 40, living in Europe. Which is great for the people trying to protect themselves from profiling (hello! I’m one of them), but makes it difficult for those wishing to advertise to reach proven target groups that might find your (fantasy) books an interesting and fun read (hello! That’s me too :)).

Like I said, many companies are working overtime to reach out to their current contacts, as they need them to provide consent before the 25th of May. Millions of dollars in costs are spend by hundreds of thousands of companies to get everything in order. And even if the law is EU based, it impacts any company that has personal information stored from any EU resident. Which pretty much means, with the ease of global consumership, that every company in the world will need to have their ducks in a row. But, at the same time it is already known that many of the countries have absolutely no budget to effectively check if the companies within their borders are GDPR compliant.


For those writing and trying to make it in a world where thousands of new books are released every day, the GDPR is yet another obstacle to keep in mind. If an author has his/her own mailing list. This mailing list will need to be contacted before the 25th of May to request full consent on storing name and email address for the purpose of sending out newsletters. And every so often a new consent request will have to be sent out, and those readers ignoring this request or those simply not responding will need to be removed from the list. This also means that you will need a way to track when the last date of consent was for those contacts in your mailing list.

Apart from that, any reader should have an easy way to be deleted from the list. Not just unassigned (meaning they simply will not receive the newsletter anymore, but their data will still be there) but really deleted…without a trace…including for example any comments they might have left on your site.
When using mailing list services like Bookbub or Fussy Librarian, things are a bit easier as that particular service is the one that needs to be in GDPR compliance and not the author him/herself. But such services costs money and advertising through them does not always bring you to the point of ROI (return of investment). Besides, with your own mailinglist you can be confident that the people on it are interested in your books and it does not cost you anything if you want to reach out to your fans.

My newsletter (wait, there was a newsletter?)

In these last few years, I have never really done much with my own newsletter mailinglist. I didn’t actively promote it, nor did I sent many emails out. As I can barely find time to write, I rather worked on my books instead of trying to find interesting material to put in a newsletter. Many authors swear by having their own mailing list, but all this time it felt like it just wasn’t for me. So to keep things easy under the new GDPR law, and make a more definitive decision on the topic for myself, I have decided abandon the idea of building a newsletter mailinglist. Instead, I will focus on the blog whenever I can, interact with fans on social media and use services like Bookbub (in addition to my own website) to keep readers up to date on new releases.

Are you an author that has decided to tackle the GDPR head-on? Or perhaps as a reader you are still struggling with understanding the concept? Maybe the company you work for is pulling its hairs trying to figure out how to reach all the supply companies they worked for in the last 15 years? Feel free to share your thoughts in the comments below or reach out on social media.

– A.J. Norfield

Leave a Reply