New personal data laws coming soon – are you ready?

How the EU GDPR will affect your work as an editor

GDPR for editors

Businesses across Europe are busy preparing for the introduction of a new data privacy law that will come into effect on 25 May 2018. This new law, known as the EU General Data Protection Regulation (GDPR), will impact how Elsevier staff and our community of editors work worldwide. We want to take this opportunity to help you understand what GDPR is, how it applies to you, what action you may need to take, and where you can find out more.

What is GDPR?
As a starting point, we’d like to highlight that most of this legislation is already written into current privacy law. Elsevier’s existing privacy principles outline the key tenets of good data protection to which all those who come into contact with personal data should already be adhering. Elsevier believes that following good data protection and privacy practices is key to ensuring the trust of our editors, authors, reviewers, and customers. GDPR simply represents an opportunity for us to improve further on our practices, delivering excellent data governance in all that we do.

GDPR means making changes to how we manage personal data.

What exactly is “personal data”? Personal data is information relating to an individual who can be identified (now or later) from that and other information. This includes somebody’s name, as well as any data that could lead to a name, such as an IP address.

When it comes to handling information relating to an "identified" or "identifiable" person, according to GDPR the data must be:

  1. Processed lawfully, fairly and in a transparent manner
  2. Collected for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited to what is necessary
  4. Accurate and, where necessary, kept up to date
  5. Retained only for as long as necessary
  6. Processed in an appropriate manner to maintain security

What do I need to do as an editor?

These might not sound like issues that would impact your role, but we’d like to take a couple of examples of common activities where you might find yourself requesting or handling personal data as an editor, and to share some tips and considerations for how to approach these scenarios in future.

Example 1: Requesting a report on authors or reviewers from your journal manager via email.

  • Only ask for personal data that you absolutely need. For example, if you just want to know average turnaround time for reviewers, the reviewers’ names are not needed.
  • Understand that it is no longer acceptable to send unprotected Excel files with personal data via email – where it is necessary to transfer such information, it will need to be uploaded to a secure location or password-protected.
  • Once the data has been used for its intended purpose, you should delete it.
  • Consider carefully with whom to share the data (if sharing is indeed necessary) and where/how to store the data to restrict access to only those who need it.
  • If sending an email to multiple recipients, include the recipients in the “Bcc” field so personal details are concealed from other recipients.

Example 2: Researching and contacting reviewers and authors based on internet searches.

  • Always check the terms & conditions of the sites from which you are sourcing any data to ensure they don’t prohibit using the personal data in this way.
  • Keep a record of the source of the data e.g. website URL.
  • Consider whether the individual might reasonably expect to be contacted, and have a process in place in the event the recipient asks not to be contacted again.

If you have any questions about GDPR, please don’t hesitate to reach out to your Elsevier Publisher.
We also ask you to be vigilant, and if you receive a privacy complaint or a data subject request, you should forward it to Elsevier’s Data Protection Officer at immediately (or to your Publisher, who will ensure this is passed on). We are establishing procedures and making changes in our editorial systems to ensure we can act swiftly in the event any data subject (i.e. a person who can be identified by personal data) exercises their enhanced rights to make a subject access request, to request erasure (“the right to be forgotten”) or to request rectification. GDPR stipulates strict time limits within which an organisation should respond to these types of data subject requests, so it is important that you pass on any communications of this nature as soon as possible.

Where can I find out more?

  • You may like to review Elsevier’s Privacy Principles and this information regarding Elsevier and the General Data Protection Regulation.
  • We of course need to take actions to make sure that our editorial systems are GDPR compliant, and we will be updating you on GDPR-related developments to EES and EVISE via the regular release notes you receive from your journal manager or usual contact. We have also briefed our internal staff so they will be familiar with the above information.


Written by

Helen Gainford

Helen Gainford is Director, Privacy and Data Protection, RELX General Counsel. A member of the RELX Group Data Protection and Privacy team (DPP), Helen provides advice, training and guidance on privacy and data protection for the Elsevier business globally. Helen joined DPP in 2015 after 16 years at Elsevier. Helen holds the ISEB certification in Data Protection from BCS, The Chartered Institute for IT, and the CIPP/E, CIPP/US and CIPM credentials from the International Association of Privacy Professionals (IAPP).
