EU GDPR statement


I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This document that follows explains how I comply. If you have given me your email address (by emailing me, buying something from my website or subscribing to my newsletter, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly.

If you are reading this and believe there’s something else I should be doing or something that I am doing incorrectly, do let me know. I value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations and as a sole trader, I’m just doing my best to comply with the regulations as I understand them.

To create this document, I have used the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now.” Here are my responses to the headed points in that document.

  1. Awareness

I am a sole trader so there is no one else in my organisation to make aware.

  1. The information I hold:
  • Email addresses and names of people who have emailed me and to whom I have replied – automatically saved in Gmail. Note that there is an autoforwarding service switched on for all email addresses received that forwards mail to my Gmail account.
  • Email addresses and names of people who have signed up to my mailing list via the opt-in link on my author website– held in Mailchimp

I do not share this information with anyone. Ever.

  1. Communicating privacy information

I am taking the following steps:

  1. I have put this document on my websites, with a link from my sign-up section for new subscribers.
  2. I have created a website post before the end of April 2018, drawing attention to this document.
  3. Before the end of April, I will contact my Mailchimp database and link to this document. I will remind them of what they signed up to, alert them to any changes and remind them that they can unsubscribe at any time and their data will be deleted.
  1. Individuals’ rights

On request, I will delete data.

If someone asked to see their data, I would take a screenshot of their entry/entries.

If they unsubscribe themselves from the Mailchimp list, their data is automatically deleted.

  1. Subject access requests

I aim to respond to all requests within 24 hours and usually much sooner.

  1. Lawful basis for processing data
  • If people have emailed me, they have given me their email address. I do not actively add it to a list but Gmail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
  • If people have opted into my Mailchimp list (by subscribing to my author newsletter) they have actively opted in, in the knowledge that they will receive the following:
    • occasional (approx 4-6 times a year) newsletters and occasional bits of news
  1. Consent

Once I’ve contacted everyone with a reminder about the T&C of my holding their data, I regard this consent as confirmed for a year, or until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has initiated contact with me.

Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.


  1. Children

I don’t have contact with children directly, usually. If contact occurs, I’d check for parental consent for both the contact and the data holding as described above.


  1. Data breaches

I have done everything I can to prevent this, by strongly password-protecting my computer and web-host, my MailChimp and other relevant accounts. If I learn that any of those accounts are compromised I would take steps to re-secure them immediately.


  1. Data Protection by Design and Data Protection Impact Assessments

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.


  1. Data Protection Officers


I have appointed myself as the Data Protection Officer.


  1. International

My lead data protection supervisory authority is the UK’s ICO.