MY GDPR STATEMENT OF COMPLIANCE
I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This document that follows explains how I comply. If you have given me your email address (by emailing me, buying something from my website or subscribing to my newsletter, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly.
If you are reading this and believe there’s something else I should be doing or something that I am doing incorrectly, do let me know. I value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations and as a sole trader, I’m just doing my best to comply with the regulations as I understand them.
To create this document, I have used the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now.” Here are my responses to the headed points in that document.
I am a sole trader so there is no one else in my organisation to make aware.
- The information I hold:
- Email addresses and names of people who have emailed me and to whom I have replied – automatically saved in Gmail. Note that there is an autoforwarding service switched on for all email addresses received that forwards mail to my Gmail account.
- Email addresses and names of people who have signed up to my mailing list via the opt-in link on my author website– held in Mailchimp
I do not share this information with anyone. Ever.
- Communicating privacy information
I am taking the following steps:
- I have put this document on my websites, with a link from my sign-up section for new subscribers.
- I have created a website post before the end of April 2018, drawing attention to this document.
- Before the end of April, I will contact my Mailchimp database and link to this document. I will remind them of what they signed up to, alert them to any changes and remind them that they can unsubscribe at any time and their data will be deleted.
- Individuals’ rights
On request, I will delete data.
If someone asked to see their data, I would take a screenshot of their entry/entries.
If they unsubscribe themselves from the Mailchimp list, their data is automatically deleted.
- Subject access requests
I aim to respond to all requests within 24 hours and usually much sooner.
- Lawful basis for processing data
- If people have emailed me, they have given me their email address. I do not actively add it to a list but Gmail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
- If people have opted into my Mailchimp list (by subscribing to my author newsletter) they have actively opted in, in the knowledge that they will receive the following:
- occasional (approx 4-6 times a year) newsletters and occasional bits of news
Once I’ve contacted everyone with a reminder about the T&C of my holding their data, I regard this consent as confirmed for a year, or until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has initiated contact with me.
Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.
I don’t have contact with children directly, usually. If contact occurs, I’d check for parental consent for both the contact and the data holding as described above.
- Data breaches
I have done everything I can to prevent this, by strongly password-protecting my computer and web-host, my MailChimp and other relevant accounts. If I learn that any of those accounts are compromised I would take steps to re-secure them immediately.
- Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
- Data Protection Officers
I have appointed myself as the Data Protection Officer.
My lead data protection supervisory authority is the UK’s ICO.