I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have given me your email address (by emailing me, buying something from my website or subscribing to my newsletter, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly.
If anyone reading this understands GDPR better than me and believes there’s something else I should be doing, please let me know. I value the security of information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations and most authors are sole traders.
To create this document, I consulted the Society of Authors, read the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now”, and took the online advice of author Nicola Morgan.
1. Awareness
I am a sole trader so there is no one else in my organisation to make aware.
2. The information I hold:
- Email addresses of people who have emailed me and to whom I have replied – automatically saved in Gmail.
- Email addresses and names of people who have signed up to my mailing list via the opt-in link on my website – held in Mailchimp.
- Email addresses, postal addresses (for physical items) and names of people who have bought something from my website. Orders are saved by default in PayPal, which is securely password-protected.
- I do not share this information with anyone.
- If someone randomly asks for another person’s email address, unless both are known closely to me, I always check with the other person first.
3. Communicating privacy information
I have put this document on my website and blog, with a link from my sign-up section for new subscribers.
4. Individuals’ rights
On request, I will delete data. If someone asked to see their data, I would take a screenshot of their entry/entries. If they unsubscribe themselves from the Mailchimp list, their data is automatically deleted.
5. Subject access requests
I aim to respond to all requests within 24 hours and usually much sooner.
6. Lawful basis for processing data
- If people have emailed me, they have given me their email address. I do not actively add it to a list but Gmail will save it. I will not add it to any database or spreadsheet unless they ask me to or give me explicit and detailed permission.
- If people have opted into my Mailchimp list (by subscribing to my newsletter) they have actively opted in, in the knowledge that they will receive my quarterly newsletters.
- If people have bought something from my website, their postal and email addresses are saved in my orders folder in two places: my PayPal account and my HMRC files. This is standard practice for purchasing online but I do not use their data for anything other than contacting them about the order. I will delete their email addresses and postal addresses after one year.
7. Consent
Once I’ve contacted everyone with a reminder of the Terms and Conditions of my holding their data, I regard this consent as confirmed for a year, or until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me. Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.
8. Children
My work is not specifically aimed at children but young people may email me. I will not know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address (but Gmail would save it in my account). Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.
9. Data breaches
I have done everything I can to prevent this, by strongly password-protecting my computer, Mailchimp, Google and Dropbox accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.
10. Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
11. Data Protection Officers
I have appointed myself as the Data Protection Officer, in the absence of anyone else.
12. International
My lead data protection supervisory authority is the UK’s ICO.