MY GDPR STATEMENT OF COMPLIANCE
I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have given me your email address (by using the Contact Me link of my website), you should read this to reassure yourself that I am looking after your data responsibly.
If any of you understand this compliance issue better than I do and believe there’s something else I should be doing, do let me know. I value the security of your information very much and I will never intentionally breach the rules. However, the rules are designed for organisations; authors like me are sole traders just doing our best to keep up.
1 Awareness
I am a sole trader so there is no one else in my organisation to make aware.
2 The information I hold
Email addresses of people who have emailed me and to whom I have replied – automatically saved in two password-protected inboxes. Data given voluntarily such as names, postal addresses (for sending physical items like books) and names of contacts in schools – recorded in my inboxes and, for a very brief period, in a password-protected computer document. I do not share this information with anyone.
3 Communicating privacy information
I have put this document on my website.
I have added a link on my “Contact Me” page.
4 Individuals’ rights
On request, I will delete data.
5 Subject access requests
I aim to respond to all requests within 24 hours.
6 Lawful basis for processing data
- If people have emailed me, they have given me their email address. I do not actively add it to a list but my two email accounts will save it automatically. I will not add it to any database unless someone asks me to do so or gives me explicit and detailed permission.
- If a website visitor has bought something from me, their postal and email addresses are saved in my two inboxes. I may copy their names and postal addresses to a Word document for the purposes of printing labels or making invoices. I do not use their data for anything other than contacting them about the order and I will delete those Word details once the transaction is complete.
7 Children
Young people often email me but I will not know their ages unless they tell me. I will not deliberately keep their email address (but my two email accounts will save them automatically). Since I am not “processing” their data, I am not required to ask for parental consent. Indeed, I have no way of contacting parents directly. I reply to the emails and do not contact them again unless they email me again for further information.
8 Data breaches
I have done everything I can to prevent these, by strongly password-protecting my computer and email accounts. If any of those latter organisations were compromised I would take steps to follow their advice immediately.
9 Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
10 Data Protection Officers
I have appointed myself as the Data Protection Officer, in the absence of anyone else.
11 International
My lead data protection supervisory authority is the UK’s ICO.