MY GDPR STATEMENT OF COMPLIANCE

I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have given me your email address (by using the Contact Me link of my website), you should read this to reassure yourself that I am looking after your data responsibly.

If any of you understand this compliance issue better than me and believe there’s something else I should be doing, do let me know. I value the security of your information very much and I will never intentionally breach the rules. However, the rules are designed for organisations; authors like me are sole traders just doing our best to keep up.

1 Awareness

I am a sole trader so there is no one else in my organisation to make aware.

2 The information I hold

Email addresses of people who have emailed me and to whom I have replied – automatically saved in two password-protected inboxes. Data given voluntarily such as names, postal addresses (for sending physical items like books) and names of contacts in schools – recorded in my inboxes and, for a very brief period, in a password-protected computer document. I do not share this information with anyone.

3 Communicating privacy information

I have put this document on my website.

I have added a link on my “Contact Me” page.

4 Individuals’ rights

On request, I will delete data.

5 Subject access requests

I aim to respond to all requests within 24 hours.

6 Lawful basis for processing data

  • If people have emailed me, they have given me their email address. I do not actively add it to a list but my two email accounts will save it automatically. I will not add it to any database unless someone asks me to do so or gives me explicit and detailed permission.
  • If a website visitor has bought something from me, their postal and email addresses are saved in my two inboxes. I may copy their names and postal addresses to a Word document for the purposes of printing labels or making invoices. I do not use their data for anything other than contacting them about the order and I will delete those Word details once the transaction is complete.

7 Children

Young people often email me but I will not know their ages unless they tell me. I will not deliberately keep their email addresses (but my two email accounts will save them automatically). Since I am not “processing” their data, I am not required to ask for parental consent. Indeed, I have no way of contacting parents directly. I reply to the emails and do not contact them again unless they email me again for further information.

8 Data breaches

I have done everything I can to prevent these, by strongly password-protecting my computer and email accounts. If any of those latter organisations were compromised I would take steps to follow their advice immediately.

9 Data Protection by Design and Data Protection Impact Assessments

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.

10 Data Protection Officers

I have appointed myself as the Data Protection Officer, in the absence of anyone else.

11 International

My lead data protection supervisory authority is the UK’s ICO.