MY GDPR STATEMENT OF COMPLIANCE
I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply.
If you have given me your email address (by emailing me, commenting on my blog or subscribing to my WordPress website, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly.
If any of you understand this even better than me and believe there’s something else I should be doing, do let me know. I value the security of your information extremely highly and will never intentionally breach the rules.
However, the rules are designed for organisations and most authors are sole traders just doing our best to keep up.
Based on my reading of the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now,” here are my 12 answers.
1 Awareness
I am a sole trader so there is no one else in my organisation to make aware.
2 The information I hold:
- Email addresses of people who have emailed me and to whom I have replied – automatically saved in Yahoo.
- Email addresses, IP addresses, and names of people who have signed up to my mailing list via the opt-in form on my website – filling out this form sends an email from WordPress to my email; the details are automatically saved in Yahoo, and the email addresses and names are transferred by me to MailerLite.
Please note, I do not share this information with anyone. Ever.
3 Communicating privacy information
I have put this document on my website and included the link
- on my sign-up form for my newsletter.
- on my contact page.
Before May 25th, I will contact my MailerLite database. I will remind them of what they signed up to and remind them that they can unsubscribe at any time and their data will be deleted. I will also direct them to this document.
4 Individuals’ rights
- On request, I will delete or amend data.
- If someone asked to see their data, I would take a screenshot of their entry/entries.
- If they unsubscribe themselves from the MailerLite list, their data is automatically deleted.
5 Subject access requests
I aim to respond to all requests within 24 hours.
6 Lawful basis for processing data
- If people have emailed me, they have given me their email address. I do not actively add it to a list but Yahoo will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
- If people have opted into my MailerLite list they have actively opted in, in the knowledge that they will receive occasional newsletters and updates, which always carry a link where they can unsubscribe. I actively add names and email addresses to MailerLite, but with express permission when someone opts in. Emails are automatically saved to Yahoo.
- If people have commented on my site/blog or become a follower through their WordPress account, I do not use their data for anything other than contacting them about the comment they posted.
7 Consent
Once I’ve contacted everyone with a reminder about the T&C of my holding their data, I regard this consent as confirmed until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.
However, consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.
8 Children
I have never received any email from children, but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address (but Yahoo would save it in my account). Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.
9 Data breaches
I have done everything I can to prevent this, by strongly password-protecting my computer, MailerLite, Yahoo and WordPress accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.
10 Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
11 Data Protection Officers
I have appointed myself as the Data Protection Officer, in the absence of anyone else.
12 International
My lead data protection supervisory authority is the UK’s ICO.