My EUGDPR Compliance statement

I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This document that follows explains how I comply. If you have given me your email address (by emailing me, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly.

  1. Awareness

I am a sole trader so there is no one else in my organisation to make aware.

  1. The information I hold:
  • Email addresses of people who have emailed me and to whom I have replied – automatically saved in gmail.

I do not share this information with anyone.

  1. Communicating privacy information

I am taking the below steps:

  1. I have put this document on my website.
  2. I have added a link to my contact page.
  3. Individuals’ rights

On request, I will delete data.

If someone asked to see their data, I would take a screenshot of their entry/entries.

  1. Subject access requests

I aim to respond to all requests within 24 hours and usually much sooner.

  1. Lawful basis for processing data
  • If people have emailed me, they have given me their email address. I do not actively add it to a list but gmail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
  1. Consent

Once I’ve contacted everyone with a reminder about the T&C of my holding their data, I regard this consent as confirmed for a year, or until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.

Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.

  1. Children

Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address (but gmail would save it in my account.) Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.

  1. Data breaches

I have done everything I can to prevent this, by strongly password-protecting my computer, Google and accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.

  1. Data Protection by Design and Data Protection Impact Assessments

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.

  1. Data Protection Officers

I have appointed myself as the Data protection Officer, in the absence of anyone else!

  1. International

My lead data protection supervisory authority is the UK’s ICO.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s