I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have given me your email address (by emailing me, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly.
I am a sole trader so there is no one else in my organisation to make aware.
- The information I hold:
- Email addresses of people who have emailed me and to whom I have replied – automatically saved in Gmail.
I do not share this information with anyone.
- Communicating privacy information
I am taking the below steps:
- I have put this document on my website.
- I have added a link to my contact page.
- Individuals’ rights
On request, I will delete data.
If someone asked to see their data, I would take a screenshot of their entry/entries.
- Subject access requests
I aim to respond to all requests within 24 hours and usually much sooner.
- Lawful basis for processing data
- If people have emailed me, they have given me their email address. I do not actively add it to a list but Gmail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
Once I’ve contacted everyone with a reminder about the T&C of my holding their data, I regard this consent as confirmed for a year, or until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.
Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.
Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address (but Gmail would save it in my account). Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.
- Data breaches
I have done everything I can to prevent this, by strongly password-protecting my computer, Google and accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.
- Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
- Data Protection Officers
I have appointed myself as the Data Protection Officer, in the absence of anyone else!
My lead data protection supervisory authority is the UK’s ICO.