I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules that take effect on May 25, 2018. This document explains how I comply. If you have given me your email address by emailing me or subscribing to my newsletter, please read this to reassure yourself that I am looking after your data responsibly. I highly value the security of your information and will never intentionally breach the rules.
I am a sole trader so there is no one else in my organisation to make aware.
The information I hold:
Email addresses of people who have emailed me and to whom I have replied. These are automatically saved in Gmail, Microsoft Outlook, iCloud and in emails redirected from my website by my Internet Service Provider (ISP) Heart Internet.
Email addresses and names of people who have signed up to my newsletter mailing list via the opt-in link on my website are held securely by iContact. I never share this information with anyone.
I have access to databases of followers on Twitter, Pinterest, Facebook, Instagram and YouTube. I am the data controller but not the data processor of these databases. I use strong passwords and two factor authentication on these sites.
I have access to data processed by Google Analytics to learn about how people use my website. This includes information such as page views, length of visit, referral sources and geographical location by country. This general information helps me to improve my website and services. I am the data controller but not the data processor of this information. I do not collect information about individual users. I use strong passwords and two factor authentication with Google.
Communicating privacy information
I am taking four steps:
- I have put this document on my website, with a link from my sign-up form for new subscribers and on the main Contact menu.
- I have added a link to my email signature.
- I have posted a link to this document on Facebook, Instagram, Twitter, Pinterest and YouTube.
On request, I will delete data.
If someone asks to see their data, I will send them a screenshot of their entry/entries.
If they unsubscribe themselves from my iContact mailing list, their data is automatically deleted.
For all other databases above, Data Subjects have their own accounts and can move themselves and I will no longer have access to their data, which is controlled by the data processor. I understand that the data processor will remove data that is made no longer available to me by the data subject.
Subject access requests
I aim to respond to all requests within 24 hours.
Lawful basis for processing data
If people have emailed me, they have given me their email address. I do not actively add it to a list but Gmail, Microsoft Outlook and iCloud will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
If people have subscribed to my iContact newsletter list, they have actively opted in with the knowledge that they will receive occasional emails.
Followers of my newsletter have opted in and are given Unsubscribe reminders with each email.
People may comment on my Facebook, Instagram, Twitter and Pinterest posts and YouTube videos and I may comment back. This is standard practice. I can only see the data they make publicly available.
Once I’ve contacted everyone with a reminder about the Terms & Conditions of my holding their data, I regard this consent as confirmed for one year or until the person asks me to remove their data. I have never harvested email addresses. Any person on my lists has contacted me.
Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.
Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I do not deliberately keep their email address (but Gmail, Microsoft Outlook and iCloud would save it in my account). As I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and do not contact them again.
As I take children’s privacy extremely seriously, I do request young people only to contact me using a ‘screen name’ rather than their real name or, preferably, for them to send me their question or comment via their parent or guardian. In any case, I reply once and then delete the email.
Young people may sometimes comment on my social media posts or videos. I don’t know their ages unless they tell me. If they mention their ages I will immediately delete their comment.
I have done everything I can to prevent this by strongly password-protecting and firewalling my computer and website as well as protecting my accounts with two step authentication where possible. If any of those organisations were to be compromised, I will take steps to follow their advice immediately.
Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s (Information Commissioner’s Office UK) code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
Data Protection Officers
I am not a major organisation so I do not need to appoint a Data Protection Officer.
My lead data protection supervisory authority is the UK’s Information Commissioner’s Office (ICO).
If you have any questions about the information above, please contact me.