MY GDPR STATEMENT OF COMPLIANCE
I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have given me your email address by emailing me, you should read this to reassure yourself that I am looking after your data responsibly.
I value the security of your information highly and will never intentionally breach the rules. However, the rules are designed for organisations, and most authors are sole traders doing their best to keep up.
To create this document, I read the ICO booklet “Preparing for the General Data Protection Regulation – 12 Steps to Take Now” for guidance and based this document on it; here are my answers.
I am a sole trader, so there is no one else in my organisation to make aware.
The information I hold:
The only information I hold is that supplied by people who have contacted me via this website or directly by email; it is automatically saved in my email client software.
I do not share this information with anyone.
I have a highly trusted computer support company that services my computer. They are required to work only on my computer and, in order to do so, have access to my website data and my passwords. Breaching data protection rules would be against the terms of their company policy, as they also have to comply fully with the new regulations.
Communicating privacy information:
I have taken the following steps:
- I have put this document on my website on my contact page.
- I have added a privacy statement to my email signature.
On request, I will delete data.
If someone asks to see their data, once I have confirmed their identity I will take a screenshot of their entry/entries and forward it to them.
Subject access requests:
I aim to respond to all requests within 5 working days.
Lawful basis for processing data:
If people have emailed me, they have given me their email address. I do not actively add it to a list but my email client software will save it.
All information supplied to me has been freely given by those contacting me, whether an individual asking for information or a client/supplier in order to meet business obligations. If an individual, client or supplier wishes their data to be removed, it will be, as long as this does not impact on my legal obligations (e.g. business accounts).
Young people sometimes email me, but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address (although my email client software would save it in my account). Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.
I have done everything I can to prevent a data breach by strongly password-protecting my computer, phone and other related digital devices, as well as my cloud service accounts. If any of those organisations were compromised, I would take steps to follow their advice immediately.
Data Protection by Design and Data Protection Impact Assessments:
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
Data Protection Officers:
I have appointed myself as the Data Protection Officer.
I am based in the UK therefore my lead data protection supervisory authority is the UK’s ICO.