My EU GDPR Statement of Data Protection Compliance
I have read the Information Commissioner’s Office Guidelines for compliance with the new General Data Protection Regulation (GDPR) rules, and the following explains how I comply with this. If you have given me your email address (by subscribing to my blog and or contacting me via my contact form, for example), you should read this to reassure yourself that I am looking after your data responsibly. I value the security of your information extremely highly, and will never intentionally breach the rules; the rules are designed for large organisations, and most authors are sole traders, but we are doing our best to keep up.
I am a sole trader, so there is no one else in my organisation to make aware.
The Information I hold.
Email addresses of people who have contacted me via my contact form, via email, or via e-book orders, are automatically saved. I do not share this information with anyone – ever. I am the data controller but not the data processor for these external databases. I always use strong passwords.
Communicating privacy information.
I have attached this information to the ‘About’ section of my WordPress site, and will also send it to my WordPress followers via email on request.
On request, I will delete data. If someone asks to see their data, I will take a screenshot of their entry/entries and send it to them.
Subject access requests.
I will aim to respond to all requests within 24 hours, although there are some times when I am away from home, and will not see requests until my return.
Lawful basis for processing data.
If people have emailed me, or contacted me via my ‘Contact’ form, they have given me their email address. I do not add this to a list, database or spreadsheet, but my email server will automatically save it.
If in the future I set up an email list, I will ensure that those people who wish to be on my list receive reminders about the terms and conditions of my holding their data, and I will regard this consent as confirmed for a year. Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their information to be removed.
I only know the ages of the people who email me, or otherwise contact me, if they tell me, and I only have their word for that. If I become aware that a child has contacted me, I will reply to the email but not contact them again. Since I am not ‘processing’ their data, I am not required to ask for parental consent.
I have done everything I can to prevent this, by password-protecting my lap-top, my mobile phone, my WordPress account and the accounts I use within organisations such as Twitter and Facebook. If the organisations with whom I have accounts are compromised, I will take steps to follow their advice immediately.
Data Protection by Design and Data Protection Impact Assessments.
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
Data Protection Officers.
I am not a major organisation so I do not need to appoint a Data Protection Officer.
My data protection supervisory authority is The Norwegian Data Protection Authority (datatilsynet.no).