I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have given me your email address (by using the Contact Me link of my website), you should read this to reassure yourself that I am looking after your data responsibly.

If any of you understand this compliance issue better than me and believe there’s something else I should be doing, do let me know. I value the security of your information very much and I will never intentionally breach the rules. However, the rules are designed for organisations; authors like me are sole traders just doing our best to keep up.

1 Awareness

I am a sole trader so there is no one else in my organisation to make aware.

2 The information I hold

Email addresses of people who have emailed me and to whom I have replied – automatically saved in one password-protected inbox. Data given voluntarily such as names, postal addresses (for sending physical items like books) and names of contacts in schools – recorded in my inboxes and, for a very brief period, in a password-protected computer document. I do not share this information with anyone.

3 Communicating privacy information

I have put this document on my website.

I have added a link on my “Contact Me” page.

4 Individuals’ rights

On request, I will delete data.

5 Subject access requests

I aim to respond to all requests within 24 hours.

6 Lawful basis for processing data

If people have emailed me, they have given me their email address. I do not actively add it to a list but my two email accounts will save it automatically. I will not add it to any database unless someone asks me to do so or gives me explicit and detailed permission.

7 Children

Young people often email me but I will not know their ages unless they tell me. I will not deliberately keep their email addresses (but my two email accounts will save them automatically). Since I am not “processing” their data, I am not required to ask for parental consent. Indeed, I have no way of contacting parents directly. I reply to the emails and do not contact them again unless they email me again for further information.

8 Data breaches

I have done everything I can to prevent these, by strongly password-protecting my computer and email accounts. If any of those latter organisations were compromised I would take steps to follow their advice immediately.

9 Data Protection by Design and Data Protection Impact Assessments

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.

10 Data Protection Officers

I have appointed myself as the Data Protection Officer, in the absence of anyone else.

11 International

My lead data protection supervisory authority is the UK’s ICO.