GDPR Statement of Compliance
I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have given me your email address (by emailing me, buying something from my website or subscribing to my website, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly. I value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations, and most authors are sole traders just doing their best to keep up.
My primary business is as a sole trader and I have no other employees. I manage author events through my limited company, Burning Candle Ltd.
The information I hold:
Email addresses of people who have emailed me and to whom I have replied – automatically saved in Mail, in Mailchimp (if subscribed) and by my host email provider 1and1.com, along with occasional emails redirected from my website by my Service Provider (SP) 1and1.com.
Email addresses, postal addresses (for physical items) and names of people who have bought or won something from my website or social media.
I do not share this information with anyone. If someone asks me for another person’s email address, I always check with that person first, unless both are closely known to me.
Email addresses, postal addresses (for physical items) and names of people who have enquired or booked me for school events, festivals or shows. This data is automatically shared with Authors Abroad Ltd who are my booking agents and have their own data protection policy.
I have a YouTube account, Twitter feed, Instagram account and 2 Facebook pages where viewers may comment. I generally reply, but I hold no data about them. This data is held by YouTube, Twitter, Instagram and Facebook. I use strong passwords and two-factor authentication on all my social media channels.
I have access to databases of followers on Twitter, YouTube, Facebook and Instagram. I am the data controller but not the data processor of these databases – I use strong passwords and two-factor authentication on these sites.
Communicating privacy information:
I have put this document on my website, with a link on every page.
On request, I will delete data.
If someone asked to see their data, I would take a screenshot of their entry/entries and send it to them.
Subject access requests
I aim to respond to all requests within 48 hours and usually much sooner.
Lawful basis for processing data
If people have emailed me, they have given me their email address. I do not actively add it to a list but Mail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
If people have enquired or booked me for school events, festivals or shows, their postal and email addresses and contact details are saved on file and in a tour database. This is standard practice for organising tours. Their data is used for contacting them about the event, pre- and post-event book orders and follow-up promotion relating to my books and future touring. This data is not shared with any other organisations, except Authors Abroad Ltd, who are my booking agents for touring.
If people have bought or won something from my website, through Square online shop, their postal and email addresses are saved on file. This is standard practice for purchasing online but I do not use their data for anything other than contacting them about a problem with the order.
People comment on my YouTube videos, Twitter and Facebook accounts and I comment back. This is standard practice. I can only see what data they make publicly available.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Once I’ve contacted everyone with a reminder about the T&C of my holding their data, I regard this consent as confirmed until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.
Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.
Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address (but Mail would save it in my account). Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.
Young people also comment on my YouTube videos, Facebook, Instagram or Twitter. I don’t know their ages unless they tell me. If they mention their ages, I delete their comment as soon as I become aware of the post. Otherwise – not knowing their ages, but perhaps guessing – I answer their questions honestly; this is common practice.
I have done everything I can to prevent a data breach, by strongly password-protecting my computer and website as well as Google, Dropbox, Twitter, YouTube, Facebook and Instagram with two-step authentication. If any of those organisations were compromised, I would take steps to follow their advice immediately.
Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
Data Protection Officers
I am not a major organisation, so I do not need to appoint a Data Protection Officer.
My lead data protection supervisory authority is the UK’s ICO.