PRIVACY NOTICE and GDPR STATEMENT OF COMPLIANCE
The statement applies to two separate lists of email contact information:
Both these lists are processed by Mailchimp
I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply and I hope will reassure you that I am looking after your data responsibly. The form of this document is structured round the ICO booklet Preparing for the General Data Protection Regulation – 12 Steps to Take Now.
Step 1: Awareness
I am a sole trader. There is no one else in my organisation to make aware.
Step 2: The information I hold:
Email addresses of people who have emailed me and to whom I have replied are automatically saved in gmail.
Email addresses, given names and surnames names supplied through the opt-in link on my website are held in Mailchimp
Historical records of email addresses, given names and surnames names collected before 25th May 2018 are stored in an encrypted file on my home computer network.
I do not share data with any other third party. If in future I should consider sharing data with another party, then I will seek permission from people for that specific purpose using an active opt-in methodology.
I do not pass on random requests for another person’s email address to anyone unless they are both known closely to me. I always check with the person whose email address is requested first.
Step 3: Communicating privacy information
I am taking two steps:
I have put this document on my website, with a link from my sign-up section for new subscribers.
I am Paul Charles William Beatty of 91 Station Road, Marple, Stockport SK6 6NY, UK. Contact made about matters of concern in this document should be made using my personal email firstname.lastname@example.org
I have created a Newsletter article and a note to The Storyteller’s Place members which will go to the subscribers to those lists on 1st June 2018. It will remind them of what they signed up to; that they can unsubscribe at any time and that their data will be deleted on request.
Step 4: Individuals’ rights
On request, I will delete data. If someone asked to see their data, I would take a screenshot of their entry/entries. If they unsubscribe themselves from the Newsletter Mailchimp list, their data is automatically deleted.
Step 5: Subject access requests
I aim to respond to all requests within 48 hours and usually much sooner.
Step 6: Lawful basis for processing data
If people have emailed me, they have given me their email address. I do not actively add it to a list but gmail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
If people have opted into my Newsletter Mailchimp list (by subscribing to my new or old websites) they have actively opted in, in the knowledge that they will receive approximately bimonthly Newsletters and occasional bits of news, as well in the case of The Storyteller’s Place reminders about the next meeting.
The email to be sent on 1st June 2018 will remind historical subscribers that they can unsubscribe.
Step 7: Consent
Once I’ve contacted everyone with a reminder about the terms and conditions of my holding their data, I regard this consent as confirmed for a year, or until the person asks me to remove the data. I have never harvested email addresses, nor would I.
Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed within a year of 25th May 2018 and each year thereafter.
Step 8: Children
Registration by a child would be possible on either list and would not be verifiable by me, and in any case, I would have to accept their word for it. However, since I do not process their data I am not required to ask for parental permission. If it became evident that a member of either list were below the age of 16, I would and have contacted parents and would reserve the right to remove them from the list.
Step 9: Data breaches
I have done everything I can to prevent this, by strongly password-protecting my computer network for Mailchimp, Google, Dropbox and OneDrive accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.
Step 10: Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party and believe that I am using best practice.
Step 11: Data Protection Officers
I have appointed myself as the Data Protection Officer, in the absence of anyone else!
Step 12: International
My lead data protection supervisory authority is the UK’s ICO.