GDPR (General Data Protection Regulation):
Last updated 27th March 2018.
MY GDPR STATEMENT OF COMPLIANCE BY HUW POWELL:
As an author, I’ve read the Information Commissioner’s Office (ICO) guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This statement explains how I comply. If you’ve contacted me, please be assured that I look after your data responsibly. I value the security of your information and will never intentionally breach the rules. In response to the ICO booklet Preparing for the General Data Protection Regulation - 12 Steps to Take Now:
1. Awareness - I work alone and therefore there is no one else in my organisation to make aware.
2. The information I hold - this is mostly email addresses of people who have emailed me and to whom I’ve replied, which are automatically saved by the email server. It may also include names, phone numbers and addresses included in the emails. I also maintain a contacts list and an events log which include names, dates and contact details. These are password-protected spreadsheets stored on a password-protected computer in my office. I do not share this information with anyone.
3. Communicating privacy information - I have included this statement on my website and will respond to all queries about data held.
4. Individuals’ rights - on request, I will delete any held data (e.g. emails). If someone asks to see their data, I can send them a screenshot.
5. Subject access requests - I aim to respond to all requests within 24 hours where possible.
6. Lawful basis for processing data - if people email me, they are giving me their email address and any information contained in the email. These emails may be kept for a period of time in my inbox for reference; however, they will not be shared with anyone else without prior consent from the sender.
7. Consent - I have never harvested email addresses, nor would I. Anyone on my lists has contacted me and therefore provided their contact details willingly.
8. Children - young readers sometimes contact me about my books; however, I would not necessarily know their age (unless they tell me). I wouldn’t deliberately keep their contact details and I don’t “process” their data, therefore I’m not required to ask for parental consent. It’s likely that I’ll reply to their email, but avoid further contact.
9. Data breaches - I’ve done everything I can to prevent this by password-protecting my computer and any documents. If any data is compromised, I’ll take the necessary steps to notify people and rectify accordingly.
10. Data Protection by Design and Data Protection Impact Assessments - I’ve familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party to ensure that I’m using best practice.
11. Data Protection Officers - I’ve appointed myself as the Data Protection Officer.
12. International - my lead data protection supervisory authority is the ICO in the UK.