The General Data Protection Regulations (GDPR) will govern the way companies of all sizes manage and are responsible for the personal information they store and use. It is designed to give people more control over the information that is held about them, and to provide a legal framework to protect that control.
The new legislation is necessary because the way personal information is stored and used has been completely transformed over the past few decades. Existing legislation across Europe, including our own Data Protection Act 1998, has fallen behind as innovative ways to collect and exploit personal records have evolved, especially online.
I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This document that follows explains how I comply. If you have given me your email address, you should read this to reassure yourself that I am looking after your data extremely responsibly.
If any of you understand this even better than me and believe there’s something else I should be doing, do let me know. I value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations and most authors are sole traders just doing our best to keep up.
I have used the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now.” Here are my answers.
Awareness
I am a sole trader so there is no one else in my organisation to make aware.
The information I hold:
Email addresses of people who have emailed me and to whom I have replied – automatically saved in gmail.
I do not share this information with anyone. Ever.
If someone randomly asks for another person’s email address, unless both are known closely to me, I always check with the other person first.
Communicating privacy information
I am taking five steps:
I have put this document on my website.
I have added a link to my email signature.
I have added a link to my contact page.
Lawful basis for processing data
If people have emailed me, they have given me their email address. I do not actively add it to a list but gmail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
Data breaches
I have done everything I can to prevent this, by strongly password-protecting my computer, Google and Dropbox accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.
Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
Data Protection Officers
I have appointed myself as the Data protection Officer.
International
My lead data protection supervisory authority is the UK’s ICO.
Katharine Quarmby 