Privacy Policy

Rachael Bird – Freelance Writer
UK GDPR Compliance Statement

This document explains how I comply with the Information Commissioner’s Office guidelines for the new General Data Protection Regulation (GDPR).
If you have given me your email or postal address you should read this to reassure yourself that I am looking after your data in a responsible way.

These are my answers in response to the sections in the document: “Preparing for the General Data Protection Regulation – 12 Steps to Take Now.”

1. Awareness
I am the only person involved in my business so there is nobody else to make aware of the GDPR guidelines.

2. The information I hold:
• Email addresses of people who have emailed me and to whom I have replied – automatically saved in Microsoft Outlook.
• Postal addresses of anyone I have invoiced for payment for my work.
• My website ( and contact form are powered by WordPress. You can view their privacy policy here:
• I do not currently have a mailing list.
• I do not currently sell anything through my website.

I do not share this information with any third party.

3. Communicating privacy information
I am taking three steps:
1. I have put this document on my website.
2. I will add a link to my email signature.
3. I have added a link to my contact page.

4. Individuals’ rights
On request, I will delete data.
If someone asks to see their data, I will take a screenshot of their entry/entries.

5. Subject access requests
I will aim to respond to all requests within 24 hours.

6. Lawful basis for processing data
If people have emailed me, they have given me their email address. I do not actively add it to a list but Microsoft Outlook will automatically save it. I will not add it to any database or spreadsheet unless I am given permission.

7. Consent
If I start a mailing list or online shop in the future, I will ensure I have full consent to keep personal data on my records.

8. Children
My business (Rachael Bird – Freelance Writer) is entirely separate from any teaching I do. If anyone connected to my teaching contacts me via the contact details on my business website, I will not respond.
I will not be processing any data in relation to children.

9. Data breaches
My computer is protected by a strong password, as are my WordPress website and Microsoft email accounts.
If any of these external organisations are compromised, I will ensure I take the necessary steps to follow their advice immediately.

10. Data Protection by Design and Data Protection Impact Assessments
I have looked at whether I need to carry out any DPIAs (Data Protection Impact Assessments) following the guidance in the document: “Preparing for the General Data Protection Regulation – 12 Steps to Take Now”.

‘A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
• where a new technology is being deployed;
• where a profiling operation is likely to significantly affect individuals; or
• where there is processing on a large scale of the special categories of data.’

I do not hold any data which is of high risk to individuals.
I do not conduct profiling operations.
I do not process any categories of data on a large scale.

11. Data Protection Officers
I am the Data Protection Officer as I am the only person involved in my business.

12. International
My lead data protection supervisory authority is the UK’s ICO.