GDPR

My EU GDPR Statement of Data Protection Compliance

I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This document explains how I comply. If you have given me your email address (by emailing me, or subscribing to my website, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly. I value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations, and most authors are individuals simply doing their best to keep up.

Awareness:
My business is a limited company registered in the UK.

The information I hold:
Email addresses of people who have emailed me and to whom I have replied, predominantly redirected via my website, hosted by TsoHost.com.
I may also hold your emails in Gmail and iCloud if I have subsequently written to you using those services.
Email addresses and names of people who have signed up to my mailing list via the double opt-in link on my website, held by MailChimp.com.
I do not share this information with anyone. Ever. If someone randomly asks for another person’s email address, unless both are known closely to me, I always check with the other person first.
I have a YouTube account where viewers may comment. I sometimes reply, but I hold no data about them. This data is held by YouTube. I use strong passwords and two-factor authentication on my YouTube channels.
My WordPress website holds a database of followers. This is held and run by Automattic with their Jetpack plugin, which I believe to be fully compliant. I am not the data processor.
My WordPress website also uses social media sharing functionality created by Heateor. The following is a summary of how your data may be used:

We embed Facebook Comments plugin to allow you to leave comment at our website using your Facebook account. This plugin may collect your IP address, your web browser User Agent, store and retrieve cookies on your browser, embed additional tracking, and monitor your interaction with the commenting interface, including correlating your Facebook account with whatever action you take within the interface (such as “liking” someone’s comment, replying to other comments), if you are logged into Facebook. For more information about how this data may be used, please see Facebook’s data privacy policy: https://www.facebook.com/about/privacy/update

We use a Twitter Tweet widget at our website. As a result, our website makes requests to Twitter’s servers for you to be able to tweet our webpages using your Twitter account. These requests make your IP address visible to Twitter, who may use it in accordance with their data privacy policy: https://twitter.com/en/privacy#update

We use a GooglePlus widget at our website. As a result, our website makes requests to Google’s servers for you to be able to share our webpages using your GooglePlus account. These requests make your IP address visible to Google, who may use it in accordance with their data privacy policy: https://policies.google.com/privacy

We use Pinterest Save widget at our website to allow you to pin images to Pinterest from our webpages. These requests may track your IP address in accordance with their data privacy policy: https://policy.pinterest.com/en/privacy-policy

We use Reddit Badge widget at our website which may log information when you interact with the widget. This may include your IP address, user-agent string, browser type, operating system, referral URLs, device information (e.g., device IDs), pages visited, links clicked, user interactions (e.g., voting data), the requested URL and hardware settings, in accordance with their privacy policy: https://www.redditinc.com/policies/privacy-policy

We use an Instagram widget at our website. As a result, our website makes requests to Instagram’s servers for you to be able to share our webpages using your Instagram account. These requests make your IP address visible to Instagram, who may use it in accordance with their data privacy policy: https://help.instagram.com/519522125107875


Communicating privacy information:
I am taking three steps:
• I have put this document on my website, with links on the home and contact pages.
• I have added a link to my email signature.
• All subscribers have to double opt-in to my mailings, and in doing so receive a link to this GDPR information.

Individuals’ rights:
On request, I will delete data.
If someone asks to see their data, I will take a screenshot of their entry/entries and send it to them.
If they unsubscribe themselves from the MailChimp mailing list, their data is automatically deleted.
For all other databases above, data subjects have their own accounts and can remove themselves, after which I no longer have access to their data, which is controlled by the data processor. I understand that the data processor will remove data that the data subject has made no longer available to me.

Subject access requests:
I aim to respond to all requests within 48 hours and usually much sooner.

Lawful basis for processing data:
If people have emailed me, they have given me their email address. I do not actively add it to a list, but Gmail and iCloud will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
If people have opted into my MailChimp list (by subscribing), they have actively opted in, in the knowledge that they will receive occasional emails.
Followers of my WordPress website have opted in and are given unsubscribe reminders with each email.
People comment on my YouTube videos and I comment back. This is standard practice. I can only see what data they make publicly available.

Consent:
Once I’ve contacted everyone with a reminder about the terms and conditions of my holding their data, I regard this as consent until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.
Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.

Children:
Young people sometimes email me, but I don’t know their age unless they tell me, and I only have their word for that. I would not deliberately keep their email address (but Gmail and iCloud would save it in my account). Since I am not processing their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.
Young people also comment on my YouTube videos, Instagram or Twitter. I don’t know their ages unless they tell me. Not knowing their ages, but maybe guessing, I answer their questions honestly and sensitively.

Data breaches:
I have done everything I can to prevent this, by protecting my computer, my website and all my accounts (MailChimp, Google, Dropbox, Twitter, Facebook, Instagram and others) with strong passwords and two-step authentication. If any of those organisations were compromised, I would take steps to follow their advice immediately.

Data Protection by Design and Data Protection Impact Assessments:
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.

Data Protection Officers:
I am not a major organisation, so I do not need to appoint a Data Protection Officer.

International:
My lead data protection supervisory authority is the UK’s ICO.

After that, you still want to subscribe to my newsletter? Please go ahead!