GDPR STATEMENT OF COMPLIANCE FOR CATHERINE COOPER
I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This document that follows explains how I comply. If you have given me your email address (by emailing me, or from a purchase, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly.
I am a sole trader so there is no one else in my organisation to make aware.
2 The information I hold:
- Email addresses, postal addresses and names of contacts in schools who have booked school visits.
- Email addresses, postal addresses, and names of people who have emailed me or bought something from me.
I do not share this information with anyone. Ever.
If someone randomly asks for another person’s email address, I always check with the other person first. Email addresses or contact addresses are never given out to anyone without the addressee’s written permission.
3 Communicating privacy information
If at anytime you wish for your contacts to be deleted from my address book, please contact me either by email or letter.
4 Individuals’ rights
On written request, I will delete data.
If someone asked to see their data, I would take a screenshot of their entry/entries.
5 Subject access requests
I aim to respond to all requests within 24 hours and usually much sooner.
6 Lawful basis for processing data
- If people have emailed me, they have given me their email address. I do not actively add it to a list but the email is automatically saved. I will not add it to any database or spreadsheet.
- If people have bought something from me, their postal and email addresses are saved on the orders. This is standard practice for purchasing online but I do not use their data for anything other than contacting them about a problem with the order.
I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.
Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address but a copy of the correspondence is automatically saved in the sent folder. Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.
9 Data breaches
I have done everything I can to prevent this, by strongly password-protecting my computer and accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.
10 Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
11 Data Protection Officers
I have appointed myself as the Data protection Officer, in the absence of anyone else.
My lead data protection supervisory authority is the UK’s ICO.