Select Page


I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This document that follows explains how I comply. If you have given me your email address (by emailing me, or from a purchase, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly.

1 Awareness

I am a sole trader so there is no one else in my organisation to make aware.

2 The information I hold:

  • Email addresses, postal addresses and names of contacts in schools who have booked school visits.
  • Email addresses, postal addresses, and names of people who have emailed me or bought something from me.

I do not share this information with anyone.  Ever.

If someone randomly asks for another person’s email address, I always check with the other person first.  Email addresses or contact addresses are never given out to anyone without the addressee’s written permission.

3 Communicating privacy information

If at anytime you wish for your contacts to be deleted from my address book, please contact me either by email or letter.


4 Individuals’ rights

On written request, I will delete data.

If someone asked to see their data, I would take a screenshot of their entry/entries. 

5 Subject access requests

I aim to respond to all requests within 24 hours and usually much sooner.

6 Lawful basis for processing data

  • If people have emailed me, they have given me their email address. I do not actively add it to a list but the email is automatically saved.  I will not add it to any database or spreadsheet.
  • If people have bought something from me, their postal and email addresses are saved on the orders.  This is standard practice for purchasing online but I do not use their data for anything other than contacting them about a problem with the order.

7 Consent

I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.

8 Children

Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address but a copy of the correspondence is automatically saved in the sent folder. Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.

9 Data breaches

I have done everything I can to prevent this, by strongly password-protecting my computer and accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.

10 Data Protection by Design and Data Protection Impact Assessments 

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.

11 Data Protection Officers

I have appointed myself as the Data protection Officer, in the absence of anyone else.

12 International

My lead data protection supervisory authority is the UK’s ICO.