My GDPR Statement of Compliance

The following is prepared after seeking advice from the Society of Authors in August 2018 who kindly referred me to Nicola Morgan’s web site from which the following has been used as a template. Nicola has told the Society that she is happy for her site to be used as long as credit is given and acknowledgement made.

Credit to Nicola Morgan via the Society of Authors, August 2018


I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This document that follows explains how I comply. If you have given me your email address (by emailing me, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly.

If any of you understand this even better than me and believe there’s something else I should be doing, do let me know. I value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations and most authors are either sole traders or very small businesses just doing our best to keep up.

To create this document, I used the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now.

Here are my relevant answers

  1. Awareness

I am a sole authority with my wife in a registered partnership so there is no one else in my organisation to make aware. I do not employ any staff.

  1. The information I hold:
  • Email addresses of people who have emailed me and to whom I have replied – automatically saved in password protected Exchange.
  • I do not have a regular mailing list for newsletters etc
  • I do not sell any products on my web site
  • I do not share information with anyone without the sender’s permission.

If someone randomly asks for another person’s email address, I always check with the other person first.

  1. Communicating privacy information

I am taking these steps:

  1. I have put this document on my website
  2. I have added a link to my email signature whenever this is used.
  3. I have added a link to my contact page.
  1. Individuals’ rights

On request, I will delete data.

  1. Lawful basis for processing data

If people have emailed me, they have given me their email address. I do not actively add it to a list but Exchange will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission to do so.

  1. Consent

Once I’ve contacted everyone with a reminder about the T&C of my holding their data, I regard this consent as confirmed until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.

Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.

  1. Children

I do not accept emails from children. If anyone has any concerns over the protection of children they should contact ChildLine or the NSPCC and not me.

  1. Data breaches

I have done everything I can to prevent this, by strongly password-protecting my computer

  1. Data Protection by Design and Data Protection Impact Assessments 

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.

  1. Data Protection Officers

I have appointed myself as the Data protection Officer, in the absence of anyone else!

  1. International

My lead data protection supervisory authority is the UK’s ICO.

 Al Aynsley-Green 14th October 2018