MY STATEMENT OF COMPLIANCE WITH THE GENERAL DATA PROTECTION REGULATIONS
On May 25th 2018, new privacy laws were introduced in the European Union. This has been done to ensure that businesses who hold personal information about individuals must fully protect that data. These laws apply to some extent to authors like myself, because people frequently get in touch with me about my books. Therefore, I am legally obliged to comply with the new regulations and explain how I deal with any ‘data’ that I receive and what I’m doing to keep it safe. The following statement is very tedious, I’m afraid, and may not make an awful lot of sense to the vast majority of people who contact me. But it has to be done. So here goes.
I have studied the Information Commissioner’s Office (ICO) guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. They, the ICO, have suggested twelve steps that should be taken in preparation for compliance with the new rules. Those steps are arranged under the headings below. I am implementing them all to the best of my knowledge and ability.
I write as Chris d’Lacey, but my business name is Wayward Creations, which I run in partnership with my wife, Jay d’Lacey. She is fully aware of GDPR and has read and approved this statement.
- INFORMATION I HOLD
I hold information on paper and digitally.
PAPER: Relevant paper records are mostly invoices required for taxation purposes or statements of monies earned. The only people who see my paperwork are my accountants and my wife.
LISTS: On my computer, I have a contact list of friends and other associates in Microsoft Outlook. I don’t share this list with anyone. I have recently gone through it to remove any old or irrelevant addresses and/or any contacts I simply can’t remember. It’s fair to say that one of the best things about GDPR is that it has encouraged me to do some general ‘housekeeping’ on my PC.
I also have a list, in the form of an Excel spreadsheet, of the names and contact details of members of the writers’ group I occasionally attend. This is shared among the group by common consent and updated annually.
EMAILS: I receive emails in connection with my writing almost every day. They basically fall into one of three broad categories:
- a) From people who work in the publishing business e.g. my editors, agent, PR associates, etc. I tend to retain emails from these sources (and by default their email addresses) purely because I may need to refer back to those messages or people from time to time. I cannot imagine that anyone in the industry would be concerned about this. I never share this information with anyone outside the industry. If I do ever forward a message, it would be to someone connected to the message who needs to be copied in.
- b) From schools (or festivals, etc.) enquiring about an author visit. As part of the dialogue, I will inevitably receive the email address of whoever organises the visit. Sometimes, a school will approach me as much as a year in advance (e.g. to secure me during World Book Day week). It follows that I can be ‘holding’ their data for some length of time. When a school visit is concluded, I do tend to keep the email dialogues. There are various reasons for this, mainly to do with tax requirements. I charge a fee for visits and therefore have to raise invoices for them. Invoices contain the address of the school and the name of the individual with whom I liaised when planning the visit. I am legally obliged to keep invoices for the length of time laid down by HMRC, which at the time of writing is seven years. I also find it useful to keep event dialogues so that I can easily check where I’ve been and when, and how much I’ve previously charged, or who I spoke to, etc. I am, however, currently winding down the number of visits I take on and from May 25th 2018 I will securely archive all completed events and digital invoices, other than those in the current tax year. I never share event details with anyone outside the institution I’m visiting, unless the school/festival requires promotional material. In those cases I will normally supply the event organiser with the email address of my PR contact.
- c) Messages from fans. These come digitally via a contact address on my website, or on paper, forwarded by my publishers. I read paper fan mail, reply to it and dispose of it. Similarly, I read all fan messages that are emailed to me, reply to them when I have the time and then delete them (including my replies). In the past, I have kept some messages for personal reasons. These would be messages that have been particularly complimentary, or have told moving or inspiring anecdotes connected to readers’ experiences of the books. These I have now looked through and somewhat sadly deleted. I have taken quotes from many of them, which I plan to highlight, anonymously, on my website. (This is common practice for publishers, who like to use strapline quotes within books.) I never share any fan details with anyone else.
In this modern world, I communicate by email with many different sources. Frankly, this statement would fill the space of a novel if I started to list every individual, company, workman or organisation I’ve had contact with and whose email address I might have somewhere on my PC.
I assume that any emails I send or receive are stored somewhere by my service provider. Talk to BT if you want an answer to that one.
- COMMUNICATING PRIVACY INFORMATION
I have put this document on my website and my blogs.
I have added a link to my email signature to say that this statement is available to be read.
I will message a link to this document on my Twitter account.
I will post a link to this document on Facebook.
- INDIVIDUALS’ RIGHTS
On request, and within reason (see section 5), I will inform any individual of any data I hold relevant to them. I will then delete said data, if requested, unless I am legally bound to keep it.
- SUBJECT ACCESS REQUESTS
I will aim to respond to all requests as soon as is humanly possible, certainly within a month. In accordance with GDPR ruling, I will refuse any request I consider to be unfounded or malicious or excessive, and may charge a fee based on a calculation of my earnings.
- LAWFUL BASIS FOR PROCESSING DATA
I don’t ‘process’ data in the sense of creating databases of email addresses and so forth. In fact, I rarely refer to my mailing list (see section 2) these days, because as anyone who uses an email program will know, the program itself stores addresses and suggests a list of contacts based on the first letters typed in the ‘Send To’ box. Check the Microsoft GDPR for that one. I group emails into relevant folders – but then who doesn’t? The only ‘processing’ we truly do at Wayward Creations is to keep our accounts in order and answer any emails we receive.
At the time of writing I have two active WordPress blogs. I used to allow comments on my posts, but I have stopped this practice now, purely because I don’t know how WordPress ‘processes’ such ‘data’. I never created any lists or data from the blogs, but it was possible – for me at least – to see the email address of any person who left a comment. Whether anyone else who visited the blog could see another individual’s address, I couldn’t say. Until I know for sure, I’m afraid I have no choice but to close the commenting facility. Some people reading this will know that for years I had a blog called Zookie’s Notepad, which had several hundred followers. Again, I have no idea if any of those followers could interact or how Google ‘processed’ that data. But on May 24th Zookie’s Notepad will be removed from the web. Sad, but it has run its course. I did also have a YouTube ‘channel’, which, I think, half a dozen people ‘subscribed’ to, whatever that means. I hold no information on those ‘subscribers’ and have deleted my YouTube channel before this statement was made public.
My take on this is as follows: if you email me, effectively you’ve freely given me consent to hold your address throughout the course of our dialogue. I’ve already said above that I like to keep dialogues (see also section 9). But if anyone is unhappy about that, I will gladly delete any dialogue, unless I’m required by law (e.g. for tax purposes) to keep it. And in that case I would do everything in my power to minimise and protect the information I hold.
I don’t offer any online services to children other than the provision of an email address on my website, through which they can contact me, should they wish to. Fans, including adults, email me all the time. Unless they tell me their age or give some indication of it (e.g. style of writing, or “I’m a fourth grader at such and such a school”), it’s impossible to know how old they are. I simply answer their questions and move on. Sometimes, a young person will write requesting an autographed photo or a signed book. Ninety-nine percent of those requests come from far overseas – usually America or Australia. In those cases, I ask for a parent to contact me, supplying consent and a postal address. I won’t do this if I’m reasonably certain an adult is writing to me – again, style of writing, content, etc. usually defines this. In any circumstance, it goes without saying that for a children’s author the protection of children is paramount. I take every reasonable precaution with fan mail and treat my fans with the utmost respect. Postal addresses are deleted as soon as I receive confirmation that the book, photo or postcard I’ve sent has arrived safely.
- DATA BREACHES
GDPR or no GDPR, I do everything in my power to protect myself from hackers, phishers and other potential intruders. I have good antiviral software on my computer, and anything I’ve archived to a memory stick goes in a very secure place. My PC itself is password-protected. I am, like most of us, on some of the popular social media platforms. If any of those organisations were compromised I would take steps to follow their advice immediately.
- DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
- DATA PROTECTION OFFICERS
Under GDPR rules, I do not need to appoint a “Data Protection Officer”. Within Wayward Creations, I take responsibility for data protection.
My lead data protection supervisory authority is the UK’s ICO.