GDPR compliance and privacy statement
The new General Data Protection Regulations (GDPR) come into force on 25 May 2018. All businesses are required to confirm their compliance with the regulations and I am therefore doing so in this post and the associated Privacy Statement.
These features of my business lead me to understand some aspects of the GDPR are not relevant to my business.
• I am and have always been (and intend to remain) a sole trader with no employees
• I do not have a mailing list
• I do not collect data from my website apart from sign-ups to receive blog posts by email
How do I collect data?
I collect data in three ways:
• Data on clients themselves to enable me to fulfil my obligations to the HMRC
• Work files which may include data on the client and their client or subject / research participant, or electronic audio files (‘tapes’) and Word or PDF files (together, ‘work files’)
• Email data via my WordPress website when a reader requests to receive my blog posts via email
What data do I collect?
I only ask for data from my clients that I need to fulfil my obligations to the UK tax authority (HMRC) which encompasses name, address and email data. This comes into the category of data collected on a lawful basis at the request of the authorities. I have to include a name and address on my invoice and that is the only personal data I request from my clients.
For a new client, I actively ask them to accept my terms and conditions before proceeding, and this document falls under my terms and conditions. Existing clients have agreements with me already or have agreed to versions of my terms and conditions existing when they became a client.
Data containing identifiable details for clients and their own clients / research participants may be included in the work files. Although this comes under the heading of ‘sensitive data’ I do not actively collect this data and it is used solely for the purpose of completing the client’s work.
Data on email addresses from people who wish to read my WordPress blog posts via email is collected by WordPress and I do nothing further with it.
In all cases, this data is collected on an opt-in only basis:
• Clients contact me and I retain their information once a client-provider relationship is established
• Clients send me their work files and their clients / research subjects have agreed to have the work files processed by me / a third party in general / the client and their associates
• Readers opt in to read my blog posts via email and I am unable to opt anyone in on their behalf
Where do I store data?
The information I collect from clients is stored in my email system. My invoices to them and any work files they have sent me are stored in my digital filing system (on my password-secured PC with anti-virus protection behind a firewall and on two external storage (not cloud) systems which will be upgraded to being encrypted within the next year).
Data on WordPress email subscribers is kept only within WordPress.com’s system and I do not download or otherwise access it. I am advised that WordPress will be issuing GDPR compliance statements themselves and readers will be able to access this via WordPress.com.
How long do I keep data for?
I have to retain the information I keep on clients for five years from the date of my tax return (see the example dates given on HMRC’s website).
I typically retain audio files for one month and work files for up to two years, unless I have signed an NDA with my client to do otherwise. Tapes and files are deleted after this time and a new back-up is started regularly to make sure this data is also removed from my external data storage devices.
I retain style sheets for clients for the length of the client relationship. If I do not hear from the client, I keep the sheet for a maximum of three years, after which I will delete the style sheet and other files.
Reader email information is retained by WordPress while they are subscribing to my blog posts. I understand that WordPress.com will be issuing a statement on how they use this data in due course.
How does a client remove data (right to get data deleted)?
Regarding invoices, if a client wishes me to delete all emails and invoices from my files, after the period stated above, I will do this upon receipt of an email request from the client.
Regarding work files, if a client wishes me to delete them, I will do this upon receipt of an email request from the client. If a third party client’s client or research participant requests this, they must do so to my client who will pass the request on to me.
Regarding blog post email alerts, there is an unsubscribe link at the bottom of each email received, allowing the reader to unsubscribe at any point.
I understand this to fulfil the requirement that opting out has to be as easy as opting in.
Right of access
Clients have the right to check what data I have stored for them and I will provide information on this within 48 hours of their request. Third parties must request this from their contact rather than from me.
Right to get data corrected
If a client finds I have incorrect data for them, upon their request by email I will amend that data. See note on third parties above.
Right to data portability
I do not hold any complicated data outside of a client’s name, address and email address and work files. If a client wishes to obtain this data to move it to another supplier, I will provide all data to them within 48 hours. See note on third parties above.
How do I share data and what do I share?
I do not share any client data with any third parties except when specifically and overtly requested to by the client. This would only occur if I was passing overflow work to a colleague. In this situation, I will contact my client with my colleague’s name, email address and website (which are all publicly available), with their consent, and may pass non-sensitive data on pricing and invoicing procedures back to my colleague, with my client’s consent.
No data is used for marketing or selling purposes.
I do not share any data with any other editors, proofreaders, businesses or third parties (with the exception of HMRC (the UK tax authority) if they request to see all my files for audit as this is a legal requirement).
It is my understanding that the above statements mean that as a sole trader, I will be compliant with the GDPR.
If you have any questions about what I do with data or want confirmation on any further elements before agreeing to work with me, please do not hesitate to ask.
This is an EU regulation and I will be compliant with it as long as the UK remains within the EU. It is expected that the UK will implement similar rules upon exit from the EU, and I will update this statement as and when I need to and will expect my clients to check this statement regularly for updates.
I am grateful to the ICO for providing detailed information on the GDPR and Kate Haigh for posting on this topic and providing a good model for other editors; all errors are my own and I have researched the topic independently.