GDPR Compliance Statement

I’m Jon Reed, and this is my personal blog. My other websites have their own policies, which you should read if you interact with me on any of those sites:

I have read the Information Commissioner’s Office guidelines for compliance with the new EU General Data Protection Regulation (GDPR) rules, and this page explains how this blog, jonreed.co.uk, complies.

This page is structured according to the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now” (this is a useful read if you’re grappling with GDPR yourself). In structuring this page I have also taken inspiration from Nicola Morgan’s GDPR Compliance Statement – which has been highlighted as a good example for authors by the Society of Authors.

Who is this statement for?

If you have given me your email address (for example by emailing me, signing up to a mailing list, subscribing to my latest blog posts via Feedburner, booking a place on one of my workshops via Eventbrite, or creating an account on Basecamp as a workshop participant), please read this to reassure yourself that I am looking after your data extremely responsibly. Those activities really relate to my other sites – especially Reed Media – but I’m listing them here too.

1. Awareness

jonreed.co.uk is a blog, and my personal website. It is, however, owned and operated by my business, Reed Media Limited, a company registered in England and Wales No. 5696728, whose registered address is: Reed Media Ltd, KD Tower, Plaza Suite 9, Cotterells, Hemel Hempstead, Herts, HP1 1FW, UK. I am the sole director of the company, and there is no one else in my organisation to make aware. I do not have any staff, colleagues, associates or freelancers who have access to my website data, email lists or any of my passwords.

2. The information I hold

1. Regular email. Email addresses of people who have emailed me and to whom I have replied. These are automatically saved in Apple Mail, the program I use to access my emails.

2. MailChimp. Email addresses and names of people who have signed up to my mailing lists via opt-in links on my other websites (Reed Media, Publishing Talk, Get Up to Speed). I do not currently have an email list for jonreed.co.uk – but I may in future. These lists are held in MailChimp. All my mailing lists are double opt-in, meaning that, after someone signs up, they get an email asking them to confirm that they really did sign up before any further emails are sent. They are also all GDPR compliant, with tick boxes for ‘Marketing Permissions’ and the ability to segment lists to email only those who have given their explicit permission for email marketing.

3. Feedburner. Email addresses of people who have subscribed to the jonreed.co.uk blog feed via Feedburner. This is a service provided by Google which enables people to get the latest blog posts of a particular blog via email. It’s delivered via the RSS feed of my blog. In theory, I can log into Feedburner and see email addresses of people who have subscribed this way. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else. This service is not currently promoted on the site – but has been in the past.

4. Paper.li. Email addresses of people who have subscribed to paper.li newsletters for Publishing Talk and Get Up to Speed. I use paper.li to generate automated online newspapers that are then shared on Twitter, including The Publishing Talk Daily, The #WriterWednesday Weekly and #HowToGetPublished Weekly for Publishing Talk, and The Online Marketing Weekly for Get Up to Speed. People may subscribe to receive these newsletters by email if they wish. This is a service provided by paper.li. I can, in theory, log into paper.li and download email addresses of people who have subscribed this way to a spreadsheet. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else.

5. Eventbrite. I use Eventbrite to sell tickets to (Reed Media / Publishing Talk) workshops, conferences and other events. When someone purchases a ticket (including a free ticket) to a workshop, conference or other event, Eventbrite sends certain automated emails (such as order confirmations and event reminders) and holds name and email data provided by the buyer for the purposes of completing the transaction. This is standard practice for purchasing online. I only use this data for communicating essential information with the buyer, such as venue changes, joining instructions, cancellations etc. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If workshop participants want to hear from me after an event they attend, they will need to sign up to a MailChimp mailing list.

6. Basecamp. Names, email addresses and passwords of people who have created an account and logged into Basecamp to access PDF resources from a (Reed Media) workshop. Passwords are not visible to me. This is purely to allow the account to be created, so the workshop participant can access the materials, and for purposes relating to the workshop itself, such as asking questions on a message board. I do not use this data for any other purpose outside the scope of the workshop. I might use it to contact the participant regarding any follow-up queries they may have, for example. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If workshop participants want to hear from me after an event they attend, they will need to sign up to a MailChimp mailing list.

7. WordPress Comments. In order to post a comment underneath a blog post, you will need to supply a name and email address. You may optionally supply a web address, which your name will link to. Your email address is not shown publicly, but can be seen by an Administrator (me) in the back end of the website. It will not be shared with anyone, harvested or used for marketing purposes. It is solely for the purpose of verifying your identity as a commenter. If your comment is approved, it will appear with the name you supply, which will link to any web address you have supplied.

8. PayPal. If someone buys something from me through PayPal (this may include Eventbrite tickets or PDF ebooks, through Reed Media or Publishing Talk), the email address that they use for their PayPal account is held by PayPal and visible by me. I would only ever use this email address to contact the buyer about an issue with their order, such as a refund for a cancelled workshop. This is standard practice for purchasing online. These emails are used for transactional purposes only, relating to specific orders, and not used for marketing or any other purpose.

9. Social Media. I can see information from social media activity such as when you ‘like’ my Facebook Pages or join my Facebook groups, join my LinkedIn groups, connect with me on LinkedIn or follow me on Twitter at @jonreed, @reedmedia, @publishingtalk or @getuptospeed. But I do not record, store or harvest this information, or use it for any purpose other than engaging with you on social media. This data is held by the respective social networks you are a member of, and you should familiarize yourself with their privacy settings and policies.

No email addresses are shared with anyone. I hate spam, and will not send you any unsolicited marketing. I will only send you emails or other marketing messages where you have signed up to receive these. Marketing emails you have signed up to will always include an ‘unsubscribe’ link, should you decide that you no longer wish to receive them.

3. Communicating privacy information

I am taking four steps:

  1. I have put this page on the jonreed.co.uk website, and will add a link from any sign-up forms for new subscribers if I create a MailChimp for this site in future.
  2. I will add a link to my email signature for any emails I send from jonreed.co.uk.
  3. I will add a link to my Contact page.
  4. I will add a link to the footer of this website.

4. Individuals’ rights

  • On request, I will delete data.
  • If someone asked to see their data, I would take a screenshot of their entry/entries.
  • If someone unsubscribes themselves from a MailChimp list, their data is automatically deleted.

5. Subject access requests

I will aim to respond to all requests within 24 hours.

6. Lawful basis for processing data

1. Regular emails. If people have emailed me, they have given me their email address. I do not actively add it to a list but Apple Mail will save it, and I may save it to the Contacts app on my iPhone if it is someone I am likely to be in regular contact with. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.

2. MailChimp email lists. MailChimp is the email service provider I use for email marketing. It is GDPR compliant. All my email signup forms have specific GDPR consent boxes provided by MailChimp. If people have opted into my MailChimp lists they have actively opted in, as all my lists are double opt-in.

Rather than repeat the extensive details here, for full details of the various email lists and their contents and consents, please see the separate GDPR Compliance Statements for Reed Media, Publishing Talk and Get Up to Speed with Online Marketing.

All existing subscribers for all lists were emailed before 25th May 2018 with an explanation of the changes, what they need to do to re-consent, a reminder they can unsubscribe any time, and a link to the relevant GDPR Compliance Statement page. Only people who have re-consented will be emailed in future; those on existing lists who do not re-consent will have all their data deleted from those lists and will receive no further emails, unless they choose to re-subscribe at a future date.

Any subscribers who do NOT tick the ‘Email’ box in the Marketing Permissions will be deleted from the list within one year, and usually within three months. This gives ample time for the subscriber to update their preferences if they wish. A list-cleaning exercise to remove any non-consented subscribers will take place around 25 May each year regardless.

3. Feedburner. People can subscribe to receive the latest jonreed.co.uk blog posts using a Google service called Feedburner. This uses the website’s RSS feed to email those who have signed up to receive the blog feed in this way. This is a double opt-in procedure, and there is an ‘unsubscribe’ link in every email sent. This service is not currently promoted on the site, but has been in the past and may be in the future.

4. Paper.li. People can subscribe by email to receive the latest Publishing Talk paper.li online newspapers, including The Publishing Talk Daily, The #WriterWednesday Weekly and #HowToGetPublished Weekly for Publishing Talk, and The Online Marketing Weekly for Get Up to Speed. This is a service provided by paper.li. There is an ‘unsubscribe’ link in every email sent. I can, in theory, log into paper.li and download email addresses of people who have subscribed this way to a spreadsheet. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else.

5. Eventbrite. I use Eventbrite to sell tickets to (Reed Media / Publishing Talk) workshops, conferences and other events. When someone purchases a ticket (including a free ticket) to a workshop, conference or other event, Eventbrite sends certain automated emails (such as order confirmations and event reminders) and holds name and email data provided by the buyer for the purposes of completing the transaction. This is standard practice for purchasing online. I only use this data for communicating essential information with the buyer, such as venue changes, joining instructions, cancellations etc. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If any participant wants to hear details of new workshops, they must actively sign up to a separate double opt-in mailing list that includes the required GDPR consents.

6. Basecamp. Basecamp is a project management site. I use it to share PDF resources with (Reed Media) workshop participants, and it is also useful for communicating joining instructions and answers to follow-up questions with a group. Users need to enter a name, email address and password to access the service. These are only used for the purposes of delivering the workshop and related resources. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If any participant wants to hear details of new workshops, they must actively sign up to a separate double opt-in mailing list that includes the required GDPR consents.

7. WordPress comments. The jonreed.co.uk website is built on WordPress, a popular Content Management System (CMS). One feature is the ability for blog readers to submit comments on blog posts. In order to post a comment underneath a blog post, a reader will need to supply a name and email address. They may optionally supply a web address, which their name will link to. Their email address is not shown publicly, but can be seen by an Administrator (me) in the back end of the website. It will not be shared with anyone, harvested or used for marketing purposes. It is solely for the purpose of verifying someone’s identity as a commenter. If a comment is approved, it will appear with the name supplied, which will link to any web address supplied.

8. PayPal. If someone buys something from me through PayPal (this may include Eventbrite tickets or PDF ebooks through Reed Media or Publishing Talk), the email address that they use for their PayPal account is held by PayPal and visible by me. I would only ever use this email address to contact the buyer about an issue with their order, such as a refund for a cancelled workshop. This is standard practice for purchasing online. These emails are used for transactional purposes only, relating to specific orders, and not used for marketing or any other purpose.

7. Consent

I have taken steps to refresh consents. Before 25 May 2018 I contacted all my MailChimp databases with ‘re-confirmation’ emails, which invited people to re-consent to receive emails from me by updating their preferences. These now include check boxes for Marketing Permissions according to MailChimp’s new GDPR-compliant form fields. I included a link to this page in the emails, and a reminder that they can unsubscribe at any time. Only people who re-consent will be emailed in future; those on existing lists who do not re-consent will have all their data deleted from those lists.

I am doing this even though the original lists were double opt-in and clear about the purpose of the list, because I want to ensure full compliance with the new GDPR regulations, because some lists had previously been mailed infrequently (3-4 times per year), and because I only want people on my lists who absolutely, definitely want to hear from me.

Once someone has re-consented, I regard this consent as confirmed until the person asks me to remove the data, or until I run a new re-confirmation campaign. I have never harvested email addresses, nor would I. Anyone on my lists has actively opted in via a double opt-in list.

I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed in every email.

8. Children

Neither jonreed.co.uk nor any of my other websites are aimed at children. To the best of my knowledge, the youngest people who engage with my Reed Media, Publishing Talk or Get Up to Speed, or sign up to my mailing lists, are higher-education students.

9. Data breaches

I have done everything I can to prevent this, by strongly password protecting my computers, MailChimp, Dropbox, Basecamp, Eventbrite and other accounts. I also use two-factor authentication where available, for example for MailChimp and Dropbox. If any of those organisations were compromised I would take steps to follow their advice immediately.

The only personal data that is held on the jonreed.co.uk website itself is that of commenters (names, email addresses, comments). Email addresses are never visible to website visitors, and are only used in the ‘back end’ for administrative purposes. The blog is not currently very active, and there are very few comments. Any data breach would therefore be low-impact (and would only really impact me!).

The website is built on WordPress, a robust platform that has strong password protected logins and uses reCAPTCHA to deter automated software and bots. I keep WordPress updated to the latest version. Any hacking or other compromise to the site would also be immediately noticed by my hosting provider, who would alert me and advise me on steps to take.

10. Data Protection by Design and Data Protection Impact Assessments

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.

11. Data Protection Officers

I have appointed myself, Jon Reed, as the Data Protection Officer (DPO), in the absence of anyone else.

12. International

My lead data protection supervisory authority is the UK’s ICO.

Updates

This page will be updated from time to time. Please check back frequently to see any updates or changes to this GDPR Compliance Statement. If there are any substantial changes I will announce them by email, on social media and in a blog post.

Contact

Questions, comments and requests regarding this GDPR Compliance Statement are welcome, and should be addressed to privacy@jonreed.co.uk.

Further information

Please also read my Privacy Policy and Cookie Policy.