My EU GDPR Statement of Data Protection Compliance

I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have given me your email address (by emailing me, buying something from my website or subscribing to my website, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly. I value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations and most authors are sole traders just doing our best to keep up.

My business is a partnership with my wife, Mrs Rayner. I have made her aware of the GDPR.

The information I hold:
Email addresses of people who have emailed me and to whom I have replied – automatically saved in Gmail and iCloud, and occasional emails redirected from my website by my Service Provider (SP).
Email addresses and names of people who have signed up to my mailing list via the opt-in link on my website – held by Mad
Email addresses, postal addresses (for physical items) and names of people who have bought something from my website. Orders are processed by which is securely password-protected. I have deleted all customers and have placed a message and link to this document at the top of my Sales Page.
I do not share this information with anyone. Ever. If someone randomly asks for another person’s email address, unless both are known closely to me, I always check with the other person first.
I have several YouTube accounts where viewers may comment. I generally reply, but I hold no data about them. This data is held by YouTube. I use strong passwords on my YouTube channels and two-factor authorisation. processes data and payments for me for my Patrons. I have no access to payment information, but do have email and some postal addresses. These have all been given voluntarily.
I have access to databases of followers on Twitter, Facebook and Instagram. I am the data controller but not the data processor of these databases – I use strong passwords and two factor authentication on these sites.
My WordPress website holds a database of followers. This is held and run by Automattic with their Jetpack plugin, which I believe to be fully compliant. I am not the data processor. Automattic have a privacy statement here.

Communicating privacy information
I am taking ten steps:

  • I have put this document on my website, with a link from my sign-up section for new subscribers and on the main about menu.
  • I have added a link to my email signature.
  • I have added a link to my contact page.
  • I have created a website article which will go to all subscribers on April 3rd 2018 with links to the document and the privacy statement of Automattic.
  • I have contacted my MadMimi mail list database and directed them to this document. I have reminded them that they double-opted into the list. I will alert them to any changes and remind them that they can unsubscribe at any time and their data will be deleted. The unsubscribe message is included in every mailing.
  • I have made a post to all my viewers on my YouTube channels giving a link to this article.
  • I have made a post with a link to this page to my Patrons on Patreon.
  • I have made a link to this document on Twitter.
  • I have made a link to this document on Instagram.
  • I have posted the link on Instagram.
  • I have made a link to this document on Facebook.

Individuals’ rights
On request, I will delete data.

If someone asked to see their data, I would take a screenshot of their entry/entries and send it to them.

If they unsubscribe themselves from the MadMimi mailing list, their data is automatically deleted.

For all other databases above, Data Subjects have their own accounts and can move themselves, and I will no longer have access to their data, which is controlled by the data processor. I understand that the data processor will remove data that is made no longer available to me by the data subject.

Subject access requests

I aim to respond to all requests within 24 hours and usually much sooner.

Lawful basis for processing data
If people have emailed me, they have given me their email address. I do not actively add it to a list but Gmail and iCloud will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
If people have opted into my MadMimi list (by subscribing) they have actively opted in, in the knowledge that they will receive occasional emails.
If people have bought something from my website, their postal and email addresses are saved by This is standard practice for purchasing online but I do not use their data for anything other than contacting them about a problem with the order. I will delete their email addresses and postal addresses after one year.
Followers of my WordPress Website have opted in and are given unsubscribe reminders with each email.
People comment on my YouTube videos and I comment back. This is standard practice. I can only see what data they make publicly available. My patrons on Patreon have knowingly volunteered their information and payment details because they have agreed to be my patrons. This is standard practice. I only contact them in pursuance of the aims of my Patreon page – teaching – talking about and promoting the art of drawing.

Once I’ve contacted everyone with a reminder about the T&C of my holding their data, I regard this consent as confirmed for a year, or until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.

Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.

Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address (but Gmail and iCloud would save it in my account). Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.

Young people also comment on my YouTube videos, Instagram or Twitter. I don’t know their ages unless they tell me. If they mention their ages I immediately delete their comment. Otherwise – not knowing their ages, but maybe guessing – I answer their questions honestly and may sometimes make drawing videos based on subjects they have suggested, in which case I may mention them in a video in thanks – this is common practice.

Data breaches
I have done everything I can to prevent this, by strongly password-protecting my computer and website as well as MadMimi, Google, Dropbox, Twitter, Ecwid, Facebook, Instagram and Patreon accounts with two step authentication. If any of those organisations were compromised I would take steps to follow their advice immediately.

Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.

Data Protection Officers

I am not a major organisation so I do not need to appoint a Data Protection Officer.

My lead data protection supervisory authority is the UK’s ICO. And after Brexit? Who knows!