My EU Statement Of Data Protection Compliance

I care about your data and am fully EUGDPR compliant. If you are worried about what I might do with your email address, please read the following statement. If you can’t be bothered (I don’t blame you – it’s incredibly boring) then please trust me: I will never spam you, add your email address to a database (unless you ask me to) and that’s a promise!



I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This document that follows explains how I comply. If you have given me your email address (by emailing me) you should read this to reassure yourself that I am looking after your data extremely responsibly.

If any of you understand this even better than me and believe there’s something else I should be doing, do let me know. I value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations and most authors are sole traders just doing our best to keep up.



I am a sole trader so there is no one else in my organisation to make aware. Hilton Creativity maintain my website, but have no access to emails.


The information I hold:

Email addresses of people who have emailed me and to whom I have replied – automatically saved in gmail and iCloud.

Email addresses, postal addresses and names of contacts in schools recorded in word documents on a password-protected computer.

I do not share this information with anyone.

If someone randomly asks for another person’s email address, unless both are known closely to me, I check with the other person first.


Communicating privacy information

I have put this document on my website.

I have added a link to my contact page.

I have made a link to this document on Twitter

I have made a link to this document on Facebook.


Individuals’ rights

On request, I will delete data.

If someone asked to see their data, I would take a screenshot of their entry/entries.


Subject access requests

I aim to respond to all requests within 24 hours and usually much sooner.


Lawful basis for processing data

If people have emailed me, they have given me their email address. I do not actively add it to a list but gmail or iCloud will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.



Once I’ve contacted everyone with a reminder about the T&C of my holding their data, I regard this consent as confirmed until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.

Consent is not indefinite, so I will make sure that I remind people who have contacted me that they can ask for their data to be removed.



Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address (but gmail would save it in my account.) Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.


Data breaches

I have done everything I can to prevent this, by strongly password-protecting my computer, Google and iCloud accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.


Data Protection by Design and Data Protection Impact Assessments 

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.


Data Protection Officers

I am not a major organization, so I do not need to appoint a Data Protection Officer. If I do, it will be me!



My lead data protection supervisory authority is the UK’s ICO.


Thank you for your patience and understanding!