I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have given me your email address (by emailing me, or subscribing to my website or newsletter via my website or during events, for example), please read this to be reassured that I’m looking after your data extremely responsibly.

I value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for large corporations and as a sole trader and a working author, I’ll do my best to comply.


I’m a sole trader and freelance author. Apart from writing, I visit schools, libraries, bookshops and literature festivals. I assure you that I’m fully aware of the above-mentioned regulation and its requirements.

The information I hold:

  • Email addresses of people who have emailed me and to whom I have replied – automatically saved in Gmail, (our mail and web service provider) and iCloud and (a newsletter service).
  • Email addresses and names of people who have signed up to my mailing list via the opt-in link on my website held by
  • Email addresses, postal addresses and names of people who I’ve worked with over the years, in my professional capacity. These are held as lists in our email servers as above.
  • My Facebook Author page has subscribers who have liked the page. But I hold no personal information about these followers. These are managed and processed by Facebook as per their own policies of usage.
  • My Instagram page has subscribers who follow my posts. But I hold no personal information about these followers. These are managed and processed by Instagram / Facebook as per their own policies of usage.
  • My YouTube account may contain viewer comments. But I hold no data about viewers or commenters. These are managed and processed by YouTube as per their own policies of usage.
  • I have access to the followers of my Twitter account @csoundar. While I’m the data controller of this account, I do not process this data. Anyone who does not wish to follow can unfollow at any time as per Twitter’s regular procedures.
  • My WordPress website and holds a database of followers. This is held and run with the Jetpack plugin (by Automattic), who we believe are fully compliant. I’m not the data processor in this case either. Automattic have a privacy statement here.

As a professional writer, I do not share any of the above information with anyone.

Communicating privacy information

  • This document will be available from the link Privacy Policy from and
  • I will also communicate this to existing subscribers to my mailing list and remind them that they can unsubscribe at any time. The unsubscribe message is also included in every mailing. When they unsubscribe, their data is automatically deleted.
  • I’ll post this message on our YouTube, Twitter, Instagram and Facebook accounts as well. If anyone unsubscribes / unfollows, their data is automatically deleted.
  • On request, I will delete any data held.
  • If someone asked to see their data, I would take a screenshot of their entry/entries and send to them.

Subject access requests

I’m a sole trader, freelance writer who often travels for work. I will aim to respond to all requests within a reasonable timeframe – not more than 7 days and usually much sooner.

Lawful basis for processing data

If people have emailed me or contacted me via the website, they have given us their email address. If anyone has subscribed to my mailing list or followed me on any of the social media platforms, they have actively opted in, in the knowledge that I will contact them occasionally.

I do not actively add it to a list except for the various instances listed above and will not do so without valid permission.


Once I’ve communicated our privacy terms of holding data, I regard this consent as confirmed for a year, or until the person asks us to remove the data. I will remind my subscribers/followers to review their subscription / follows regularly.


I’m not normally contacted by children and do not correspond with them through our various social media presence. However, I do not know the ages of my followers on social media platforms and will rely on the platform to apply their parental consent policies. Any request for parental consent will be handled by the data processor in each case.

Data breaches

I protect the data we hold by strong passwords across the digital platforms I use. If any of those platforms were compromised I would take steps to follow their advice immediately.

Data Protection by Design and Data Protection Impact Assessments

We have familiarised ourselves with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that we are using best practice.

Data Protection Officers

I’m not a major organisation and so do not need to appoint a Data Protection Officer.


As I’m a UK citizen and based in the UK, my lead data protection supervisory authority is the UK’s ICO as of 25th May 2018.