I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have sent me an email or contacted me through any medium, including, for example, a platform such as ProZ, and disclosed any personal information subject to the above-mentioned regulation (such as your full name, email address or phone number), please keep reading to be reassured that I am looking after your data responsibly.
The following sections have been based on the ICO booklet, “Preparing for the General Data Protection Regulation: 12 Steps to Take Now” and other information provided by the ICO, such as their “GDPR consent guidance”.
Awareness
I am self-employed and have no partners or employees, so there is nobody else to be made aware of the new regulation.
The information I hold:
- Names and email addresses of people who have emailed me. These have automatically been saved on Microsoft Exchange, Outlook (desktop application) and my phone (only for a week).
- Names, email addresses, phone numbers, websites and/or work addresses of people who have emailed me. Such personal information would be contained within their email signatures, which they have chosen to display. These data have automatically been saved on Microsoft Exchange, Outlook (desktop application) and my phone (only for a week).
- Names and email addresses of people who have contacted me through the translation platform ProZ if they have chosen to disclose them within their message (to prevent spam, ProZ automatically generates an email address which only works for communication within their platform). These have automatically been saved on Microsoft Exchange, Outlook (desktop application) and my phone (only for a week).
- Names and email addresses of people who have contacted me through the form on my website. These have automatically been saved on Microsoft Exchange, Outlook (desktop application) and my phone (only for a week).
I do not share this information with anybody. If a person or organisation were to ask for the details of another, I would always ask for latter’s permission before sharing any personal data.
Communicating privacy information
I am taking four steps:
- I have created a new page on my website (“GDPR Compliance web page”) where I have posted this document in full.
- I have added a link to the GDPR Compliance web page on the contact section of my website.
- I have added a link to the GDPR Compliance web page on my email signature.
- I have added a link to the GDPR Compliance web page on my ProZ profile.
Individuals’ rights
I will delete data on request unless I need to keep certain information for legal purposes in processes such as invoicing and tax returns.
If somebody asks to see their data, I will take a screenshot of how it appears on my computer and send it to them.
Subject access requests
I aim to respond to all requests within 24 hours and usually much sooner.
Lawful basis for processing data
If people have contacted me, they have often given me their name, email address, phone number and/or other personal information. I do not actively add these details to any database, but they are automatically saved in my Microsoft Exchange email account, Outlook (desktop application) and my phone (only for a week). I will not export this information to any other place unless I am legally required to save it. The following points list all those instances in which I export emails or save personal information outside Microsoft Exchange, Outlook or my phone:
- Purchase Orders: They need to be saved as evidence that a work contract has been established between an individual/organisation/agency and me. These are mostly automatically generated and do not contain any personal information but can occasionally be sent from an individual and therefore, display their full name, email address and/or other personal data.
- Estimates: They need to be kept as evidence in case a client defaults on a payment or pays the incorrect amount. These include the name and work address of the client’s organisation/agency and the first name of the contact person, but they could include the full name of the client if they are an individual.
- Invoices: They need to be kept as evidence for tax purposes and in case a client defaults on a payment or pays the incorrect amount. These include the name and work address of the client’s organisation/agency, but they could include the full name of the client if they are an individual.
All these instances fall into one of the alternatives to consent which constitute another lawful basis to processing personal data and which can be found in the ICO’s “GDPR consent guidance”.
Consent
As explained in the previous section, when people contact me to request my availability, commission a translation job or send me a purchase order, they are not giving me explicit consent to process their information. However, these instances are covered by at least one of the alternatives to consent which constitute another lawful basis to processing personal data. I have copied below the relevant points from the ICO’s “GDPR consent guidance” which apply in my case:
If you are looking for another lawful basis, these are set out in Article 6(1). In summary, you can process personal data without consent if it’s necessary for:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
- Compliance with a legal obligation: if you are required by UK or EU law to process the data for a particular purpose, you can.
Children
I have never been contacted by children and it is unlikely that I ever will. I always research every potential client who contacts me, and I would immediately delete any request coming from children.
Data breaches
I have done everything I can to prevent this, by strongly password-protecting my website and protecting my Microsoft 365 account and phone with two step authentication. I have also protected my laptop with the Windows 10 PIN, which is tied to the specific device on which it was set up, meaning that even if somebody had my PIN, they could still not access the contents of my laptop remotely. If any of the organisations running these services were compromised, I would take steps to follow their advice immediately.
Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party and believe that I am using best practice.
Data Protection Officers
I am not a major organisation, so I do not need to appoint a Data Protection Officer.
International
My lead data protection supervisory authority is the UK’s ICO.