GDPR, privacy and me – and you

Running a business of any kind means you will have information – data – about your clients and contacts and their projects. It has always been important to take care of that data, but changes to the EU-wide data protection rules (GDPR) have made this a hot topic. If you contact me, here’s how I will keep your details and protect your work.

This post explains the actions Melanie is taking to comply with the GDPR, and states her business Privacy and Data Protection Policy.

Being prepared

‘Lend a hand’ was the motto I learned during my short stint as a member of the Brownies (aged 8). I took that to heart and have been lending a hand ever since: it’s what editors are good at. But I also learned the Scouts’ motto – Be prepared – which has also stood me in good stead.

Over recent months I’ve been getting prepared for the introduction of the GDPR, on 25 May 2018. I started reading up about it last year, as part of the preparations for my research project proofreading2020. The topic is also on my work-related radar because I will be delivering a seminar at the SfEP Conference in September titled ‘Don’t panic: How to stay calm in a crisis’. That will certainly overlap some aspects of the GDPR and data protection.

But even without those prompts, it would have been difficult to avoid knowing that something is happening.

If you’ve ever signed up to any online services – from home-delivered groceries to business improvement newsletters – you will have received numerous emails over recent months asking you to confirm your data preferences. (I received another one while I was in the process of typing that sentence!) The changes have been discussed at length in forums and groups where editors, proofreaders and writers/journalists share notes on business practices and CPD. The problem is, there is not a simple answer to the basic question: ‘What am I supposed to do?’

Think about it for a moment and it’s understandable: there are so many businesses, organisations and individuals who are ‘data processors’, and so many different ways in which we hold and process data that a one-size-fits-all policy simply isn’t practical. Even the Information Commissioner’s Office, which is charged with overseeing compliance, acknowledges this right at the beginning of its Guide to the General Data Protection Regulation (GDPR), saying it is ‘a living document and we are working to expand it in key areas’.

As part of my research I also learned, during an interesting meeting of my NUJ branch, that journalists are exempt from some parts of the regulations because they need to protect the confidentiality of their sources (e.g. the need to ‘cleanse’ data – because you may need to contact someone again in the future). But freelancers who need to promote themselves through conventional marketing techniques are not exempt. For them, the implication is that it’s necessary to keep two separate contact lists or address books: one for people who are ‘sources’ and one for marketing-type activities.

Thankfully I do not, never have done and probably never shall do work that comes under the category ‘investigative journalism’; there are many data protection complexities surrounding that type of work.

For me, the simple solution was to work through the Data protection self assessment toolkit and some helpful blog posts, then put in place the steps described below.

The GDPR is primarily about personal information, but its introduction has stirred me to implement a more rigorous procedure to protect all my files.

Protecting your work

My editorial training and experience – particularly my time as a civil servant – turned me into a filing fiend. I keep versions, notes and everything else to do with all my projects, and even though my work mostly arrives by email these days I still keep lots of papery things and I still print some work out. (It’s a great strategy for taking a fresh view when proofreading.) I also keep paper copies of contracts, receipts, invoices (all kept for seven years, minimum), daily diary and lots of other bits and pieces.

Paperwork is filed away, and every now and then I filter out old materials. If the paper is blank on one side I may put it in my scrap box for reuse, providing what’s already on it is not confidential. Everything else gets shredded.

Digital files are a separate problem, though. I have always kept everything: all the versions. Having an ‘audit trail’ is a good habit I don’t want to break. It can be useful when reviewing my own practice and procedures (CPD) or to be able to go back to a project completed five years ago to check what changes were made in a second edition, or whether a certain story was covered in client X’s newsletter. I have been able to help clients out by checking things in my archive. Some clients, though, ask for materials to be deleted and of course I am happy to comply with that (see Privacy and Data Protection Policy, below).

Protecting personal data

In general, I collect/store:

  • name, email address, postal address if you provided one, phone numbers, job title

If I have paid you for a service, I will also have details of how to send the payment (e.g. information needed for BACS transfer).

My website collects the minimum information possible, namely:

Over the 18 years I’ve been running my own business I’ve been contacted by hundreds of clients, suppliers and colleagues, and that means I have their contact details. I sometimes use that contact information at a later date (e.g. to say I’m available for work, or to put a colleague in touch with a potential client, or to ask a supplier to provide a service). These informal business-to-business communications are what makes the economy flow.

Under the GDPR you are now able to contact me to ask what personal information I hold about you and to ask me to delete it. That’s fine: can do, no problem.

  • Please simply contact me using the details at the top of this website, if necessary.

Slightly more complicated, though, are the ‘marketing’ messages I may send out. I currently manage three channels, and I’ve now updated my processes to make them GDPR compliant:

  • I used to run an email newsletter that had about 2000 recipients (Get Sust!) and until November 2010 I handled the mailings direct from my computer. The recipients were all correctly opted in (and therefore theoretically it’s a GDPR-compliant list). But that was a long time ago, so I had a lot of old contact details in my address book. Many of those have now been deleted, and the Home page for the Get Sust! website gives updated information about the newsletter.
  • My research project, proofreading2020, is currently generating a separate list of contacts but because that was launched a few weeks ago with GDPR looming, I have been able to incorporate the necessary permissions in order to compile a new, separate mailing list to keep people up to date with the project.
  • I maintain one ‘marketing’ email list that I use a couple of times a year to send an informal newsletter to say hello and let current/past clients, suppliers and colleagues know what I’ve been up to or alert them to specific projects or activities. The newsletter is generated through MailChimp. If you are on that list, you will receive an alert from me before 25 May asking you to confirm you’re happy to receive these or to ‘unsubscribe’.

There are other ways we can keep in touch if you don’t want to join my formal mailing list: LinkedIn, Twitter, my SfEP Directory entry, my Facebook business page and various other online directories (e.g. NUJ).

Privacy and Data Protection Policy

Here is my 2018 Privacy and Data Protection Policy, which can also be accessed from the link in the footer of my website pages.

Version 1.0 May 2018.

Data Protection

  1. All project-related files for ‘live’ projects are stored on a password-protected computer that only I control.
  2. All emails for ‘live’ projects are stored on a password-protected computer that only I control.
  3. Files are backed up regularly to an external hard drive which is stored in a secure location and is also password protected.
  4. All project-related files and all emails for ‘completed’ projects are stored in a password-protected archive.
  5. I do not use cloud storage for client materials unless by prior arrangement (e.g. for the purpose of sharing files with clients or colleagues via Dropbox or Google Docs).
  6. I have taken steps to protect the security of information on my mobile phone and external hard drives.
  7. I have a security procedure in place that ensures all personal data is irretrievably wiped from all old devices before I dispose of them.

Personal Data

  1. I collect your personal data (as defined under the GDPR) so that I can: provide you with a service; respond to your enquiries; keep you up to date with new services/availability.
  2. I keep your data while you are a client and after your project is completed (for tax purposes).
  3. I collect your data directly (i.e. when you provide your details or join my mailing list).
  4. I do not share your personal data with third parties unless I have asked for your permission to do so.
  5. I will not sell, lease or distribute your personal information to third parties unless I am compelled by law to do so.
  6. You can opt out of any marketing communications at any time by emailing me or using an unsubscribe link.
  7. All new and existing clients are made aware of my Privacy and Data Protection Policy via links in my main email signature: (a) to this Policy; and (b) to join or unsubscribe from my newsletter mailing list (which is hosted by a GDPR-compliant provider).