GDPR Compliance Statement

I’m Jon Reed, the author of Get Up to Speed with Online Marketing (2e, Pearson Business, 2013). I have read the Information Commissioner’s Office guidelines for compliance with the new EU General Data Protection Regulation (GDPR) rules, and this page explains how this book blog, Get Up to Speed (www.getuptospeed.biz), complies.

This page is structured according to the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now” (this is a useful read if you’re grappling with GDPR yourself). In structuring this page I have also taken inspiration from Nicola Morgan’s GDPR Compliance Statement – which has been highlighted as a good example for authors by the Society of Authors.

Who is this statement for?

If you have given me your email address (for example by emailing me, signing up to a mailing list, subscribing to the latest Get Up to Speed blog posts via Feedburner, booking a place on one of my workshops via Eventbrite, or creating an account on Basecamp as a workshop participant), please read this to reassure yourself that I am looking after your data extremely responsibly.

1. Awareness

Get Up to Speed (www.getuptospeed.biz) is a blog, and the website for my book Get Up to Speed with Online Marketing. It is essentially a book blog – but is owned and operated by my business, Reed Media Limited, a company registered in England and Wales No. 5696728, whose registered address is: Reed Media Ltd, KD Tower, Plaza Suite 9, Cotterells, Hemel Hempstead, Herts, HP1 1FW, UK. I am the sole director of the company, and there is no one else in my organisation to make aware. I do not have any staff, colleagues, associates or freelancers who have access to my website data, email lists or any of my passwords.

2. The information I hold

1. Regular email. Email addresses of people who have emailed me and to whom I have replied. These are automatically saved in Apple Mail, the program I use to access my emails.

2. MailChimp. Email addresses and names of people who have signed up to my mailing lists via opt-in links on the Get Up to Speed website. These lists are held in MailChimp. All my mailing lists are double opt-in, meaning that, after someone signs up, they get an email asking them to confirm that they really did sign up before any further emails are sent. They are also all GDPR compliant, with tick boxes for ‘Marketing Permissions’ and the ability to segment lists to email only those who have given their explicit permission for email marketing.

3. Feedburner. Email addresses of people who have subscribed to the Get Up to Speed blog feed via Feedburner. This is a service provided by Google which enables people to get the latest blog posts of a particular blog via email. It’s delivered via the RSS feed of my blog. In theory, I can log into Feedburner and see email addresses of people who have subscribed this way. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else.

4. Paper.li. Email addresses of people who have subscribed to our paper.li newsletter The Online Marketing Weekly. I use paper.li to generate an automated online newspaper that is then shared on Twitter. People may subscribe to receive this newsletter by email if they wish. This is a service provided by paper.li. I can, in theory, log into paper.li and download email addresses of people who have subscribed this way to a spreadsheet. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else.

5. Eventbrite. I use Eventbrite to sell tickets to workshops, conferences and other events. When someone purchases a ticket (including a free ticket) to a workshop, conference or other event, Eventbrite sends certain automated emails (such as order confirmations and event reminders) and holds name and email data provided by the buyer for the purposes of completing the transaction. This is standard practice for purchasing online. I only use this data for communicating essential information with the buyer, such as venue changes, joining instructions, cancellations etc. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If workshop participants want to hear from me after an event they attend, they will need to sign up to a MailChimp mailing list.

6. Basecamp. Names, email addresses and passwords of people who have created an account and logged into Basecamp to access PDF resources from a workshop. Passwords are not visible to me. This is purely to allow the account to be created, so the workshop participant can access the materials, and for purposes relating to the workshop itself, such as asking questions on a message board. I do not use this data for any other purpose outside the scope of the workshop. I might use it to contact the participant regarding any follow-up queries they may have, for example. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If workshop participants want to hear from me after an event they attend, they will need to sign up to a MailChimp mailing list.

7. WordPress Comments. In order to post a comment underneath a blog post, you will need to supply a name and email address. You may optionally supply a web address, which your name will link to. Your email address is not shown publicly, but can be seen by an Administrator (me) in the back end of the website. It will not be shared with anyone, harvested or used for marketing purposes. It is solely for the purpose of verifying your identity as a commenter. If your comment is approved, it will appear with the name you supply, which will link to any web address you have supplied.

8. PayPal. If someone buys something from me through PayPal (this may include Eventbrite tickets or PDF ebooks), the email address that they use for their PayPal account is held by PayPal and visible by me. I would only ever use this email address to contact the buyer about an issue with their order, such as a refund for a cancelled workshop. This is standard practice for purchasing online. These emails are used for transactional purposes only, relating to specific orders, and not used for marketing or any other purpose.

9. Social Media. I can see information from social media activity such as when you ‘like’ the Get Up to Speed Facebook page, join the LinkedIn group or follow @getuptospeed on Twitter. But I do not record, store or harvest this information, or use it for any purpose other than engaging with you on social media. This data is held by the respective social networks you are a member of, and you should familiarize yourself with their privacy settings and policies.

No email addresses are shared with anyone. I hate spam, and will not send you any unsolicited marketing. I will only send you emails or other marketing messages where you have signed up to receive these. Marketing emails you have signed up to will always include an ‘unsubscribe’ link, should you decide that you no longer wish to receive them.

3. Communicating privacy information

I am taking eight steps:

  1. I have put this page on the Get Up to Speed website, and have added a link from sign-up forms for new subscribers.
  2. I will write a blog post about the importance of GDPR. This post will link to this page.
  3. I will add a link to my email signature for any emails I send from getuptospeed.biz.
  4. I have added a link to the Get Up to Speed Contact page.
  5. I have added a link to the footer of the Get Up to Speed website.
  6. I will share a link to this page on key Get Up to Speed social media accounts, including Twitter, Facebook and LinkedIn.
  7. I contacted my MailChimp database on 22 May 2018 with a ‘re-confirmation’ email, which invited people to re-consent to receive emails from me by updating their preferences, which now include check boxes for Marketing Permissions according to MailChimp’s new GDPR-compliant form fields. I included a link to this page in the emails.
  8. In every email I remind people of what they signed up to and how they signed up, and alert them to any changes (for example, there is now a monthly update). I also include an ‘unsubscribe’ link in every email and remind them that they can unsubscribe at any time and their data will be deleted.

4. Individuals’ rights

  • On request, I will delete data.
  • If someone asked to see their data, I would take a screenshot of their entry/entries.
  • If someone unsubscribes themselves from a MailChimp list, their data is automatically deleted.

5. Subject access requests

I will aim to respond to all requests within 24 hours.

6. Lawful basis for processing data

1. Regular emails. If people have emailed me, they have given me their email address. I do not actively add it to a list but Apple Mail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.

2. MailChimp email lists. MailChimp is the email service provider I use for email marketing. It is GDPR compliant. All my email signup forms have specific GDPR consent boxes provided by MailChimp. If people have opted into my MailChimp lists they have actively opted in, as all my lists are double opt-in. Subscribers do so in the knowledge that they will receive the following:

  • For the Get Up to Speed 5-Day Email Course:
    • a one-page PDF social media marketing plan template
    • five email tutorials delivered by autoresponder over the following five days explaining how to fill it in
    • very occasional updates (up to 3 times a year) about any workshops on online marketing I run for small businesses that may be of interest
    • any major updates relating to the website or book (such as if there was a new edition available).
  • For the Get Up to Speed Online Course list:
    • a notification once an online course based on Get Up to Speed with Online Marketing is available.

All existing subscribers were emailed on 22 May 2018 with an explanation of the changes, what they need to do to re-consent, a reminder they can unsubscribe any time, and a link to this page. Only people who re-consent will be emailed in future; those on existing lists who do not re-consent will have all their data deleted from those lists and will receive no further emails, unless they choose to re-subscribe at a future date.

From 25 May 2018, subscribers to my Get Up to Speed 5-Day Email Course will still receive the PDF download they have requested on subscribing to the list – but they will ONLY receive the subsequent five email tutorials if they have ALSO checked the ‘Email’ box in the Marketing Permissions section of MailChimp’s new GDPR compliant signup forms. MailChimp provides email list segmentation tools to enable this.

Any subscribers who do NOT tick the ‘Email’ box in the Marketing Preferences will be deleted from the list within one year, and usually within three months. This gives ample time for the subscriber to update their preferences if they wish. A list-cleaning exercise to remove any non-consented subscribers will take place around 25 May each year regardless.

The Get Up to Speed Online Course list is intended purely to announce (if and) when an online course relating to the Get Up to Speed with Online Marketing book becomes available. It exists for readers to register their interest in such a course, and will not be used for any other marketing purpose. This list will also be re-consented before 25 May 2018.

3. Feedburner. People can subscribe to receive the latest Get Up to Speed blog posts using a Google service called Feedburner. This uses the Get Up to Speed website’s RSS feed to email those who have signed up to receive the blog feed in this way. This is a double opt-in procedure, and there is an ‘unsubscribe’ link in every email sent.

4. Paper.li. People can subscribe by email to receive our paper.li online newspaper The Online Marketing Weekly. This is a service provided by paper.li. There is an ‘unsubscribe’ link in every email sent. I can, in theory, log into paper.li and download email addresses of people who have subscribed this way to a spreadsheet. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else.

5. Eventbrite. I use Eventbrite to sell tickets to workshops, conferences and other events. When someone purchases a ticket (including a free ticket) to a workshop, conference or other event, Eventbrite sends certain automated emails (such as order confirmations and event reminders) and holds name and email data provided by the buyer for the purposes of completing the transaction. This is standard practice for purchasing online. I only use this data for communicating essential information with the buyer, such as venue changes, joining instructions, cancellations etc. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If any participant wants to hear details of new workshops, they must actively sign up to a separate double opt-in mailing list that includes the required GDPR consents.

6. Basecamp. Basecamp is a project management site. I use it to share PDF resources with workshop participants, and it is also useful for communicating joining instructions and answers to follow-up questions with a group. Users need to enter a name, email address and password to access the service. These are only used for the purposes of delivering the workshop and related resources. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If any participant wants to hear details of new workshops, they must actively sign up to a separate double opt-in mailing list that includes the required GDPR consents.

7. WordPress comments. The Get Up to Speed website is built on WordPress, a popular Content Management System (CMS). One feature is the ability for blog readers to submit comments on blog posts. In order to post a comment underneath a blog post, a reader will need to supply a name and email address. They may optionally supply a web address, which their name will link to. Their email address is not shown publicly, but can be seen by an Administrator (me) in the back end of the website. It will not be shared with anyone, harvested or used for marketing purposes. It is solely for the purpose of verifying someone’s identity as a commenter. If a comment is approved, it will appear with the name supplied, which will link to any web address supplied.

8. PayPal. If someone buys something from me through PayPal (this may include Eventbrite tickets or PDF ebooks), the email address that they use for their PayPal account is held by PayPal and visible by me. I would only ever use this email address to contact the buyer about an issue with their order, such as a refund for a cancelled workshop. This is standard practice for purchasing online. These emails are used for transactional purposes only, relating to specific orders, and not used for marketing or any other purpose.

7. Consent

I have taken steps to refresh consents. On 22 May 2018 I contacted all my Get Up to Speed MailChimp subscribers with ‘re-confirmation’ emails, which invited people to re-consent to receive emails from me by updating their preferences. These now include check boxes for Marketing Permissions according to MailChimp’s new GDPR-compliant form fields. I included a link to this page in the emails, and a reminder that they can unsubscribe at any time. Only people who re-consent will be emailed in future; those on existing lists who do not re-consent will have all their data deleted from those lists.

I am doing this even though the original list was double opt-in and clear about the purpose of the list, because I want to ensure full compliance with the new GDPR regulations, because this list has previously been mailed infrequently (3-4 times per year), and because I only want people on my lists who absolutely, definitely want to hear from me.

Once someone has re-consented, I regard this consent as confirmed until the person asks me to remove the data, or until I run a new re-confirmation campaign. I have never harvested email addresses, nor would I. Anyone on my lists has actively opted in via a double opt-in list.

I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed in every email.

8. Children

Get Up to Speed is not aimed at children. It is aimed at readers (or potential readers) of my business book. To the best of my knowledge, the youngest people who read the book, engage with the site or sign up to mailing lists are higher-education students.

9. Data breaches

I have done everything I can to prevent this, by strongly password protecting my computers, MailChimp, Dropbox, Basecamp, Eventbrite and other accounts. I also use two-factor authentication where available, for example for MailChimp and Dropbox. If any of those organisations were compromised I would take steps to follow their advice immediately.

The only personal data that is held on the Get Up to Speed website itself is that of commenters (names, email addresses, comments). Email addresses are never visible to website visitors, and are only used in the ‘back end’ for administrative purposes. The blog is not currently very active, and there are very few comments. Any data breach would therefore be low-impact (and would only really impact me!).

The website is built on WordPress, a robust platform that has strong password protected logins and uses reCAPTCHA to deter automated software and bots. I keep WordPress updated to the latest version. Any hacking or other compromise to the site would also be immediately noticed by my hosting provider, who would alert me and advise me on steps to take.

10. Data Protection by Design and Data Protection Impact Assessments

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.

11. Data Protection Officers

I have appointed myself, Jon Reed, as the Data Protection Officer (DPO), in the absence of anyone else.

12. International

My lead data protection supervisory authority is the UK’s ICO.

Updates

This page will be updated from time to time. Please check back frequently to see any updates or changes to this GDPR Compliance Statement. If there are any substantial changes I will announce them by email, on social media and in a blog post.

Contact

Questions, comments and requests regarding this GDPR Compliance Statement are welcome, and should be addressed to privacy@getuptospeed.biz.

Further information

Please also read my Privacy Policy and Cookie Policy.
