I’m Jon Reed, the founder and sole company director of Reed Media. I have read the Information Commissioner’s Office guidelines for compliance with the new EU General Data Protection Regulation (GDPR) rules, and this page explains how Reed Media complies.
This page is structured according to the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now” (this is a useful read if you’re grappling with GDPR yourself). In structuring this page I have also taken inspiration from Nicola Morgan’s GDPR Compliance Statement – which has been highlighted as a good example by the Society of Authors. This is particularly worth looking at if you are an author, sole trader or freelancer.
Who is this statement for?
If you have given me your email address (for example by emailing Reed Media, signing up to a mailing list, buying a ticket to a workshop via Eventbrite, subscribing to the latest Reed Media blog posts via Feedburner, creating an account on Basecamp as a workshop participant, or signing up as a WordPress ‘User’ of the website), or if we have ever built a website for you, please read this to reassure yourself that I am looking after your data extremely responsibly.
Reed Media Limited is a company registered in England and Wales No. 5696728, whose registered address is: Reed Media Ltd, KD Tower, Plaza Suite 9, Cotterells, Hemel Hempstead, Herts, HP1 1FW, UK. I am the sole director of the company, and there is no one else in my organisation to make aware.
I do not have any staff, colleagues, associates or freelancers who have access to my website data, email lists or any of my passwords. I have one highly trusted associate consultant, with whom I occasionally work on consultancy projects. He is an experienced digital media professional, and fully aware of GDPR and its impact.
2. The information we hold
1. Regular email. Email addresses of people who have emailed us and to whom we have replied. These are automatically saved in the programs we use to access our emails, such as Apple Mail.
2. MailChimp. Email addresses, names, any self-identified descriptors such as the sector you work in (e.g. “charity”, “education”, “publishing”) and the size of your organization (e.g. “sole trader”, “2-10 employees”), and any PDFs downloaded at sign-up (e.g. “Create a Social Media Marketing Plan”), for people who have signed up to our mailing list via opt-in links on the Reed Media website. These lists are held in MailChimp. All our mailing lists are double opt-in, meaning that, after someone signs up, they get an email asking them to confirm that they really did sign up before any further emails are sent.
We also have two other websites with MailChimp email lists. These are covered by separate GDPR Compliance Statements and Privacy Policies. Please see Publishing Talk and Get Up to Speed with Online Marketing for details.
3. Clients. We may keep details of current clients – names, email addresses, company you work for, and projects we have worked on – on a spreadsheet. This may also include notes such as the last contact we had with you. This is purely for the purpose of helping us to keep track of projects and provide a good service to you. We do not add these email addresses to marketing lists, or use them to contact you about anything unrelated to our current or future work for you.
4. Feedburner. Email addresses of people who have subscribed to the Reed Media blog feed via Feedburner. This is a service provided by Google which enables people to get the latest blog posts of a particular blog via email. It’s delivered via the RSS feed of our blog. In theory, I can log into Feedburner and see email addresses of people who have subscribed this way. In practice, I never do, nor would we ever harvest emails from this list to email subscribers about anything else.
5. Eventbrite. We use Eventbrite to sell tickets to workshops, conferences and other events. When someone purchases a ticket (including a free ticket) to a workshop, conference or other event, Eventbrite sends certain automated emails (such as order confirmations and event reminders) and holds name and email data provided by the buyer for the purposes of completing the transaction. This is standard practice for purchasing online. We only use this data for communicating essential information with the buyer, such as venue changes, joining instructions, cancellations etc. We may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If workshop participants want to hear from us after an event they attend, they will need to sign up to a MailChimp mailing list.
6. Basecamp. Names, email addresses and passwords of people who have created an account and logged into Basecamp to access PDF resources from a workshop. Passwords are not visible to me. This is purely to allow the account to be created, so the workshop participant can access the materials, and for purposes relating to the workshop itself, such as asking questions on a message board. I do not use this data for any other purpose outside the scope of the workshop. I might use it to contact the participant regarding any follow-up queries they may have, for example. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If workshop participants want to hear from me after an event they attend, they will need to sign up to a MailChimp mailing list.
7. WordPress Contributors. Names, email addresses, passwords and biographies of people who have registered with the Publishing Talk website as a Contributor. This only applies to associate consultants with whom I work closely (currently only one!), who may also contribute blog posts to the site.
8. WordPress Comments. In order to post a comment underneath a blog post, you will need to supply a name and email address. You may optionally supply a web address, which your name will link to. Your email address is not shown publicly, but can be seen by an Administrator in the back end of the website. It will not be shared with anyone, harvested or used for marketing purposes. It is solely for the purpose of verifying your identity as a commenter. If your comment is approved, it will appear with the name you supply, which will link to any web address you have supplied.
9. PayPal. If someone buys something from us through PayPal (such as Eventbrite tickets), the email address that they use for their PayPal account is held by PayPal and visible to me. I would only ever use this email address to contact the buyer about an issue with their order, such as a refund for a cancelled workshop. This is standard practice for purchasing online. These emails are used for transactional purposes only, relating to specific orders, and not used for marketing or any other purpose.
10. Social Media. We can see information from social media activity such as when you ‘like’ our Facebook page, join our LinkedIn group or follow us on Twitter. But we do not record, store or harvest this information, or use it for any purpose other than engaging with you on social media. This data is held by the respective social networks you are a member of, and you should familiarize yourself with their privacy settings and policies.
With the exception of publicly visible Contributor names and biographies on blog post bylines, provided with explicit consent by any Contributors, and commenter names and websites voluntarily provided, none of this information is shared with anyone.
No email addresses are shared with anyone. We hate spam, and will not send you any unsolicited marketing. We will only send you emails or other marketing messages where you have signed up to receive these. Marketing emails you have signed up to will always include an ‘unsubscribe’ link, should you decide that you no longer wish to receive them.
3. Communicating privacy information
I am taking eight steps:
- I have put this page on the Reed Media website, and will add a link from sign-up forms for new subscribers.
- I will write a blog post about the importance of GDPR. This post will link to this page.
- I have added a link to my email signature and requested that any associates who use a Reed Media email address do so.
- I have added a link to the Reed Media Contact page.
- I have added a link to the footer of the Reed Media website.
- I will share a link to this page on key Reed Media social media accounts, including Twitter, Facebook and LinkedIn.
- Before 25 May 2018 I will contact our MailChimp database with a ‘re-confirmation’ email, which will invite people to re-consent to receive emails from me by updating their preferences, which now include check boxes for marketing preferences according to MailChimp’s new GDPR-compliant form fields. I will include a link to this page in the emails.
- In every email I remind people of what they signed up to and how they signed up, and alert them to any changes (for example that there is now a monthly update). I also include an ‘unsubscribe’ link in every email and remind them that they can unsubscribe at any time and their data will be deleted.
4. Individuals’ rights
- On request, I will delete data.
- If someone asked to see their data, I would take a screenshot of their entry/entries.
- If someone unsubscribes themselves from a MailChimp list, their data is automatically deleted.
- Any blog Contributors can see their biographies on the website, and can email me corrections and updates any time. I will aim to update this on the site within 24 hours.
5. Subject access requests
I will aim to respond to all requests within 24 hours.
6. Lawful basis for processing data
1. Regular emails. If people have emailed us, they have given us their email address. We do not actively add it to a list, but Apple Mail (or other email software used to access emails) will save it. We will not add it to any database or spreadsheet unless someone asks us to or gives us explicit and detailed permission.
2. MailChimp email lists. MailChimp is the email service provider we use for email marketing. It is GDPR compliant. All our email signup forms have specific GDPR consent boxes provided by MailChimp, or are in the process of being updated to include them. If people have opted into our MailChimp lists they have actively opted in, as all our lists are double opt-in. Subscribers do so in the knowledge that they will receive the following:
- A free PDF ebook, Create a Social Media Marketing Plan
- Occasional updates about workshops, ebooks and other resources that may be of interest.
From 25 May 2018, subscribers to our MailChimp email lists will ONLY be emailed if they have actively checked the ‘Email’ box in the Marketing Preferences section of MailChimp’s new GDPR-compliant signup forms. MailChimp provides email list segmentation tools to enable this.
Pre-existing subscribers (before 25 May 2018) will have had a re-confirmation email (or two) sent to them before 25 May 2018. If they do not re-consent by ticking the new ‘Email’ box, their data will be deleted and they will receive no further emails, unless they choose to re-subscribe at a future date.
For new subscribers, if they sign up to an email list (say, to download a PDF ebook or other free resource) but do NOT check the ‘Email’ box under Marketing Preferences, not only will they NOT be emailed again (beyond an automated link to the download they have explicitly requested), they will be deleted from the list within one year, and usually within three months. This gives ample time for the subscriber to update their preferences if they wish. A list-cleaning exercise to remove any non-consented subscribers will take place around 25 May each year regardless.
3. Clients. It is a normal part of doing business, and a legitimate interest, to keep an ‘address book’ of active clients, and potential future ones. Our client lists are people with whom we have a relationship, a contract, or expect to have a contract. We may store details of names, email addresses and companies on a spreadsheet. We take steps to keep these secure, and would never harvest them for email campaigns (e.g. by adding them to MailChimp lists). Details of previous or current clients are kept for as long as we have a relationship with that client. Details of prospects are not kept long term, unless they subsequently become an active client and we maintain an ongoing relationship with them.
4. Feedburner. People can subscribe to receive the latest Reed Media blog posts using a Google service called Feedburner. This uses the Reed Media website’s RSS feed to email those who have signed up to receive the blog feed in this way. This is a double opt-in procedure, and there is an ‘unsubscribe’ link in every email sent.
5. Eventbrite. We use Eventbrite to sell tickets to workshops, conferences and other events. When someone purchases a ticket (including a free ticket) to a workshop, conference or other event, Eventbrite sends certain automated emails (such as order confirmations and event reminders) and holds name and email data provided by the buyer for the purposes of completing the transaction. This is standard practice for purchasing online. We only use this data for communicating essential information with the buyer, such as venue changes, joining instructions, cancellations etc. We may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If any participant wants to hear details of new workshops, they must actively sign up to a separate double opt-in mailing list that includes the required GDPR consents.
6. Basecamp. Basecamp is a project management site. We use it to share PDF resources with workshop participants, and it is also useful for communicating joining instructions and answers to follow-up questions with a group. Users need to enter a name, email address and password to access the service. These are only used for the purposes of delivering the workshop and related resources. We may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If any participant wants to hear details of new workshops, they must actively sign up to a separate double opt-in mailing list that includes the required GDPR consents.
7. WordPress. The Reed Media website is built on WordPress, a popular Content Management System (CMS). One feature is the ability to add ‘Users’ with different permissions levels. A name and email address is required to set up a new user account. Email addresses are never shared with anyone, and are not publicly visible on the site. They are used only for account creation. Contributor names and biographies are publicly visible on the site, and given by the Contributor with their explicit consent. This only applies to associate consultants with whom I work closely, and who contribute occasional posts to the site.
8. PayPal. If someone buys something from us through PayPal (such as Eventbrite tickets), the email address that they use for their PayPal account is held by PayPal and visible to me. I would only ever use this email address to contact the buyer about an issue with their order, such as a refund for a cancelled workshop. This is standard practice for purchasing online. These emails are used for transactional purposes only, relating to specific orders, and not used for marketing or any other purpose.
I am taking steps to refresh consents. Before 25 May 2018 I will contact our MailChimp database with a ‘re-confirmation’ email, which will invite people to re-consent to receive emails from me by updating their preferences. These now include check boxes for marketing preferences according to MailChimp’s new GDPR-compliant form fields. I will include a link to this page in the emails, and a reminder that they can unsubscribe at any time. Only people who re-consent will be emailed in future; those on existing lists who do not re-consent will have all their data deleted from those lists.
I am doing this even though the original list was double opt-in and clear about the purpose of the list, because I want to ensure full compliance with the new GDPR regulations, because this list has previously been mailed infrequently (4-6 times per year), and because I only want people on my lists who absolutely, definitely want to hear from me.
Once someone has re-consented, I regard this consent as confirmed until the person asks me to remove the data, or until I run a new re-confirmation campaign. I have never harvested email addresses, nor would I. Anyone on my lists has actively opted in via a double opt-in list.
I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed in every email.
Reed Media is not aimed at children. It is a business-to-business website.
9. Data breaches
I have done everything I can to prevent this, by strongly password protecting my computers, MailChimp, Dropbox, Basecamp, Eventbrite and other accounts. I also use two-factor authentication where available, for example for MailChimp and Dropbox. If any of those organisations were compromised I would take steps to follow their advice immediately.
The only personal data that is held on the Reed Media website itself is that of Contributors (usernames, passwords, names, email addresses, biographies) and commenters (names, email addresses, comments). Email addresses are never visible to website visitors, and are only used in the ‘back end’ for administrative purposes. In the event of a data breach, I would alert Contributors (currently only one, a close colleague!) and reset passwords.
The website is built on WordPress, a robust platform that has strong password protected logins and uses reCAPTCHA to deter automated software and bots. I keep WordPress updated to the latest version. Any hacking or other compromise to the site would also be immediately noticed by my hosting provider, who would alert me and advise me on steps to take.
10. Data Protection by Design and Data Protection Impact Assessments
11. Data Protection Officers
I have appointed myself, Jon Reed, as the Data Protection Officer (DPO), in the absence of anyone else.
My lead data protection supervisory authority is the UK’s ICO.
This page will be updated from time to time. Please check back frequently to see any updates or changes to this GDPR Compliance Statement. If there are any substantial changes I will announce them by email, on social media and in a blog post.
Questions, comments and requests regarding this GDPR Compliance Statement are welcome, and should be addressed to email@example.com.