Your information and privacy

A new set of rules and regulations came into effect in May 2018. Rules and regulations that are designed to help protect your privacy and to control who has access to your personal information.

Today we are talking more about those rules.

Before you groan and close down the browser, please bear this in mind:

These rules are here for your protection.

And…

You now have more rights available to help you control access to your data

This is a good thing.

So, today, let’s look at some of these new rules, what it means for you, and what I have done/will be doing to make sure your information is safe.

Jump to:

GDPR

The General Data Protection Regulations (GDPR) are the EU-wide rules that came into effect on 25 May 2018.

As an individual, if you’re dealing with a business, website, or organisation within the EU then these regulations protect you.

Not only that, if you’re dealing with a non-EU business or website but you are an EU citizen, then these regulations still protect you.

Your rights

As an individual, you have new or improved rights, when it comes to your personal information:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

The right to be informed

You need to be told about who is collecting your personal data, why they are doing it, what they will do with it, who it will be shared with, and for how long it will be kept.

You must be told this at the point your data is collected.

On my website I have a Privacy Policy that is available at the bottom of every page. This tells you what personal data I might collect while you are visiting my website. Here on www.jonstubbington.com I have also added markers within the website highlighting when some of your personal data could be collected.

There is additional information further down this article about what sorts of things I collect via this website.

If you choose to do business with me, I will let you know about the information I will be collecting in order for us to carry out that business contract.

The right of access

You have to be allowed access to your personal data so that you are aware of what is held by any business or organisation, and so you can verify the lawfulness of the processing.

This has to be provided free-of-charge, within one month of you requesting it.

If you want to know what data I hold about you, please email me at jon@jonstubbington.com, requesting a report on your personal data. Alternative contact options are available here.

The right to rectification

If any of the personal data I hold about you is wrong, or is incomplete, you have the right to ask for this to be corrected.

Generally, this should be corrected free-of-charge, within one month of you requesting it.

If you think I have any of your details wrong and you need them to be corrected, please email me at jon@jonstubbington.com. Alternative contact options are available here.

The right to erasure

All EU individuals are now provided with access to 80s synthpop duo Andy Bell and Vince Clarke.

Or… if you would like the more prosaic version, you now have the right to have your personal data removed (erased). This is also known as “The right to be forgotten”.

In reality, businesses may refuse to delete your data if there is a valid reason for keeping it. For example, I need to keep certain records for up to 7 years in order to meet my tax reporting requirements. As such, I cannot delete it, even if you ask me to. You still have the right to make this request, of course, and businesses must comply if there is no reason for them to keep your personal data any longer.

If you would like to make a request to have your personal data deleted, please email me at jon@jonstubbington.com. Alternative contact options are available here.

The right to restrict processing

This is an alternative to erasing your data. You can request that a business retains your personal data but stops processing it.

“Processing” means whatever it is that the business does with your data. This will vary from business-to-business, and should have been laid out clearly for you under your right to be informed about why your personal data is being held and how a business plans to use it.

Restrictions are usually put in place for a temporary period.

If you would like to make a request to have your personal data restricted, please email me at jon@jonstubbington.com. Alternative contact options are available here.

The right to data portability

This one doesn’t really apply to me or my services.

It does apply where you have given a business or organisation your permission for them to process your information and they do this in an automated way. This right allows you to request that all your personal data be downloaded so that you can give it to another organisation. Or, if it’s technically possible, for that data to be transferred straight to the other organisation.

This could apply, perhaps, if you were switching mobile phone providers and you wanted all your data downloaded so it could be passed to your new phone provider.

The right to object

Even after you have given your permission for a business or organisation to start collecting and using your personal data, you still have the right to object at any time.

This is particularly relevant when it comes to direct marketing. If you have given your permission for a business to contact you with marketing material, you can object to this at any time in the future. That business must comply with your request straightaway.

If you are in receipt of marketing material from me and would like to be removed from my mailing lists, please email me at jon@jonstubbington.com. Alternative contact options are available here.

Automated decision making

This one doesn’t really apply to me or my services.

It applies where a business is making automated decisions about you (approving or declining something, for example) or is using the data it holds about you to profile you in some way.

Data I hold because you visited my website

By visiting my website you are potentially allowing certain personal information to be collected. This is true of most websites you visit.

Cookies

Cookies consist of portions of code installed in your browser to help make the website work and to provide services. All websites are required to warn you about these when you first visit and you have the option to not allow cookies to be stored on your computer.

My Cookie Policy is available at the bottom of every page. This includes information about how you can set your browser preferences to help control whether cookies are stored or not.

Google Analytics

Like many websites, I use Google Analytics in order to monitor and analyse the visitors that come to my website. This helps me to work out which sections of the site people are responding to and which bits they don’t like.

I am not allowed to provide any personal information about you to Google as part of this service.

Under the new GDPR rules, the definition of personal information has been expanded to also include your IP address (the internet address of your computer). To make sure this information is not collected, my websites automatically alter the information they collect to make your IP address anonymous. Therefore, you can be reassured that no personal information about you is collected or passed to Google as part of the analytics I run on my websites.

Other websites should also be taking these precautions if they are using Google Analytics. You are also able to install a Google tool that stops Google Analytics working on any website you visit.

Other tools on my website

In order to give you a better experience when using my website, I have various tools installed. For example, if you want to leave a comment under a blog post then there is a facility to do that. Please be aware that these tools often collect personal information about you. In the example of a comment, your name and possibly your WordPress.com username (if applicable) will be collected and both stored by my website and displayed to other users.

Privacy Policy

My website Privacy Policy is available at the bottom of every page on www.jonstubbington.com.

These policies lay out in more detail the different tools that are used on my website and how they can collect information from you. If you continue to interact with my website then please be aware that some personal information about you may be being collected and used, as explained in the Privacy Policy.

Data I have access to through other websites

I do not control the data that is entered into or collected through other websites.

If we communicate via Facebook, for example, then our use of the Facebook website and app is governed by Facebook’s Privacy Policy.

Sometimes, I have access to your personal information in order to complete a business transaction. For example, if you buy one of my prints through my Etsy shop, then your use of the Etsy website is governed by Etsy’s Privacy Policy. However, in order to post your print to you, I am provided with your name and address information. If you have an Etsy account, I am also given your Etsy username so we can message each other if necessary.

Where I am given this information, I am required to keep it safe and secure and to use it in accordance with the GDPR rules. I am also only allowed to use your personal information to carry out that particular transaction. This means that I cannot take your address and use it to send you marketing material about me and my products. I can only use it to send you the print that you have ordered.

Data I hold because we are working together

If I am working on something with you or for you, then I will collect and hold some information about you.

This is to allow me to complete the work for you, and to allow me to meet my obligations as far as holding appropriate business records.

As a minimum I will record your name and email address so that we can communicate about this order. In most cases, I will also record your address information, so that I can correctly identify which country you live in and so that I can post any physical items to you (where appropriate).

This information is gathered using the “lawful basis for processing contracts”. This means that you have asked me to provide a quote for work or we have entered into an agreement for me to do work for you, and I need this information in order to fulfil that agreement.

It also means that I will only use your information in order to fulfil that agreement. I will not use your information for other purposes, such as signing you up to a mailing list.

How long will I keep information about you?

In most cases, I will keep hold of your information for six years after the end of the current tax year. This is so that I can meet my obligations here in the UK for holding business records for tax purposes. After that time, your information will be removed.

Where is your information kept?

This section has been updated in December 2020 as the UK leaves the European Union. It also reflects the invalidation of the EU-US Privacy Shield.

In most cases, you have to give explicit consent before your personal information can be transferred outside of the EEA. From 2021, the UK is outside of the EEA. If you are in the EEA, please bear that in mind if you choose to send me your personal data.

Most of my records are held within the UK and will not be transferred outside of the UK, with the exception of my email records and invoices.

  • My websites are hosted by a company called Kualo using servers located within the UK
  • My own records are held on a computer and backup drive physically located within the UK
  • They are also backed up to an online cloud service supplied by Amazon Web Services that is located within the UK
  • My email records are held within Gmail, which does transfer and store information outside of the UK (see below)
  • I have stopped using Mailchimp to send my newsletters as they are located outside of the EEA – all my subscriber data has been deleted from their systems
  • I use Paypal to process my invoices and to collect payments – Paypal’s systems are located outside the UK – Please see the section below for more information about Paypal and your data

It is possible to pass information out of the EEA where appropriate permissions have been given and precautions are in place. Google’s G Suite, which includes the Gmail email service I use, used to be certified under the EU-US Privacy Shield framework as meeting specific safeguarding requirements. The EU had stated that data can only be transferred to the US (without needing to obtain your explicit consent) when the receiving company is certified under the Privacy Shield framework.

However, the Privacy Shield was invalidated in July 2020 by the Court of Justice of the Europe Union and it is no longer possible to rely on the framework when transferring data outside of the UK (or EEA).

“The reasoning behind this decision is that the current level of protection given to personal data under US law cannot be considered to be equivalent to that provided by the GDPR. This is largely due to US surveillance programs and the lack of an adequate remedy for EU users.”

www.iubenda.com

Instead, Google have moved to rely on Standard Contractual Clauses with their users – an alternative provision for allowing transfers outside of the EEA – and this is what I am relying on when using the G Suite email system (and, consequently, when your email data is transferred to Google’s overseas servers).

With that being said, please still think carefully about what information you are including when you email me, as email is not a secure form of communication.

How is it kept secure?

  • My website data is secured using passwords and both sites are protected by Wordfence monitoring and safeguards
  • My website hosting company employ a range of protection measures to prevent attacks on my websites
  • You can read more about other web security measures in this blog post
  • My own records (including the physical and online backups) are encrypted and password protected
  • My computer system and network is protected by the usual firewalls and virus protection software
  • My email records are protected by 2-factor authentication, as well as Google’s built-in protections and encryption
  • Paper copies of any records are held in a locked file

Paypal

I normally use Paypal to process payments. When you pay me via Paypal you are subject to Paypal’s privacy policy.

In order to prepare an invoice for you, I need to add your name and contact information into Paypal. Because Paypal’s servers are located around the world any information entered into Paypal may be transferred outside of the EEA. Because of this, I need your explicit consent before I provide your information to Paypal so that an invoice can be prepared.

You will need to confirm to me that you are happy for me to provide your name and email information to Paypal for the purposes of preparing an invoice. Or, if not, please let me know so that we can discuss alternative payment options.

In conclusion

These new rules are here to help.

Yes, there’s a lot to take in. But you should be reassured that businesses and organisations – like mine – are required to take steps to comply with these new rules. If we don’t, there are significant punishments that can be handed out.

Make sure you understand your new rights and use them when necessary. And if you have any questions about what I’m doing with your data, please get in touch via jon@jonstubbington.com.

I am not a regulatory compliance expert. The information in this post is my understanding of the new regulations based on the preparatory work I have done to make sure my business is ready for GDPR. If you are a business, please make sure you carry out your own research and preparations. If you are an individual and would like to know more about your rights, I recommend visiting the Information Commissioner’s Office website.