I’m Jon Reed, the founder of Publishing Talk. I have read the Information Commissioner’s Office guidelines for compliance with the new EU General Data Protection Regulation (GDPR) rules, and this page explains how Publishing Talk complies.
This page is structured according to the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now” (this is a useful read if you’re grappling with GDPR yourself). In structuring this page I have also taken inspiration from Nicola Morgan’s GDPR Compliance Statement – which has been highlighted as a good example by the Society of Authors. This is particularly worth looking at if you are an author, sole trader or freelancer.
Who is this statement for?
If you have given me your email address (for example by emailing Publishing Talk, signing up to a mailing list, buying something from the Publishing Talk website or via a third-party fulfilment site such as Eventbrite or e-junkie, subscribing to the latest Publishing Talk blog posts via Feedburner, creating an account on Basecamp as a workshop participant, or signing up as ‘User’ of the website – i.e. as a Contributor), please read this to reassure yourself that I am looking after your data extremely responsibly.
Publishing Talk is a blog, and a trading name of my business, Reed Media Limited, a company registered in England and Wales No. 5696728, whose registered address is: Reed Media Ltd, KD Tower, Plaza Suite 9, Cotterells, Hemel Hempstead, Herts, HP1 1FW, UK. I am the sole director of the company, and there is no one else in my organisation to make aware.
I do not have any staff, colleagues, associates or freelancers who have access to my website data, email lists or any of my passwords.
I have one highly trusted occasional freelance website developer who is granted access to the Publishing Talk website and code as and when necessary for updates or development work. This is rare – in practice I do most development work myself, and I haven’t used him for several years. But there may be occasions in the future when I will need his help. He is a professional web designer and fully aware of GDPR and its impact.
I have one highly trusted associate consultant, with whom I occasionally work on Reed Media consultancy projects (but not Publishing Talk). He is an experienced digital media professional, and fully aware of GDPR and its impact.
2. The information I hold
1. Regular email. Email addresses of people who have emailed me and to whom I have replied. These are automatically saved in Apple Mail, the program I use to access my emails.
2. MailChimp. Email addresses, names and any self-identified descriptors (e.g. “author”, “publisher”), self-identified interests (e.g. “writing”, “getting published”, “marketing”) or PDFs downloaded when they signed up (e.g. “Twitter Cheat Sheet”) of people who have signed up to my mailing list via opt-in links on the Publishing Talk website. These lists are held in MailChimp. All my mailing lists are double opt-in, meaning that, after someone signs up, they get an email asking them to confirm that they really did sign up before any further emails are sent. They are also all GDPR compliant, with tick boxes for ‘Marketing Permissions’ and the ability to segment lists to email only those who have given their explicit permission for email marketing.
3. Feedburner. Email addresses of people who have subscribed to the Publishing Talk blog feed via Feedburner. This is a service provided by Google which enables people to get the latest blog posts of a particular blog via email. It’s delivered via the RSS feed of my blog. In theory, I can log into Feedburner and see email addresses of people who have subscribed this way. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else.
4. Paper.li. Email addresses of people who have subscribed to paper.li newsletters. I use paper.li to generate automated online newspapers that are then shared on Twitter, including The Publishing Talk Daily, The #WriterWednesday Weekly and #HowToGetPublished Weekly. People may subscribe to receive these newsletters by email if they wish. This is a service provided by paper.li. I can, in theory, log into paper.li and download email addresses of people who have subscribed this way to a spreadsheet. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else.
5. Eventbrite. Email addresses and names of people who have bought tickets using Eventbrite. I use Eventbrite to sell tickets to workshops, conferences and other events. When someone purchases a ticket (including a free ticket) to a workshop, conference or other event, Eventbrite sends certain automated emails (such as order confirmations and event reminders) and holds name and email data provided by the buyer for the purposes of completing the transaction. This is standard practice for purchasing online. I only use this data for communicating essential information with the buyer, such as venue changes, joining instructions, cancellations etc. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If workshop participants want to hear from me after an event they attend, they will need to sign up to a MailChimp mailing list.
6. Basecamp. Names, email addresses and passwords of people who have created an account and logged into Basecamp to access PDF resources from a workshop. Passwords are not visible to me. This is purely to allow the account to be created, so the workshop participant can access the materials, and for purposes relating to the workshop itself, such as asking questions on a message board. I do not use this data for any other purpose outside the scope of the workshop. I might use it to contact the participant regarding any follow-up queries they may have, for example. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If workshop participants want to hear from me after an event they attend, they will need to sign up to a MailChimp mailing list.
7. WordPress Contributors. Names, email addresses, passwords and biographies of people who have registered with the Publishing Talk website as a Contributor. The email address and password is required by WordPress to register a User account. In practice, Contributors do not necessarily need to create an account, as this can be done in the back end by an Administrator (me), in which case I always use a randomly generated very strong password. Contributors can then simply send articles to me by email, e.g. as a Word document. Email addresses are also used to generate a picture of the Contributor next to their biography, where they use Gravatar. This is an optional feature – there is no requirement to use Gravatar – but it enhances the site to have a profile picture next to biographies. This is all done with the explicit consent of Publishing Talk Contributors, all of whom are personally known to me and have a working relationship with me as a guest blog contributor. Short contributor biographies are shared publicly on the site with the consent of the Contributor. They are written by Contributors themselves and submitted to me (often with edits by me, agreed with the Contributor), and can be amended and updated at any time – just email me (in fact, please do – I want to keep these up to date).
8. WordPress Comments. In order to post a comment underneath a blog post, you will need to supply a name and email address. You may optionally supply a web address, which your name will link to. Your email address is not shown publicly, but can be seen by an Administrator in the back end of the website. It will not be shared with anyone, harvested or used for marketing purposes. It is solely for the purpose of verifying your identity as a commenter. If your comment is approved, it will appear with the name you supply, which will link to any web address you have supplied. In addition, if you use Gravatar and have a profile image linked to the email address you supply, that profile image will show next to your comment.
9. PayPal. If someone buys something from me through PayPal (this may include Eventbrite tickets or PDF ebooks), the email address that they use for their PayPal account is held by PayPal and visible by me. I would only ever use this email address to contact the buyer about an issue with their order, such as a refund for a cancelled workshop. This is standard practice for purchasing online. These emails are used for transactional purposes only, relating to specific orders, and not used for marketing or any other purpose.
10. Social Media. We can see information from social media activity such as when you ‘like’ our Facebook page, join our LinkedIn group or follow us on Twitter. But we do not record, store or harvest this information, or use it for any purpose other than engaging with you on social media. This data is held by the respective social networks you are a member of, and you should familiarize yourself with their privacy settings and policies.
With the exception of publicly visible Contributor names and biographies on bylines, provided with explicit consent by Contributors, and commenter names and websites voluntarily provided, none of this information is shared with anyone.
No email addresses are shared with anyone. We hate spam, and will not send you any unsolicited marketing. We will only send you emails or other marketing messages where you have signed up to receive these. Marketing emails you have signed up to will always include an ‘unsubscribe’ link, should you decide that you no longer wish to receive them.
3. Communicating privacy information
I am taking eight steps:
- I have put this page on the Publishing Talk website, and will add a link from sign-up forms for new subscribers.
- I will write a blog post about the importance of GDPR. This post will link to this page.
- I will add a link to my email signature.
- I will add a link to the Publishing Talk Contact page.
- I will add a link to the footer of the Publishing Talk website.
- I will share a link to this page on key Publishing Talk social media accounts, including Twitter, Facebook and LinkedIn.
- I contacted my MailChimp database on 21 May 2018 with a ‘re-confirmation’ email, which invited people to re-consent to receive emails from me by updating their preferences, which now include check boxes for Marketing Permissions according to MailChimp’s new GDPR-compliant form fields. I included a link to this page in the emails. I also sent out a final reminder to non-consented subscribers on 24 May 2018, again with a link to this page.
- In every email I remind people of what they signed up to and how they signed up, and alert them to any changes (for example there is now a monthly update). I also include an ‘unsubscribe’ link in every email and remind them that they can unsubscribe at any time and their data will be deleted.
4. Individuals’ rights
- On request, I will delete data.
- If someone asked to see their data, I would take a screenshot of their entry/entries.
- If someone unsubscribes themselves from a MailChimp list, I will delete their data.
- Contributors can see their biographies on the website, and can email me corrections and updates any time. I will aim to update this on the site within 48 hours.
5. Subject access requests
I will aim to respond to all requests within 48 hours.
6. Lawful basis for processing data
1. Regular emails. If people have emailed me, they have given me their email address. I do not actively add it to a list but Apple Mail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
2. MailChimp email lists. MailChimp is the email service provider I use for email marketing. It is GDPR compliant. All my email signup forms have specific GDPR consent boxes provided by MailChimp. If people have opted into my MailChimp lists they have actively opted in, as all my lists are double opt-in. Subscribers do so in the knowledge that they will receive the following:
- For old mailing lists (pre-25 May 2018), including those where people have signed up in order to download a free PDF resource – occasional (4-6 times a year) updates with occasional bits of news, recent blog posts they may have missed, and details of new resources and courses that may be of interest. These mailing lists are currently being consolidated and replaced by a new single Publishing Talk Newsletter list as part of my GDPR re-confirmation campaign. All existing subscribers were emailed before 25 May 2018 with an explanation of the changes, what they need to do to re-consent, a reminder they can unsubscribe any time, and a link to this page. Only people who have re-consented will be emailed in future; those on existing lists who do not re-consent will have all their data deleted from those lists.
- For the consolidated Publishing Talk Newsletter list, I will aim for a newsletter every month or so with latest news about what I’m up to with Publishing Talk, useful tips for writers, an update of recent blog posts, and any new resources and courses from Publishing Talk that may be of interest. Full details on content and frequency can be found on the Publishing Talk Newsletter signup form hosted by MailChimp. This form is GDPR compliant, and includes check boxes for marketing preferences. If the content and/or frequency of this newsletter changes, the details will be reflected on the signup form, and included in an email to existing subscribers. Every email will include a link to unsubscribe, and a link to edit preferences.
- A new Publishing Talk Editorial Advisory Board email list is in development. This is solely for subscribers to a new Publishing Talk Patreon page (forthcoming) – which aims to help us develop new resources for authors. This list will be used primarily to consult those who have actively chosen to subscribe (by first becoming a Patron and then by signing up to the double opt-in list) on editorial priorities and direction for Publishing Talk. This is to help us develop the site and its resources in a way that most benefits the Publishing Talk community. We will occasionally send out surveys to this list, including using services such as SurveyMonkey. This list is intended for editorial input and market research rather than marketing per se – although emails will include details of latest Publishing Talk resources. Emails are likely to be every couple of months.
All existing subscribers were emailed on 21 May 2018 with an explanation of the changes, what they need to do to re-consent, a reminder they can unsubscribe any time, and a link to this page. A final reminder was also sent to non-consented subscribers on 24 May 2018. Only people who re-consent will be emailed in future; those on existing lists who do not re-consent will be unsubscribed from those lists and will receive no further emails, unless they choose to re-subscribe at a future date.
From 25 May 2018, subscribers to Publishing Talk MailChimp email lists will ONLY be emailed if they have actively checked the ‘Email’ box in the Marketing Preferences section of MailChimp’s new GDPR compliant signup forms. MailChimp provides email list segmentation tools to enable this.
For new subscribers, if they sign up to an email list (say, to download a PDF ebook or other free resource) but do NOT check the ‘Email’ box under Marketing Preferences, not only will they NOT be emailed again (beyond an automated link to the download they have explicitly requested), they will be unsubscribed from the list within one year, and usually within three months. This gives ample time for the subscriber to update their preferences if they wish. A list-cleaning exercise to remove any non-consented subscribers will take place around 25 May each year regardless.
3. Feedburner. People can subscribe to receive the latest Publishing Talk blog posts using a Google service called Feedburner. This uses the Publishing Talk website’s RSS feed to email those who have signed up to receive the blog feed in this way. This is a double opt-in procedure, and there is an ‘unsubscribe’ link in every email sent. In theory, I can log into Feedburner and see email addresses of people who have subscribed this way. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else.
4. Paper.li. People can subscribe by email to receive the latest Publishing Talk paper.li online newspapers, including The Publishing Talk Daily, The #WriterWednesday Weekly and #HowToGetPublished Weekly. This is a service provided by paper.li. There is an ‘unsubscribe’ link in every email sent. I can, in theory, log into paper.li and download email addresses of people who have subscribed this way to a spreadsheet. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else.
5. Eventbrite. I use Eventbrite to sell tickets to workshops, conferences and other events. When someone purchases a ticket (including a free ticket) to a workshop, conference or other event, Eventbrite sends certain automated emails (such as order confirmations and event reminders) and holds name and email data provided by the buyer for the purposes of completing the transaction. This is standard practice for purchasing online. I only use this data for communicating essential information with the buyer, such as venue changes, joining instructions, cancellations etc. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If any participant wants to hear details of new workshops, they must actively sign up to a separate double opt-in mailing list that includes the required GDPR consents.
6. Basecamp. Basecamp is a project management site. I use it to share PDF resources with workshop participants, and it is also useful for communicating joining instructions and answers to follow-up questions with a group. Users need to enter a name, email address and password to access the service. These are only used for the purposes of delivering the workshop and related resources. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If any participant wants to hear details of new workshops, they must actively sign up to a separate double opt-in mailing list that includes the required GDPR consents.
7. WordPress. The Publishing Talk website is built on WordPress, a popular Content Management System (CMS). One feature is the ability to add ‘Users’ with different permissions levels. Since Publishing Talk is a multi-author blog, with multiple guest contributors, there are many users, most of whom are at Contributor level (meaning a contribution needs to be edited and approved by an Administrator – me – before publication). A name and email address is required to set up a new user account. Email addresses are never shared with anyone, and are not publicly visible on the site. They are used only for account creation and to automatically generate an image of the Contributor where they have (optionally) added one to Gravatar (a separate third-party service). Contributors are asked to submit a short biography for their bylines. Their names and biographies are publicly visible on the site, and given by the Contributor with their explicit consent. (Indeed, they WANT their names and biogs to be on the site, as it helps promote them, their book, company or service!)
8. PayPal. If someone buys something from me through PayPal (this may include Eventbrite tickets or PDF ebooks), the email address that they use for their PayPal account is held by PayPal and visible by me. I would only ever use this email address to contact the buyer about an issue with their order, such as a refund for a cancelled workshop. This is standard practice for purchasing online. These emails are used for transactional purposes only, relating to specific orders, and not used for marketing or any other purpose.
9. E-junkie. If people bought a PDF ebook or magazine from the Publishing Talk website in the past, I no longer hold that data. It has been deleted. Their email addresses were saved in transaction logs on third-party order fulfilment site e-junkie.com; and an Excel spreadsheet generated by e-junkie and saved by me on my password-protected computer for the purposes of filing my accounts. Any identifying data such as email addresses were then removed from these spreadsheets. Since there are not currently any PDF ebooks or magazines for sale on the Publishing Talk website, and since I deleted my inventory on e-junkie in February 2015, e-junkie holds no data on these historic transactions, and neither do I. I may use e-junkie again in the future, or another third-party fulfilment site – in which case I will update this document to reflect this.
I have taken steps to refresh consents. On 21 May 2018 I contacted all my Publishing Talk MailChimp subscribers with ‘re-confirmation’ emails, which invited people to re-consent to receive emails from me by updating their preferences. These now include check boxes for Marketing Permissions according to MailChimp’s new GDPR-compliant form fields. I included a link to this page in the emails, and a reminder that they can unsubscribe at any time. I also sent a final reminder to non-consented subscribers on 24 May 2018, again with a link to this page.
Only people who re-consent will be emailed in future. Those on existing lists who do not re-consent will have all their data deleted from those lists.
I am doing this even though the original list was double opt-in and clear about the purpose of the list, because I want to ensure full compliance with the new GDPR regulations, because this list has previously been mailed infrequently (4-6 times per year), and because I only want people on my lists who absolutely, definitely want to hear from me.
Once someone has re-consented, I regard this consent confirmed until the person asks me to remove the data, or until I run a new re-confirmation campaign. I have never harvested email addresses, nor would I. Anyone on my lists has actively opted in via a double opt-in list.
I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed in every email.
Publishing Talk is not aimed at children. To the best of my knowledge, the youngest people who engage with the site or sign up to mailing lists are higher-education students on Publishing or Creative Writing courses.
9. Data breaches
I have done everything I can to prevent this, by strongly password protecting my computers, MailChimp, Dropbox, Basecamp, Eventbrite and other accounts. I also use two-factor authentication where available, for example for MailChimp and Dropbox. If any of those organisations were compromised I would take steps to follow their advice immediately.
The only personal data that is held on the Publishing Talk website itself is that of Contributors (usernames, passwords, names, email addresses, biographies) and commenters (names, email addresses, comments). Email addresses are never visible to website visitors, and are only used in the ‘back end’ for administrative purposes. In the event of a data breach, I would alert Contributors and reset passwords.
The website is built on WordPress, a robust platform that has strong password protected logins and uses reCAPTCHA to deter automated software and bots. I keep WordPress updated to the latest version. Any hacking or other compromise to the site would also be immediately noticed by my hosting provider, who would alert me and advise me on steps to take.
10. Data Protection by Design and Data Protection Impact Assessments
11. Data Protection Officers
I have appointed myself, Jon Reed, as the Data Protection Officer (DPO), in the absence of anyone else.
My lead data protection supervisory authority is the UK’s ICO.
This page will be updated from time to time. Please check back frequently to see any updates or changes to this GDPR Compliance Statement. If there are any substantial changes I will announce them by email, on social media and in a blog post.
Questions, comments and requests regarding this GDPR Compliance Statement are welcome, and should be addressed to firstname.lastname@example.org.