GDPR COMPLIANCE STATEMENT FOR:
Christine M. Thomas,
I am an Independent Researcher with no staff or assistance and I am fully aware that the law is changing/has changed in May 2018.
I work with a Windows-based computer system consisting of two desktops and a laptop. All are password protected. No one else has access to, or uses, my office. I do not print enquiry emails or the results of research commissions unless specifically requested to do so by the person who has contacted me.
I am fully aware that family history related information is sensitive. The majority of my research involves building up background information on deceased British Expatriates who spent time in Hong Kong & China in the 19th and early 20th centuries (1842 – 1941).
2 INFORMATION I HOLD ON LIVING PERSONS
1) The names and email addresses of people who have contacted me and to whom I have replied. These arrive via BT Mail, Mail.com or Gmail and are downloaded/copied to my system.
2) Information sent to me by family researchers who have requested that I carry out research on their behalf.
3) The results of research applicable to individual commissions.
Names and email addresses of clients are deleted from my system one month after a research commission has been completed.
I never share clients' personal information with anyone else. I have never shared clients' personal information with anyone else.
3 COMMUNICATING PRIVACY INFORMATION
This document is on my website & blogs and will in future be included in all responses for research assistance.
4 INDIVIDUAL RIGHTS
If someone asks to see a copy of their data I will email it to them as a pdf document.
5 SUBJECT ACCESS REQUESTS
If someone should request details which I hold on them I can normally respond within 48 hours.
If I am abroad or crossing an ocean by ship then my response will be delayed until I have internet/wifi access.
I do not accept new commissions one month prior to leaving on long overseas trips because the law requires that if a request to delete is received then this must be actioned within 30 days.
6 LAWFUL BASIS FOR PROCESSING DATA
If a client contacts me requesting assistance then I need to have their name and email address in order to contact them with results. At no time will I impart this information to anyone else.
The only details I have access to via this method are clients' name and email address. I do not have access to clients' credit card or bank details.
I have never harvested or purchased email lists and will never do so.
As from 25 May 2018 anyone who submits an enquiry to me will be provided with a pdf copy of this statement and will be asked to confirm that they wish me to undertake research on their behalf.
I never accept research commissions from children.
I never accept research commissions which involve tracing living children.
9 DATA BREACHES
All my computers are password protected and provided with security/anti-virus software. If I was informed of a data breach in my system I would seek advice from appropriate experts on how it should be handled.
10 DATA PROTECTION BY DESIGN & DATA PROTECTION IMPACT ASSESSMENTS
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as guidance from the Article 29 Working Party.
11 DATA PROTECTION OFFICER
As I am an Independent Researcher this will have to be myself.
My lead data protection supervisory authority is UK ICO.
This has been written (to the best of my ability) after research into what is required from micro businesses in relation to GDPR.
23rd May 2018