GDPR Compliance Statement

I’m Jon Reed, the founder of Reed Media. I have read the Information Commissioner’s Office guidelines for compliance with the new EU General Data Protection Regulation (GDPR) rules, and this page explains how Publishing Talk complies.

This page is structured according to the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now” (a useful read if you’re grappling with GDPR yourself). In structuring this page I have also taken inspiration from Nicola Morgan’s GDPR Compliance Statement – which has been highlighted as a good example by the Society of Authors. This is particularly worth looking at if you are an author, sole trader or freelancer.

Who is this statement for?

If you have given me your email address (for example by emailing Reed Media, signing up to a mailing list, buying something from the Reed Media website or via a third-party fulfilment site such as Eventbrite or e-junkie, subscribing to the latest Reed Media blog posts via Feedburner, creating an account on Basecamp as a workshop participant, or signing up as ‘User’ of the website – i.e. as a Contributor), please read this to reassure yourself that I am looking after your data extremely responsibly.

1. Awareness

Reed Media Limited is a company registered in England and Wales No. 5696728, whose registered address is: Reed Media Ltd, 7 Bell Yard, London, WC2A 2JR, UK. I am the sole director of the company, and there is no one else in my organisation to make aware.

I do not currently have any staff, colleagues, associates or freelancers who have access to my website data, email lists or any of my passwords. If that changes in the future, I will update this statement.

2. The information I hold

1. Regular email. Email addresses of people who have emailed me and to whom I have replied. These are automatically saved in Apple Mail, the program I use to access my emails.

2. MailChimp. Email addresses, names and any self-identified descriptors (e.g. the sector you work in or size of your business) or PDFs downloaded when they signed up (e.g. “Create a Social Media Marketing Plan”) of people who have signed up to my mailing list via opt-in links on the Reed Media website. These lists are held in MailChimp. All my mailing lists are double opt-in, meaning that, after someone signs up, they get an email asking them to confirm that they really did sign up before any further emails are sent. They are also all GDPR compliant, with tick boxes for ‘Marketing Permissions’ and the ability to segment lists to email only those who have given their explicit permission for email marketing.

3. Feedburner. Email addresses of people who have subscribed to the Reed Media blog feed via Feedburner. This is a service provided by Google which enables people to get the latest blog posts of a particular blog via email. It’s delivered via the RSS feed of my blog. In theory, I can log into Feedburner and see email addresses of people who have subscribed this way. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else. This service is not currently active – but has been in the past.

4. Eventbrite. Email addresses and names of people who have bought tickets using Eventbrite. I use Eventbrite to sell tickets to workshops, conferences and other events. When someone purchases a ticket (including a free ticket) to a workshop, conference or other event, Eventbrite sends certain automated emails (such as order confirmations and event reminders) and holds name and email data provided by the buyer for the purposes of completing the transaction. This is standard practice for purchasing online. I only use this data for communicating essential information with the buyer, such as venue changes, joining instructions, cancellations etc. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If workshop participants want to hear from me after an event they attend, they will need to sign up to a MailChimp mailing list.

5. Basecamp. [Update: I no longer use Basecamp.] Names, email addresses and passwords of people who have created an account and logged into Basecamp to access PDF resources from a workshop. Passwords are not visible to me. This is purely to allow the account to be created, so the workshop participant can access the materials, and for purposes relating to the workshop itself, such as asking questions on a message board. I do not use this data for any other purpose outside the scope of the workshop. I might use it to contact the participant regarding any follow-up queries they may have, for example. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If workshop participants  want to hear from me after an event they attend, they will need to sign up to a MailChimp mailing list.

7. WordPress Contributors. Names, email addresses, passwords and biographies of people who have registered with the Reed Media website as a Contributor (currently only me!) The email address and password is required by WordPress to register a User account.

8. WordPress Comments. In order to post a comment underneath a blog post, you will need to supply a name and email address. You may optionally supply a web address, which your name will link to. Your email address is not shown publicly, but can be seen by an Administrator in the back end of the website. It will not be shared with anyone, harvested or used for marketing purposes. It is solely for the purpose of verifying your identity as a commenter. If your comment is approved, it will appear with the name you supply, which will link to any web address you have supplied. In addition, if you use Gravatar and have a profile image linked to the email address you supply, that profile image will show next to your comment.

9. PayPal. If someone buys something from me through PayPal (this may include Eventbrite tickets or PDF ebooks), the email address that they use for their PayPal account is held by PayPal and visible by me. I would only ever use this email address to contact the buyer about an issue with their order, such as a refund for a cancelled workshop. This is standard practice for purchasing online. These emails are used for transactional purposes only, relating to specific orders, and not used for marketing or any other purpose.

10. Social Media. We can see information from social media activity such as when you ‘like’ our Facebook page or follow us on Twitter. But we do not record, store or harvest this information, or use it for any purpose other than engaging with you on social media. This data is held by the respective social networks you are a member of, and you should familiarize yourself with their privacy settings and policies.

With the exception of publicly visible commenter names and websites voluntarily provided, none of this information is shared with anyone.

No email addresses are shared with anyone. We hate spam, and will not send you any unsolicited marketing. We will only send you emails or other marketing messages where you have signed up to receive these. Marketing emails you have signed up to will always include an ‘unsubscribe’ link, should you decide that you no longer wish to receive them.

3. Communicating privacy information

I am taking seven steps:

  1. I have put this page on the Reed Media website, and have added a link from sign-up forms for new subscribers.
  2. I have added a link to my email signature.
  3. I will add a link to the Contact page.
  4. I will add a link to the footer of the Reed Media website.
  5. I have shared a link to this page on key Reed Media social media accounts.
  6. I contacted my MailChimp database on 21 May 2018 with a ‘re-confirmation’ email, which invited people to re-consent to receive emails from me by updating their preferences, which now include check boxes for Marketing Permissions according to MailChimp’s new GDPR-compliant form fields. I included a link to this page in the emails. I also sent out a final reminder to non-consented subscribers on 24 May 2018, again with a link to this page.
  7. In every email I remind people of what they signed up to, how they signed up, alert them to any changes (for example there is now a monthly update). I also include an ‘unsubscribe’ link in every email and remind them that they can unsubscribe at any time and their data will be deleted.

 4. Individuals’ rights

  • On request, I will delete data.
  • If someone asked to see their data, I would take a screenshot of their entry/entries.
  • If someone unsubscribes themselves from a MailChimp list, I will delete their data.
  • (Any future) Contributors will be able to see their biographies on the website, and can email me corrections and updates any time. I will aim to update this on the site within 48 hours.

5. Subject access requests

I will aim to respond to all requests within 48 hours.

6. Lawful basis for processing data

1. Regular emails. If people have emailed me, they have given me their email address. I do not actively add it to a list but Apple Mail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.

2. MailChimp email lists. MailChimp is the email service provider I use for email marketing. It is GDPR compliant. All my email signup forms have specific GDPR consent boxes provided by MailChimp. If people have opted into my MailChimp lists they have actively opted in, as all my lists are double opt-in. Subscribers do so in the knowledge that they will receive occasional updates about ebooks, courses, resources and consultancy services.

All existing subscribers were emailed on 21 May 2018 with an explanation of the changes, what they need to do to re-consent, a reminder they can unsubscribe any time, and a link to this page. A final reminder was also sent to non-consented subscribers on 24 May 2018. Only people who re-consent will be emailed in future; those on existing lists who did not re-consent have been unsubscribed from those lists and will receive no further emails, unless they choose to re-subscribe at a future date.

From 25 May 2018, subscribers to the Reed Media MailChimp email list will ONLY be emailed if they have actively checked the ‘Email’ box in the Marketing Preferences section of MailChimp’s new GDPR compliant signup forms. MailChimp provides email list segmentation tools to enable this.

For new subscribers, if they sign up to an email list (say, to download a PDF ebook or other free resource) but do NOT check the ‘Email’ box under Marketing Preferences, not only will they NOT be emailed again (beyond an automated link to the download they have explicitly requested), they will be unsubscribed from the list within one year, and usually within three months. This gives ample time for the subscriber to update their preferences if they wish. A list-cleaning exercise to remove any non-consented subscribers will take place around 25 May each year regardless.

3. Feedburner. People in the past have been able to subscribe to receive the latest Reed Media blog posts using a Google service called Feedburner. This uses the Reed Media website’s RSS feed to email those who have signed up to receive the blog feed in this way. This is a double-opt in procedure, and there is an ‘unsubscribe’ link in every email sent. In theory, I can log into Feedburner and see email addresses of people who have subscribed this way. In practice, I never do, nor would I ever harvest emails from this list to email subscribers about anything else.

4. Eventbrite. I use Eventbrite to sell tickets to workshops, conferences and other events. When someone purchases a ticket (including a free ticket) to a workshop, conference or other event, Eventbrite sends certain automated emails (such as order confirmations and event reminders) and holds name and email data provided by the buyer for the purposes of completing the transaction. This is standard practice for purchasing online. I only use this data for communicating essential information with the buyer, such as venue changes, joining instructions, cancellations etc. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If any participant wants to hear details of new workshops, they must actively sign up to a separate double opt-in mailing list that includes the required GDPR consents.

5. Basecamp. [Update: I no longer use Basecamp.] Basecamp is a project management site. I use it to share PDF resources with workshop participants, and it is also useful for communicating joining instructions and answers to follow-up questions with a group. Users need to enter a name, email address and password to access the service. These are only used for the purposes of delivering the workshop and related resources. I may keep a record of who has attended workshops and other events, but do not use this data for marketing purposes. If any participant wants to hear details of new workshops, they must actively sign up to a separate double opt-in mailing list that includes the required GDPR consents.

6. WordPress. The Publishing Talk website is built on WordPress, a popular Content Management System (CMS). One feature is the ability to add ‘Users’ with different permissions levels. I am currently the only User – but new Users (at Contributor level) may be added in the future. A name and email address is required to set up a new User account. Email addresses are never shared with anyone, and are not publicly visible on the site. They are used only for account creation and to automatically generate an image of the Contributor where they have (optionally) added one to Gravatar (a separate third-party service). Contributors would be asked to submit a short biography for their bylines. Their names and biographies would be publicly visible on the site, and given by the Contributor with their explicit consent.

7. PayPal. If someone buys something from me through PayPal (this may include Eventbrite tickets or PDF ebooks), the email address that they use for their PayPal account is held by PayPal and visible by me. I would only ever use this email address to contact the buyer about an issue with their order, such as a refund for a cancelled workshop. This is standard practice for purchasing online. These emails are used for transactional purposes only, relating to specific orders, and not used for marketing or any other purpose.

7. Consent

I have taken steps to refresh consents. On 21 May 2018 I contacted all Reed Media MailChimp subscribers with ‘re-confirmation’ emails, which invited people to re-consent to receive emails from me by updating their preferences. These now include check boxes for Marketing Permissions according to MailChimp’s new GDPR-compliant form fields. I included a link to this page in the emails, and a reminder that they can unsubscribe at any time. I also sent a final reminder to non-consented subscribers on 24 May 2018, again with a link to this page.

Only people who re-consent will be emailed in future. Those on existing lists who did not re-consent have had all their data deleted from those lists.

Once someone has re-consented, I regard this consent confirmed until the person asks me to remove the data, or until I run a new re-confirmation campaign. I have never harvested email addresses, nor would I. Anyone on my lists has actively opted in via a double opt-in list.

I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed in every email.

8. Children

Reed Media is not aimed at children. To the best of my knowledge, the youngest people who engage with the site or sign up to mailing lists are higher-education students.

9. Data breaches

I have done everything I can to prevent this, by strongly password protecting my computers, MailChimp, Dropbox, Basecamp, Eventbrite and other accounts. I also use two-factor authentication where available, for example for MailChimp and Dropbox. If any of those organisations were compromised I would take steps to follow their advice immediately.

The only personal data that is held on the Reed Media website itself is that of Contributors (usernames, passwords, names, email addresses, biographies) and commenters (names, email addresses, comments). Email addresses are never visible to website visitors, and are only used in the ‘back end’ for administrative purposes. In the event of a data breach, I would alert Contributors and reset passwords.

The website is built on WordPress, a robust platform that has strong password protected logins and uses reCAPTCHA to deter automated software and bots. I strive to keep WordPress updated to the latest version. Any hacking or other compromise to the site would also be immediately noticed by my hosting provider, who would alert me and advise me on steps to take.

10. Data Protection by Design and Data Protection Impact Assessments

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.

11. Data Protection Officers

I have appointed myself, Jon Reed, as the Data Protection Officer (DPO), in the absence of anyone else.

12. International

My lead data protection supervisory authority is the UK’s ICO.

Updates

This page was last updated on 3rd November 2023. This page will be updated from time to time. Please check back frequently to see any updates or changes to this GDPR Compliance Statement. If there are any substantial changes I will announce them by email, on social media and in a blog post.

Contact

Questions, comments and requests regarding this GDPR Compliance Statement are welcome, and should be addressed to privacy@reedmedia.co.

Further information

Please also read the Reed Media Privacy Policy and Cookie Policy.