Nicola Morgan

My EUGDPR Compliance statement

Apologies for appalling boringness but… GDPR

First, and not at all boringly, you need to know what you are agreeing to if you sign up to my blog/website:

  • I will never share your data with anyone
  • I will take all the steps I know of to keep it safe
  • You will automatically receive each blogpost as soon as it’s published and then a monthly round-up at the end of each month
  • Very occasionally I might have an offer or information for my blog/website subscribers only, in which case I might email you directly

GDPR statement of compliance

I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This will explain how I comply. If you have given me your email address (by emailing me, buying something from my website or subscribing to my blog, for example) you should read this to reassure yourself.

To create this scintillating document, I read reams of stuff and then used the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now.” Here are my 12 answers.

  1. Awareness

I am a sole trader so there is no one else in my organisation to make aware. I occasionally use the services of a freelance assistant but she does not have access to my databases, website data or to any of my passwords. Breaching data protection rules would be against the terms of her engagement but this is not going to happen. Believe me!

  2. The information I hold:
  • Email addresses of people who have emailed me and to whom I have replied – automatically saved in Gmail.
  • Email addresses, names and self-identified descriptors (eg “parent”, “school librarian”) of people who have signed up to my mailing list via the opt-in link on my website – held in Mailchimp
  • Email addresses, postal addresses and names of contacts in schools which have bought licences to my classroom resources – recorded in an Excel spreadsheet on a password-protected computer. I use Dropbox, which is also password protected.
  • Email addresses, postal addresses (for physical items) and names of people who have bought something from my website. Orders are saved by default in the background of my website, which is securely password-protected.

I do not share this information with anyone. Ever.

If someone randomly asks for another person’s email address, unless both are known closely to me, I always check with the other person first.

  3. Communicating privacy information

I am taking five steps:

  1. I have put this document on my website, with a link from my sign-up section for new subscribers.
  2. I have added a link to my contact page.
  3. I communicated with all subscribers on March 28th 2018 in response to the new EUGDPR regulations, to check that they were happy to stay on my lists.
  4. I did so again (via a blog post) on Sept 28th 2020 and reminded subscribers that they can unsubscribe at any time and their data will be deleted.


  4. Individuals’ rights

On request, I will delete data.

If someone asked to see their data, I would take a screenshot of their entry/entries.

If they unsubscribe themselves from the Mailchimp list, I delete their data from that list. I might already have their email address for one of the other reasons listed below but


  5. Subject access requests

I aim to respond to all requests within 24 hours and usually much sooner.


  6. Lawful basis for processing data
  • If people have emailed me, they have given me their email address. I do not actively add it to a list but Gmail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
  • If people have opted into my Mailchimp list (and not unsubscribed when reminded) they have done so in the knowledge that they will receive the following:
    • Each post that I write, which will arrive via email
    • At the end of each month, a round-up of posts from that month
    • All such emails contain an unsubscribe link
    • Roughly annually I will remind people that they can unsubscribe
  • If schools (or others) have bought my classroom materials, they have agreed to be named on the licence and they understand that I need to hold their email address, name and school name and address for the licence records.
  • If people have bought something from my website, their postal and email addresses are saved in my orders folder in two places: an Excel spreadsheet on my computer/Dropbox and the orders folder behind my website. This is standard practice for purchasing online but I do not use their data for anything other than contacting them about a problem with the order. I will delete their email addresses and postal addresses after one year.


  7. Consent

Once I’ve contacted everyone with a reminder about the T&C of my holding their data, I regard this consent as confirmed until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.

Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.


  8. Children

Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address (but Gmail would save it in my account). Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.


  9. Data breaches

I have done everything I can to prevent this, by strongly password-protecting my computer, Mailchimp, Google and Dropbox accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.


  10. Data Protection by Design and Data Protection Impact Assessments

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.


  11. Data Protection Officers

I have appointed myself as the Data Protection Officer, in the absence of anyone else!


  12. International

My lead data protection supervisory authority is the UK’s ICO. And after Brexit? Don’t get me started.


May I have wine now?