My GDPR Statement of Compliance

Apologies for appalling boringness but…


I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This document that follows explains how I comply. If you have given me your email address (by emailing me, buying something from my website or subscribing to my website, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly.

If any of you understand this even better than me and believe there’s something else I should be doing, please do let me know. I value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations and like most authors, trainers and coaches I’m doing my best to keep up.

To create this scintillating document, I read reams of stuff and then used the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now.” Here are my 12 answers.

  1. Awareness

I, Helen Oakwater, am the only director of the company FAB Parents, so there is no one else in my organisation to make aware.

  1. The information I hold:
  • Email addresses of people who have signed up to the newsletter, requested access to free short courses or  paid for online training material or free library of resources or for access to full paid membership site. Emails are automatically saved in Rainmail, part of the Rainmaker platform which I use for my website.
  • Email addresses, first and surname names of people who have signed up to my mailing list via the opt-in link on my website– held in Rainmail.

I do not share this information with anyone. Ever. Never have. Never will.

If someone randomly asks for another person’s email address, unless both are known closely to me, I always check with the other person first.

  1. Communicating privacy information

I am taking five steps:

  1. I have put this document on my website, with a link from my sign-up section for new subscribers.
  2. I have added a link to my email signature.
  3. I have added a link to my contact page.
  4. I have created a website article which will go to all subscribers 2 May 2018 


  1. Individuals’ rights

On request, I will delete data.

If someone asked to see their data, I would take a screenshot of their entry/entries.

If they unsubscribe themselves from the Rainmail list, their data is automatically deleted.


  1. Subject access requests

I aim to respond to all requests within 48 hours and usually much sooner.


  1. Lawful basis for processing data
  • If people have emailed me, they have given me their email address. I do not actively add it to a list.
  • If people have opted into my Rainmail list (they have actively opted in, in the knowledge that they will receive the following:
    • Emails irregularly with useful information on new material produced by me or relevant to adoption, fostering and child protection.
    • You can unsubscribe at any time.
    • All outgoing emails always have an “unsubscribe” option at the bottom.


  1. Consent

Once I’ve contacted everyone with a reminder about the T&C of my holding their data, I regard this consent as confirmed for a year, or until the person asks me to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.

Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.


  1. Children

Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address. Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.


  1. Data breaches

I have done everything I can to prevent this, by strongly password-protecting my computer, Rainmaker, Rainmail and Dropbox accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.


  1. Data Protection by Design and Data Protection Impact Assessments

I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.


  1. Data Protection Officers


I have appointed myself as the Data protection Officer, in the absence of anyone else!


  1. International

My lead data protection supervisory authority is the UK’s ICO. And after Brexit? Don’t get me started.

THANK YOU for getting this far and still being awake.

Please note, I have (with her very kind and generous permission) based this on the GDPR statement of Nicola Morgan, simply because it’s the only one which made me laugh. She is an international expert (author and speaker) on adolescent brains and stress. Her material is excellent. You’ll find it useful. Check it out here



%d bloggers like this: