Our GDPR Policies and Compliance Notices
The GDPR (General Data Protection Regulation) is a new set of European privacy laws that come into force in May 2018 and which protect the personally identifiable information of EU data subjects (typically EU residents). You can learn more about how we abide by these laws on this page.
Please note that this page only describes our GDPR compliance and policies in relation to our subscribers.
What is “personally identifiable information”?
Personally identifiable information is any information which can be directly correlated to you as an individual. For example, this could include:
- Your name
- Email address
- Personal affiliations
- IP addresses used
What personally identifiable information do we hold?
The information we store and process about subscribers is as follows:
- Email address
- Opt-in confirmation time
- Opt-in confirmation IP address
- Subscriptions held
- Name (sometimes)
- City and country (sometimes)
- Social media information (sometimes, e.g. Twitter or GitHub account name)
- Klout interests (sometimes)
What is the “right to access”?
If we hold personally identifiable information about you and you are a resident of the European Union, you are able to request that we provide you with a machine-readable copy of that information. In our case, that would typically be your email address and subscriptions, and potentially other information we may have collected such as your company name, social handles, etc.
You can email us at firstname.lastname@example.org to request access to this data. Please note that it is necessary for us to verify your identity for data protection reasons, although if you are requesting data assigned to the same email address from which you make the request, we will consider this “reasonable means” of verification.
What is the “right to erasure”?
You are able to request that we erase all information we store about you that is personally identifiable and which we are not required, by law, to keep (for example, we may need to keep customer information for tax purposes, but the GDPR allows this).
If you email email@example.com we will process your request. We can either erase all of your personally identifiable information (in which case you will also be unsubscribed from our publications) or erase part of your information, such as if we hold your name, company name, and similar details on file.
The basis on which we handle your personally identifiable information
We have determined that for most uses of personal data, the “Legitimate Interest” basis is appropriate. Handling of personal data to send email newsletters to our subscribers passes the three relevant tests:
- Purpose test. Is there a legitimate interest behind the processing? It is in both the interest of us and our readers for us to be able to send them the publications they have requested and we store the information required to be able to do this (their email address).
- Necessity test. It is necessary for us to store subscribers’ email addresses in order to be able to send them the publications they have specifically and directly requested.
- Balancing test. This test requires that we take into account the impact of our data processing practices on individuals. Our audience consists principally of adults representing businesses who have explicitly requested to receive our publications. We use their personal information principally to send them the newsletters they requested (and opted into via a double opt-in process). Use of their personally identifiable information for other purposes would require a further basis, though no such processing is currently undertaken, and we use our subscribers’ data only in ways that they would reasonably expect us to.
Further to the above, our universal use of the double opt-in process also affords us an audit trail of informed consent for each subscriber based upon the opt-in confirmation time and the IP address used.
How we share information with third parties
It is a necessity of business that we share personally identifiable information with third parties in certain situations. We have tried to enumerate each situation in which this occurs below:
- We store subscriber information in our own, custom-built subscription management system, which is hosted on servers to which the hosting company does not have access.
- We store backups of subscriber information on our own, internal systems, as well as on Dropbox and Amazon S3
- MailChimp may store backups of old data, although we have since migrated off their platform and are in the process of shutting down our account with them.
- Email addresses of subscribers are sent to SendGrid in order to send our publications to those addresses. In some cases, name information may be sent to customize the email headers. No other personal information is sent to SendGrid.
- We internally use Slack to work with certain types of data or to monitor signups, optins, unsubscribes, etc. Only our employees have access to these services.
- If we bill customers or other users, the information associated with these orders may come via PayPal or Stripe and then may be shared with our accountants, bookkeepers, and Xero, our online accounting platform providers.
All of the third parties listed above either have a presence in the EU and are subject to the GDPR themselves, or have asserted that they comply with the EU-US Privacy Shield framework.