Our EU statement of data protection compliance

We care about your data and we are fully EUGDPR compliant. If you are worried about what we might do with your email address, please read the following statement. If you can’t be bothered (we don’t blame you – it’s incredibly boring) then please trust us: we will never spam you, add your email address to a database (unless you ask us to) and that’s a promise!



We have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. This document that follows explains how we comply. If you have given us your email address (by emailing us) you should read this to reassure yourself that we are looking after your data extremely responsibly.

If any of you understand this even better than us and believe there’s something else we should be doing, do let us know. We value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations and most authors are sole traders just doing our best to keep up.



We are both sole traders and have made ourselves aware of the regulations concerning GDPR. There is no one else in our organization to inform. Hilton Creativity maintain our website, but have no access to emails, Twitter or Facebook accounts.


The information we hold:

Email addresses of people who have emailed us and to whom we have replied – automatically saved in gmail and iCloud.

Email addresses, postal addresses and names of contacts in schools recorded in e mails and word documents on a password-protected computer.

We do not share this information with anyone.

If someone randomly asks for another person’s email address, unless both are known closely to us, we check with the other person first.


Communicating privacy information

We have put this document on my website.

We have added a link to my contact page.

We have made a link to this document on Twitter

We have made a link to this document on Facebook.


Individuals’ rights

On request, we will delete data.

If someone asked to see their data, we would take a screenshot of their entry/entries.


Subject access requests

We aim to respond to all requests within 24 hours and usually much sooner.


Lawful basis for processing data

If people have emailed us, they have given us their email address. We do not actively add it to a list but gmail or iCloud will save it. We will not add it to any database or spreadsheet unless the person whose address it is asks us to or gives us explicit and detailed permission.



Once we’ve contacted everyone with a reminder about the T&C of my holding their data, we regard this consent as confirmed until the person asks me to remove the data. We have never harvested email addresses, nor would we. Anyone on our lists has contacted us.

Consent is not indefinite, so we will make sure that we periodically remind people who have contacted us that they can ask for their data to be removed.



Young people sometimes email us but we don’t know their age unless they tell us – and we only have their word for that. We would not deliberately keep their email address (but gmail would save it in our account.) Since we are not “processing” their data, we are not required to ask for parental consent. We reply to the email and don’t contact them again.


Data breaches

We have done everything we can to prevent this, by strongly password-protecting our computer, Google and iCloud accounts. If any of those organisations were compromised we would take steps to follow their advice immediately.


Data Protection by Design and Data Protection Impact Assessments 

We have familiarised ourselves with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that we are using best practice.


Data Protection Officers

Steve Skidmore is the appointed Data Protection Officer.



Our lead data protection supervisory authority is the UK’s ICO.


Thank you for your patience and understanding!