Kateproof offers an affordable and efficient proofreading service

This proofreader's approach to GDPR

Posted on 24th January 2018; revised and updated in June 2019

The new General Data Protection Regulations (GDPR) are in force from May 25th 2018. In late 2017, I copy-edited a document about the new regulations, though that file was aimed at companies with more than 250 employees. However, having read that document and some of the finer details of the regulations themselves, I realised I need to change one or two elements of my approach to data collection and storage.

I thought I would therefore write this blog post to reassure clients about my approach and what will happen with their data, and also thought it might be useful for other editors and proofreaders in a similar situation.

The following elements are specific to my situation:

  • I am a sole trader with no employees
  • I do not have a mailing list or sign-up options on my website
  • I do not collect data from my website

What data do I collect to enable me to run my editing and proofreading business?

There are numerous clauses and caveats in GDPR but the main one for me and how I run my proofreading business is that I only ask for data that I need to fulfil my obligations to my tax authority (HMRC) – this falls into the 'lawful basis' of GDPR and is why I request specific name and address data. I have to include a name and address on my invoice and that is the only personal data I request. I will ask for this information once a client has agreed to proceed with my service, and then for the purpose of fulfilling my tax obligations, that information will be stored in my email system and on the invoice in my digital filing system (on my laptop/computer and on password-secured cloud storage). I have to keep that information for five years from the date of my tax return, so I say seven years for simplicity (see the example dates given on HMRC's website about this), but if after that time a client wishes for me to delete all emails and invoices from my files, I will do this – the client needs to send me an email to request this, just as an email was required when I asked for the information in the first place. I believe this fulfils the requirement that opting out has to be as easy as opting in.

Storage of the manuscripts or files with sensitive personal data

As per my terms and conditions, I ordinarily store files in line with the tax requirements but again, if a client wants me to delete the work sooner, I will do this. Within GDPR, there are different rules for 'sensitive personal data', which includes 'health data, information on individuals' racial or ethnic origin, political affiliations, religious beliefs, genetic and biometric data and sexual orientation' – I don't collect any data related to that, though obviously some of this might be in the texts I am working on. As that data has been willingly sent to me and I am not going to be processing or storing any of it without the client's permission, I do not believe I need to comply with the more complex elements of GDPR, but as mentioned above, if a client wants me to delete the files once I've edited or proofread them, I will be more than happy to do so.

Changes to how I will ask clients to accept my terms and conditions

I used to send clients a copy of my terms and conditions with a quotation and said that if the client agrees to the quotation, I take that as acceptance of the terms and conditions. However, under the new GDPR, I believe this acceptance has to be more active, so I will instead ask for explicit confirmation that the client accepts the terms.

What data do I pass to people when I refer a client to a different editor or proofreader?

Sometimes I don't have capacity to take on a project or don't think I am the right person for a project, and in these circumstances, I try to help the client by giving them details of someone else who might be available or suitable. In these situations, I have permission from the editors or proofreaders to pass clients their email addresses, and I let the person I'm referring know the first name of the potential client. I do not pass them potential clients' email addresses. This is my default approach but if you wish for me to do it differently, please let me know.

Aside from the first name in the situation described above, I do not share any data with any other editors, proofreaders, businesses or third parties (with the exception of HMRC (the UK tax authority) if they request to see all my files for audit as this is a legal requirement).

Force majeure impact on my proofreading service

In force majeure scenarios, i.e. unforeseen circumstances that mean I am unable to work, my husband, Peter Haigh, will have access to my emails to contact current clients to advise them of the situation. Peter Haigh will not save or copy those details for his own use, and he will make it clear that he is the author of the email, even if it is coming from my email account.


I believe that the above changes and clarification mean that as a sole trader, I will be compliant. I have also added a brief privacy policy to my website.

If you have any questions about what I do with other data or want confirmation on any further elements before agreeing to work with me, please do not hesitate to ask.

Although this is an EU regulation and there might be some uncertainty with Brexit and the application of GDPR in the UK, as I work with many EU-based clients and think the UK will implement similar rules if/when Brexit does happen, I will continue to adhere to GDPR.

If you want more information about GDPR, this is a good website.

Written by Kate Haigh.