What is GDPR?
On 25 May 2018 the General Data Protection Regulation (GDPR) comes into effect.
• GDPR will apply to every European organisation that handles the information of private individuals plus non-EU organisations offering goods and services to EU individuals.
• The UK government has confirmed that Brexit will not affect the commencement of the GDPR.
• GDPR gives the Information Commissioners Office (ICO) the power to impose high fines: violation of the regulations could result in fines of the higher of €20,000,000 or 4% of global turnover depending on the type of breach.
• A violation can be caused by the act of a third party, i.e by the organisation being hacked. There will be no exemption or relief where the breach is the result of a cyber-attack.
• The GDPR provide additional rights to individuals and increased restrictions to how and when organisations can process personal data.
How do we manage data?
CL Finance Associates LLP (‘we’ or ‘us’ or ‘our’) are committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection. We have always had a robust and effective data protection in place which complies with existing law and abides by the data protection principles. However, we recognise the requirement and importance of updating and expanding this to meet the demands of the GDPR and the UK’s Data Protection Bill.
We understand the importance of safeguarding personal information under our remit and have developed a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for the new Regulation.
What we have done in preparation for GDPR?
We already have a consistent level of data protection and security across CL Finance Associate LLP, but we have taken the opportunity to tighten up some procedures including the transfer of data via email which is now all encrypted, the emailing of payslips, obtaining consent and ensured data minimisation.
What data do we hold, why do we hold it and how do we protect it?
• We may hold your own, your client’s and your employee’s details which may include names, private addresses, date of birth, tax and NI references, company number (if applicable), employer’s reference and name (if applicable), business details (if applicable) and details of past and present taxable income and gains and data on other taxes.
• We hold this data to allow us to provide accountancy and tax compliance and tax advisory services (if applicable).
• We also hold data in order to make ID checks under the Money Laundering Regulations, this may include a copy of your passport or driving licence and evidence of your address.
• We retain data for as long as statute or regulations demand.
• We hold data electronically and on paper.
• We normally destroy files after six years.
• Our computer hard drives are destroyed before disposal.
• We do not allow any third party access to our data, however, our IT support (outsourced) may work on software programmes that hold that data such as our databases.
• We store data via third party servers and we use applications including Dropbox, Microsoft and Google products.
• Data held on third party servers is highly protected by security features including firewalls, regular scans against malware and measures to prevent SQL injection.
• We process and store data using our tax and accounting software, such software may be located ‘in the Cloud’ and if so we rely on the software provider’s security features and all access is password protected.
• When software is installed on our local machines all software is password protected.
• We prohibit the use of memory sticks to hold client data. If you provide us with a memory stick we will not transport it out of our office.
• We will only share data with HMRC and HM Courts and Tribunal’s service, during the course of an enquiry or investigation or tax appeal or other reasons if:
a) We authorised to do so by the taxpayer, or
b) In the case of a Schedule 36 FA 2008 Information Notice, we have either been so authorised by a tribunal or we are compelled to provide data under the terms of a third party notice, or
c) We are obliged by other regulations to provide data.
• We may use third party contractors in our business and they are required to sign a ‘Fit and proper’ declaration which includes a declaration that they will not remove data or pass on data to other parties.
On our website:
• We maintain a database that contains the details of users of our website. The details that we retain are as input by you when you registered with our website. We retain this information as required for billing and to contact you.
• Our website allows us to track user data for our own analytical purposes. We track users by name (when logged in), by IP address, according to which device you are using (whether you are logged in or not) and by device location.
• We do not sell our website data or allow any third party access to our data or our database of users.
• Our website data is hosted on third party servers which are protected by firewalls, encryption and access to our servers is protected by password protection applications.
• Our hosting offers technical support and support technicians and our web developers may require access to the full back-end of our website. We place reliance on their own security measures when they access our data.
We are registered with the Information Commissioner.
Can I find out what data you hold about me?
Anyone can access personal information we hold about them. An individual can request information about:
• What personal data we hold about them
• The purposes of the processing
• The categories of personal data concerned
• The recipients to whom the personal data has/will be disclosed
• How long we intend to store your personal data for
• If we did not collect the data directly from them, information about the source
• The right to have incomplete or inaccurate data about them corrected or completed
• The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
• The right to lodge a complaint or seek judicial remedy and who to contact in such instances
Do we have processes to ensure security of data?
CL Finance Associates takes the privacy and security of individuals and their personal information very seriously and are taking every reasonable measure and precaution to protect and secure the personal data that we process. We have policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures.
Does everyone who works for CL Finance Associates know about GDPR and its impact?
Everyone who works at CL Finance Associates LLP has received training about the impact of GDPR and have been provided with copies of our policies on data protection.
Please contact Sue on firstname.lastname@example.org if you would like any further information.