Data Protection Policy 2018
Our Firm needs to gather and use certain information about individuals.
These can include clients, customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the
Firm’s data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures our Firm:
- Complies with data protection law and follows good practice
- Protects the rights of staff, clients, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Effective GDPR implementation will also provide:
- Trust – customers will have more confidence in the firm’s safeguards and security
- Value – increased data accuracy will result in higher communication efficiency
- Innovation and business boost – A worthwhile opportunity to transform company culture, improve business processes and rethink data.
- Searchable storage – localisation and indexing, knowing what data is stored and where it is held, with back-up and recovery systems, with controlled access.
- Policy Purpose
1.1 This Policy defines requirements to ensure compliance with laws and regulations applicable to the Firm’s collection, use, processing, and transfer of Personal Data.
- Policy Scope
2.1 The Firm is committed to complying with the applicable Data Privacy and Protection requirements with a common core of values, policies and procedures.
2.2 This policy is based upon the General Data Protection Regulation (GDPR) which operates within EU Regulation 2016/679, which provides a robust generic model for global Data Protection and privacy compliance.
2.3 This policy applies to all Firm’s full and part time employees, agency employees, and all suppliers and clients who receive Personal Data from the Firm, have access to Personal Data collected or processed by the Firm, or who provide information to the Firm, regardless of geographic location.
2.4 As a policy commitment, to ensure compliance with the regulations, the Firm will correctly establish its status for all Data Processing as either a Data Controller, or a Data Processor acting for another Data Controller.
3.1 The Firm’s data compliance program will be overseen by the Managing Director. Responsibilities may be delegated by the Managing Director.
3.2 The Managing Director will implement the Firm’s Data Protection procedure, as well as any duties required by applicable law, including:
3.2.1 Determining whether notification to one or more Data Protection authorities is required because of the Firm’s Data Processing activities, then making any required notifications, and keeping such notifications current.
3.2.2 Designing and implementing ongoing programs for training employees in Data Protection rules and procedures.
3.2.3 Establishing (with the involvement of the IT and legal counsel) procedures and standard contractual provisions for obtaining compliance with this policy with clients, suppliers, and third parties who receive Personal Data from the Firm, have access to Personal Data collected or processed by the Firm, or who provide information to the Firm, regardless of geographic location.
3.2.4 Establishing mechanisms for periodic audits of compliance with this policy, implementing procedures, and applicable law.
3.2.5 Establishing, maintaining, and operating a system for prompt and appropriate responses to Data Subject requests to exercise their rights.
3.2.6 Establishing, maintaining, and operating a system for the prompt and appropriate automatic disclosure to the relevant authorities and Data Subjects of any loss of Personal Data.
3.2.7 Informing senior managers, officers, and directors of the Firm of the potential corporate and personal civil and criminal penalties which may be assessed against the Firm and / or its employees for violation of applicable Data Protection laws.
3.2.8 Ensuring that the risk management plans in relation to Data Protection are implemented effectively and promptly.
3.2.9 Ensuring that adequate assurance regarding the effectiveness of Data Protection procedures and audits is provided to the Board, management and other stakeholders.
- Data Protection Principles
4.1 The Firm has adopted the following principles to govern its use, collection, and transmittal of Personal Data:
4.1.1 Personal Data shall only be processed fairly and lawfully.
4.1.2 Personal Data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes.
4.1.3 Personal Data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or processed.
4.1.4 Personal Data shall not be collected or processed unless one or more of the following apply:
4.1.5 The Data Subject has provided consent;
4.1.6 Processing is necessary for the performance of a contract directly with the Data Subject, or with a party of which the Data Subject is an employee;
4.1.7 Processing is necessary for compliance with the Firm’s legal obligation;
4.1.8 Processing is necessary to protect the vital interests of the Data Subject;
4.1.9 Processing is necessary for the legitimate interests of the Firm or of the third party or parties to whom the Data are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject.
4.2 Appropriate physical, technical, and procedural measures shall be taken to:
4.2.1 Prevent and / or to identify unauthorised or unlawful collection, processing, and transmittal of Personal Data; and
4.2.2 Prevent accidental loss or destruction of or damage to, Personal Data.
- Transfers to Third Parties
5.1 Personal Data shall not be transferred to another entity, country or territory, unless reasonable and appropriate steps have been taken to establish and maintain the required level of Data Security.
5.2 Personal Data may be communicated to third persons only for reasons consistent with the purposes for which the data were originally collected or other purposes authorised by law.
5.3 All transfers of Personal Data to third parties for further processing shall be subject to written agreements.
5.4 EU Personal Data shall not be transferred to a territory outside the European Economic Area (EEA) unless the transfer is made to a territory recognised by the EU as having an adequate level of data security.
5.5 Subject to the provisions of the above, Personal Data may be transferred where any of the following apply:
5.5.1 The Data Subject has given consent to the proposed transfer;
5.5.2 The transfer is necessary for the performance of a contract between the data subject and the Firm;
5.5.3 The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Firm and a Third Party;
5.5.4 The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise, or defence of legal claims;
5.5.5 The transfer is required by law;
5.5.6 The transfer is necessary to protect the vital interests of the Data Subject.
- Prevention of Non-Complying IT Systems
6.1 The Firm’s Data Protection Officer shall establish a procedure for assessing the impact of any new or existing technology on the privacy and security of Personal Data.
6.2 No new system or new version of an existing system shall be made available for use until the Managing Director has obtained written confirmation from the Data Protection Officer that there would be no breach of any Data Protection or other legal requirement or regulation.
- Sources of Personal Data
7.1 Personal Data shall be collected only from the Data Subject unless the nature of the business purpose necessitates collection of the data from other persons or bodies.
7.2 If Personal Data is collected from someone other than the Data Subject, the business unit collecting the data must have confirmation, in writing, from the supplier of the data that the Data Subject has provided consent to the transfer to the Firm.
- Data Subject Rights
8.1 Data Subjects shall be entitled to obtain the information about their own Personal Data upon a request made in writing to the Managing Director who will establish a system for logging each request under this Section as it is received and noting the response date.
8.2 The Firm shall provide its response to a request above within one month from the date of the written request, in the most commonly used electronic format. Complex or multiple requests may take up to two months. Making a request for personal data is free, although a reasonable cost may be charged where requests are unfounded, excessive or repetitive in character.
8.3 Data Subjects shall have the right to require the Firm to correct erroneous, misleading, outdated, or incomplete Personal Data.
- Sensitive Data
9.1 Sensitive Personal Data should not be processed unless:
9.1.1 Such processing is specifically authorised or required by law.
9.1.2 The Data Subject expressly and unambiguously consents.
9.1.3 Where the Data Subject is physically or legally incapable of giving consent, but the processing is necessary to protect a vital interest of the Data Subject.
- Special Category Data
10.1 The Firm does hold special category data in order to provide advice to clients. However, in the event that the data is obtained and recorded, this will be in accordance with Article 9 (2) (a).
- Data Quality Assurance
11.1 Personal Data must be kept only for the period necessary for permitted uses. The Firm has established local Record Retention Policies which determine applicable timescales for data deletion.
11.2 Personal Data shall be securely erased if their storage violates any Data Protection rules or if knowledge of the data is no longer required by the Firm, or at the request of the Data Subject.
- Third Party Processors
12.1 Where the Firm relies on third parties to assist in its processing activities, the Firm will choose a Data Processor who provides sufficient security measures and take reasonable steps to ensure compliance with those measures.
- Written Contracts for Third Party Processors
13.1 The Firm shall enter into a written contract with each Data Processor requiring it to comply with data privacy and security requirements imposed on the Firm.
- Audits of Third Party Data Processors
14.1 As part of the Firm’s internal Data auditing process, the Firm shall conduct periodic checks on processing by third party Data Processors, and relating to the hand-off procedures for the Data especially in respect of security measures.
- Notice to Directors, Managers and Officers of Potential Sanctions for Non-Compliance
15.1 The Managing Director shall notify directors, managers, and other officers of the Firm that:
15.1.1 Failure to comply with relevant Data Protection legislation may trigger criminal and civil liability, including fines, imprisonment, and damage awards; and
15.1.2 They can be personally liable where an offence is committed by the Firm with their consent or connivance, or is attributable to any neglect on their part.
- Data Security
16.1 The Firm has a Data Security Management policy, under which it shall adopt physical, technical, and organisational measures to ensure the security of Personal Data, including the prevention of their alteration, loss, damage, unauthorised processing or access, having regard to the nature of the data, and the risks to which they are exposed by human action or the physical or natural environment. These measures will be documented within the Data Security Policy, which will be reviewed at least annually, or when necessary to reflect significant changes to security arrangements.
16.2 Adequate security measures should include all the following:
16.2.1 Prevention of unauthorised persons from gaining access to data processing systems in which Personal Data are processed.
16.2.2 Preventing persons entitled to use a data processing system from accessing data beyond their needs and authorisations.
16.2.3 Ensuring that Personal Data cannot be read, copied, modified or removed without authorisation during electronic transmission, during transport, or during storage on a data carrier.
16.2.4 Ensuring that Personal Data are protected against undesired destruction or loss.
16.2.5 Ensuring that data collected for different purposes can and will be processed separately.
16.2.6 Ensuring that data are not kept longer than stipulated in the Data Retention Policy, including by requiring that data transferred to third persons be returned or destroyed.
- Compliance Measurement
17.1 The Managing Director shall establish a schedule for and implement a Data Protection compliance audit for all business units. The Managing Director, in cooperation with the business units, shall devise a plan and schedule for correcting any identified deficiencies within a fixed, reasonable time.
17.2 Each of the Firm’s business units shall review annually its data collection, processing, and security practices and shall determine what Personal Data the business unit is collecting, including that held in manual systems that constitute “Relevant Filing Systems”.
17.3 The information collected in this annual review shall be delivered to the Managing Director for review and appropriate action including, without limitation, the following:
17.3.1 Making recommendations for improvement to policies and procedures to improve compliance with this Policy and applicable law.
18.1 This Policy shall be available to employees through the Firm’s intranet and compliance system, and a public version shall be made available to others via the Firm’s website.
18.2 The Managing Director, in cooperation with the business units, will develop a timeline and program for implementing this Policy.
18.3 This Policy may be revised at any time, and at least annually, by the Managing Director. Notice of significant revisions shall be provided to employees through the Firm’s shared folders and compliance system, and to others via the Firm’s website.
If you wish to register a complaint, please write to The Compliance Officer, MFP Wealth Management, 10 Falcon Drive, Christchurch, Dorset, BH23 4BA or telephone 01425 279212.
A summary of our internal complaints handling procedures for the reasonable and prompt handling of complaints is available on request and if you cannot settle your complaint with us, you are entitled to refer it to the Information Commissioner’s Office.
Policy prepared by: Kathy King, MFP Wealth Management
Approved by board / management on: 11th April 2018
Policy became operational on: 20th April 2018
Next review date: 20th April 2019