GDPR imposes strict controls on how all organisations within the EU, and any organisation that collects the personal data of EU citizens, collect and process personal data. We at The Hughes Partnership have conducted a review of our data collection and retention policies and of what we have done to prepare for GDPR.
Some information on data we may hold:
- We may hold your details which may include names, private addresses, contact details, date of birth, tax and NI references, company number (if applicable), employer’s reference and name (if applicable), business details (if applicable) and details of past and present taxable income and gains and data on other taxes.
- We hold this data to allow us to provide accountancy and tax compliance, tax advisory services and payroll services.
- We also hold data in order to make ID checks under the Money Laundering Regulations; this may include a copy of your passport or driving licence and evidence of your address.
- We retain data for as long as statute or regulations demand.
- We hold data electronically and on paper.
- We normally destroy files after ten years.
- Our computer hard drives are destroyed before disposal.
- We do not allow any third party access to our data; however, our IT support (outsourced) may work on software programmes that hold that data, such as our databases.
- We store data via third party servers and we use applications including Dropbox, Microsoft and Google products.
- Data held on third party servers is highly protected by security features including firewalls, regular scans against malware and measures to prevent SQL injection.
- We process and store data using our tax and accounting software. Such software may be located 'in the Cloud' and, if so, we rely on the software provider's security features, and all access is password protected. We utilise 2-step authentication where possible.
- No software or data is held on local machines in the interest of data security.
- We prohibit the use of memory sticks to hold client data. If you provide us with a memory stick we will not transport it out of our office.
- We will only share data with HMRC and HM Courts and Tribunals Service, during the course of an enquiry, investigation or tax appeal or for other reasons, if:
a) we are authorised to do so by the taxpayer, or
b) in the case of a Schedule 36 FA 2008 Information Notice, we have either been so authorised by a tribunal or we are compelled to provide data under the terms of a third party notice, or
c) we are obliged by other regulations to provide data.
- We may use third party contractors in our business and they are required to sign a ‘Fit and proper’ declaration which includes a declaration that they will not remove data or pass on data to other parties.
- We maintain a database that contains the details of users of our website. The details that we retain are as input by you when you registered with our website. We retain this information as required for billing and to contact you.
- Our website allows us to track user data for our own analytical purposes. We track users by name (when logged in), by IP address, according to which device you are using (whether you are logged in or not) and by device location.
- We do not sell our website data or allow any third party access to our data or our database of users.
- Our website data is hosted on third party servers which are protected by firewalls and encryption, and access to our servers is controlled by password protection applications.
- Our hosting provider offers technical support, and its support technicians and our web developers may require access to the full back-end of our website. We place reliance on their own security measures when they access our data.
Some things we have done to comply:
- We have undertaken an ‘Information Audit’ to assess what personal information we hold and to identify any ‘risk factors’ regarding the processing and retention of data.
- We have updated our own internal Data Retention Policy and associated documents.
- We have updated our Privacy and Cookie Policies along with our Terms of Engagement so that you can see exactly how, why, where and for how long we may be processing and holding your data.
- We have carried out staff training to cover all aspects of our new GDPR related policies and procedures.
By signing up to The Hughes Partnership, you are entering into an agreement which gives us a legitimate basis to process your data, in line with GDPR requirements. In other words, in order for you to benefit fully from using us as your accountants, we will need to process and store your data to complete Payrolls, Accounts, and Tax Returns etc.
Rights that you have as a client
Under GDPR you have the right to see a full copy of any data we hold about you, and also the right to request that it is fully deleted from our system (we may be required to keep some records to comply with any legal obligations).
The Hughes Partnership is based in Solihull which is located in the Birmingham area, so we ultimately answer to the UK Information Commissioner’s Office (ICO) regarding Data Privacy and Protection. We are registered with the ICO under agreement number 00045831661.
Despite all our best efforts, should the unthinkable happen and we suffer a significant data breach that puts your personal data at risk, we have a legal duty to report this to you and to the ICO within 72 hours of discovery.
Maintaining your privacy is really important to us.
Data Protection Policy
In the course of its business, the Firm needs to gather and use certain information about individuals. This will include clients, suppliers and other business contacts, and employees and prospective employees, as well as other people that we have a relationship with, may need to contact, or with whom we need to deal.
This policy describes how this personal data must be collected, processed, transferred, handled and stored in order to meet the requirements of data protection law, in particular the General Data Protection Regulation (GDPR). We recognise that, not only must we comply with the principles of fair processing of personal data, we must also be able to demonstrate that we have done so. The procedures and principles set out below must be followed at all times by the Firm, its employees and all those within its scope as set out below.
Why this policy exists
This Policy provides help and guidance to our staff and managers in:
- complying with data protection law and following good practice
- protecting the rights of staff, clients, partners and business contacts
- being open about how we use personal data, how we store it and how we secure it
- protecting the Firm against the risks of both inadvertent and intentional data breaches
Scope of the Policy
The Policy applies to all employees; fixed term contract employees; temporary employees; agency staff; and consultants and contractors who are provided with access to any of the Firm’s files and/or computer systems. Collectively these individuals are hereafter referred to as 'users'. All users have responsibility for complying with the terms of this Policy.
Data Protection Law
What is personal data?
The GDPR regulates how organisations must collect, handle and store personal data. Personal data is any information relating to an identified or identifiable living individual. It is information which enables that person to be identified, directly or indirectly, and may include their name, address, telephone number(s), email address(es), age, location data, or online and biometric identifiers. We hold data relating to our employees, some of which is classed as sensitive personal data (also known as ‘special category data’) where, for example, it concerns a person’s health and medical status. We also hold a wide range of information about clients, including highly confidential personal financial data such as their individual tax information.
These rules apply to all data stored in any structured way, including both paper files and electronically.
What does the law say?
The Data Protection Principles
The GDPR contains a number of key principles which apply to the collection and processing of personal data and which underpin everything that follows.
- Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
- Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accuracy: personal data shall be accurate and, where necessary, kept up to date
- Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- Accountability: the controller shall be responsible for, and be able to demonstrate compliance with, the GDPR
For the purposes of the law and these principles, a ‘data controller’ is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. In relation to the majority of our data, we are data controllers, although where we are responsible for eg looking after a client’s payroll, they are the data controller and we are ‘data processors’. A data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Our responsibilities as data processors are dealt with later in the Policy.
- The Partners are ultimately collectively responsible for ensuring that the Firm meets its legal obligations and that this Policy is followed
- The Data Protection Manager (DPM) is responsible for:
  - keeping the partners updated about data protection responsibilities, risks and issues
  - reviewing all data protection procedures and related policies, in line with an agreed schedule
  - arranging data protection training and advice for everyone to whom this Policy applies
  - handling data protection queries from staff and contractors
  - dealing with requests from anyone whose data we hold for access to that data (known as ‘subject access requests’)
  - checking and approving any contracts or agreements with third parties that may handle our personal data
  - checking and approving any contracts or agreements with third parties whose personal data we may handle
  - ensuring that policies on processing, retention, storage and deletion of data are adhered to and relevant documentation is maintained to evidence compliance
- The IT Server is responsible for:
  - ensuring that all systems, services and equipment used for storing data meet acceptable security standards
  - performing regular checks to ensure that security hardware and software is functioning properly
  - evaluating any third-party services the Firm is considering using to store or process data, for example cloud computing services
- The Partner in charge of marketing is responsible for:
  - approving any data protection statements attached to communications such as emails and letters
  - where necessary, working with other staff to ensure marketing initiatives are compliant with data protection principles
  - ensuring that records of consents and withdrawal of consents to marketing are maintained.
Lawful, Fair and Transparent Data Processing
We are responsible as a Firm for ensuring that any personal data we hold is processed in accordance with the principles laid out above. We are permitted to process data where one of the following legal bases applies:
- the data subject has given their consent. An example might be where a client has agreed to be contacted about a new tax advice service we are providing
- the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering a contract with them. An example of this is where we need to retain and file personal information about our clients in order to finalise their accounts or tax affairs, or where a potential client gives us their personal data in order for us to be able to quote for advice that they need, and in order for them to decide whether to instruct us
- the processing is necessary for compliance with a legal obligation to which the data controller is subject. An example of this might be where we pass personal data to the relevant money laundering authorities in a situation where we have an obligation to do so
- the processing is necessary to protect the vital interests of the data subject or another natural person. An example of this might be where we pass on information to the next of kin of an employee who is gravely ill
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This is usually used by public authorities carrying out vital functions such as provision of public utilities or public safety
- the processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party, except where those interests are overridden by the fundamental rights and freedoms of the data subject and their right to privacy in relation to their personal data. This is a difficult exception to generalise about, but it can be used by businesses where they have legitimate commercial aims which can override the data subjects’ interests. Examples might be the chasing of a legitimate debt, investigating potential dishonesty of an employee, or investigating a grievance about sexual or racial harassment. These legitimate aims may require some processing of personal data which may be justified in that context. Any user who wishes to use this basis is advised to speak to the DPM to discuss it.
Sensitive Personal Data or ‘Special Category Data’
This data has a special status under the law, as it is particularly personal in nature. It concerns a person’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics used for identification purposes, health, sex life or sexual orientation. There are a number of strict rules about the processing of this kind of data, and the kinds of situations in which it is legitimate to process it, and usually the data controller needs the data subject’s explicit consent to do so or a clear legal basis. We will never disclose such data to any third party unless legally obliged to do so, and then only to appropriate authorities as required by law.
In normal circumstances, the only sensitive personal data that we hold is in relation to our employees, and it is dealt with in a separate Privacy Statement, a copy of which is provided to all staff. Please refer to that for further details. We may occasionally hold personal data about others providing work to the business such as agency workers or contractors working on site eg. biometric identity data, but this data will be dealt with in accordance with our contract by which their services are provided.
Other Personal Data
The Firm will adhere to the following principles:
- the Firm collects and processes the personal data set out below, which includes:
  - personal data obtained directly from data subjects, and
  - personal data obtained from third parties
- the Firm only collects, processes and holds personal data for the specific purposes set out in xx below, or for other purposes expressly permitted by the GDPR
- we keep data subjects informed at all times of the purpose(s) for which the Firm processes their personal data
- where personal data will be disclosed to third parties, we will only do so where we are legally required to do so, eg to HMRC or to money laundering authorities, or where we have the data subjects’ free and informed consent to the disclosure
- we will only collect and process personal data for and to the extent necessary for those specified purpose(s)
- in respect of personal data that we collect and process, we will:
  - keep it accurate and up to date
  - grant the data subject the right to rectify any inaccurate data in accordance with their right to do so
  - regularly check the data and ensure that all reasonable steps are taken to promptly rectify or delete any mistakes or inaccuracies as appropriate
  - not keep personal data any longer than is necessary bearing in mind the purpose(s) for which it was collected
  - take all reasonable steps to promptly delete or dispose of any data which is no longer required
  - adhere to our Retention Policy, which is available to all staff
  - take measures to ensure the security of the data in line with the measures set out below
We act as data processors for a number of clients (the data controllers), receiving personal data relating to their employees and processing it for the purpose of payment of salary, and appropriate deductions. We do not expect to receive any data which is sensitive personal data in relation to this. We will:
- only process the personal data provided in accordance with the data controller’s instructions and in accordance with our contract with them
- implement technical and organisational measures in line with the GDPR to ensure the fair and lawful processing and the security of such data
- not disclose the data or transfer it to any third party without the explicit permission of the data controller, unless we are legally obliged to do so or it is permitted and authorised by the contract with the data controller
- ensure that appropriate records are kept in order that we are able to demonstrate compliance with GDPR principles
- comply with our obligations to notify the regulatory authorities of any data breach.
Accountability and Record Keeping
The Firm will keep written internal records of all personal data collection, holding and processing, and this will incorporate the following:
- name and details of the Firm, its DPM and any third party data processors
- the purposes for which the Firm collects, holds and processes personal data
- details of the categories of personal data collected, held and processed by the firm and the categories of data subject to which the data relates
- details of any transfers of data to non-EEA countries including the mechanism for doing so and security measures taken
- details of the Firm’s retention policy (see Data Retention Policy)
- detailed descriptions of all technical and organisational measures taken by the Firm to ensure the security of personal data.
Privacy by Design – Data Impact Assessments
Part of the Firm’s duty is to ensure that in the planning of new processes or procedures which involve the use of personal data, we consider the impact of the changes and ensure that we have fully considered and complied with our obligations under the GDPR. The Firm will always ensure that all such changes are designed and implemented in accordance with the Regulation, and that the DPM is consulted and their recommendations are taken into account in the planning and introduction of such changes.
In any situation where new technologies are being deployed and the processing of the personal data is likely to result in a high risk to the data subjects’ rights and freedoms under the Regulation, we will carry out a Data Impact Assessment, overseen by the DPM. This will deal with:
- the type(s) of personal data that will be collected, held and processed
- the purpose for which it is to be used
- the Firm’s objectives in processing this data and making this innovation
- how the personal data is to be used
- internal and external parties to be consulted
- why we need the data and how the collection of the data is proportionate to our need for it
- what risks there are for data subjects
- what risks the Firm runs, and
- what measures we are proposing to minimise and protect against the risks.
Providing Information to Data Subjects
We are required to ensure that, when we collect and process personal data, the data subject is aware of the purposes for which this is being done, and what is happening to the data. We therefore will ensure that the following principles are followed:
- where we collect personal data directly from the data subject, we will inform them of the purpose for which it is being collected at the time of collection
- where we are obtaining personal data from a third party, we will inform the data subject why we are doing this:
  - if we use the details to contact them, at the time of first contact, or
  - if we are going to pass the information to a third party, at the time this is done, or
  - as soon as is reasonably possible and in any event, within one month
- all data subjects will be provided with the following information:
  - details of the Firm, including the name of the DPM
  - why the data is being collected and processed, and the legal basis for this
  - if applicable, any legitimate interests justifying the Firm’s collection and processing of data
  - where personal data is not collected directly from the subject, the categories of data collected and processed
  - where the data is to be transferred to third party/parties, their details
  - where data is to be transferred outside the EEA, details of the transfer
  - details of data retention
  - details of the data subject’s rights:
    - under GDPR
    - to withdraw consent to processing at any time
    - to complain to the Information Commissioner’s Office (ICO)
  - details of any legal or contractual requirement which means that the Firm needs to collect this information and process it, and what the implications are if it cannot do so
  - details of any automated decision making or profiling that will take place using personal data, how the decisions will be made and their consequences
Data Subject Access
‘Subject Access Requests’ (SARs) can be made by data subjects where an organisation holds personal data about them. This can be done at any time, and the requests are made in order for the data subject to find out what data is being held, and what is being done with it. Where a subject access request is made to us as a payroll processor, we will refer the employee to the data controller (their employer, who is our client) to deal with the request.
- such requests need to be made by the data subject in writing
- they should be addressed to the DPM, who will deal with the request
- the Firm will usually respond to them within one month, but we may need to extend it for a period of up to a further two months if it is a complex request or there are multiple requests. In that situation, the data subject(s) will be informed.
- the Firm will not charge the data subject any fee for responding to the SAR, unless the subject is asking for multiple copies of data already supplied or unless the request is manifestly unfounded or excessive.
Rectification of Personal Data
Where a data subject informs us that data we are holding about them is inaccurate or incomplete and requests that it is corrected, we will rectify the information and inform the data subject that we have done so, within one month of the request. Again, in complex cases, we may extend that period by up to two months.
Where the incorrect data is held by third parties to whom it has been disclosed, we will ensure that they are informed and that the data that they hold is rectified.
Erasure of Personal Data
Data subjects have a right to require the Firm to erase personal data held about them when:
- the Firm no longer needs the data it is holding for the purposes for which it was originally collected
- the data subject wishes to withdraw their consent to the Firm holding and processing the data
- the data subject objects to the Firm holding and processing the data, and there is no overriding legitimate interest which allows us to continue to do so
- the personal data has been processed unlawfully
- the personal data needs to be erased in order for the Firm to comply with a particular legal obligation.
Where we are obliged to do so, we will erase the information and inform the data subject that we have done so, within one month of the request. Again, in complex cases, we may extend that period by up to two months, and again where the data is held by third parties to whom it has been disclosed, we will ensure that they are informed and that the data that they hold is erased.
Restriction of Personal Data Processing
Data Subjects have a right to request that the Firm ceases to process any personal data that we are holding about them. If that takes place, we will only retain whatever personal data we need to ensure that no further processing takes place, and we will inform any third parties to whom we have disclosed the data about the restriction on processing (unless it is impossible to do so or would involve disproportionate effort).
Objections to Personal Data Processing
Data subjects have a right to object to us processing their personal data based on our legitimate interests or for direct marketing purposes. Where the data subject notifies us of their objection, we will cease such processing immediately unless our legitimate interests override those of the data subject, or unless we need to continue to process the data in conducting a legal claim. Where the data subject is objecting to direct marketing, we will cease to use the data for this purpose immediately.
Personal Data Collected, Held and Processed

| Type of Data | Purpose |
| --- | --- |
| Personal details of employees, such as names, addresses, contact details, age, sex etc | The administration of employment contracts |
| Personal details of clients, such as names, addresses, contact details, age, sex etc | To provide accountancy and related services to clients, in particular for the administration of their tax and personal financial affairs, and to comply with both their and our legal obligations including in relation to tax and money laundering; to market our services to clients, in accordance with the GDPR |
| Education and training details of our prospective employees, employees and contractors | Collected in the course of recruitment with a view to selection, and maintained to track their career progression |
| Financial details of employees and contractors, ie matters related to income and payroll, tax details, expenses claimed, court orders, pensions, insurance | Collected and maintained in order to ensure timely and accurate payment of staff, and proper accounting for tax purposes |
| Time recording of work for clients | To provide services to our clients and bill for them, and to monitor the performance of our employees |
Data Security – Transferring Personal Data and Communications
We will ensure that we take the following measures with respect to all communications containing personal data:
- all emails containing personal data are encrypted
- all documents prepared for clients, such as tax returns and final accounts, will be held in a separate client area hosted by a reputable IT service provider. Access to the area is controlled. Clients will be provided with unique, confidential login details to allow them to view their documents
- all emails containing personal data will be marked ‘Confidential’
- personal data contained in the body of an email, whether sent or received, should be copied from the body of the email and stored securely, with the email being deleted
- all temporary files containing any personal data should be deleted without delay
- where personal information is being sent by fax, the recipient should be informed of its imminent arrival to allow them to monitor and collect the document immediately
- all personal data sent in hard copy form should be delivered to the recipient in person, in a container marked ‘Confidential’, or sent by recorded delivery or courier, as appropriate.
Data Storage and General Security
For detailed guidance on this please refer to NCSC Cyber Essentials at www.cyberessentials.ncsc.gov.uk.
- all electronic copies of personal data should be stored securely using privilege levels and passwords
- regular password changes will be enforced and the number of logins will be restricted
- passwords should never be written down or shared between any employees, agents, contractors or other persons working on behalf of the Firm, no matter what their level of seniority.
- computer equipment belonging to the Firm will be sited in a secure location within the office and in a position where it cannot be viewed by members of the public
- computer terminals must not be left unattended, and should be logged off at the end of the session
- personal data is backed up and is stored offsite and where appropriate is encrypted
- all software must be kept up to date and we shall be responsible for ensuring that all security-related updates are installed promptly, unless there are valid technical reasons for not doing so
- no software should be installed on the Firm’s system without the prior approval of the DPM
- personal data should not be stored on any mobile device such as laptops, tablets and smartphones without the approval of the DPM and, where it is held, only in accordance with his or her instructions and limitations
- personal data must never be transferred on to an employee’s personal device and we will never transfer such data onto a device owned by a contractor or agent unless they have agreed to comply fully with the letter and spirit of this Policy and with the GDPR
- all manual files must be stored securely in locked cabinets and should not be left unsecured in the office overnight
- computer printouts containing personal information should be destroyed without delay and should never be retained for scrap paper
- where personal data is to be erased, or otherwise disposed of, this will be done in accordance with the Firm’s Data Retention Policy.
Access to Personal Data
In relation to accessing personal data:
- employees must never access data, either on a computer or in paper form, without having authority to do so
- personal data must not be shared informally and if an employee, agent, contractor, or any other third party wants access to the data, it must be formally requested from the DPM
- personal data must be handled with care, and should not be left unattended or in view of unauthorised employees, contractors or agents whether on paper or on a screen
- where personal data held by the Firm is being used for marketing purposes, it is the responsibility of the DPM to ensure that appropriate consents are obtained.
The Firm will take the following steps in relation to the collection, holding and processing of personal data:
- all employees, agents, contractors or other parties working on our behalf will be made fully aware of their individual responsibilities, and the responsibilities of the Firm, in relation to data privacy and the GDPR, and they will be provided with a copy of this Policy
- in respect of these individuals and of personal data held by the Firm:
  - only those persons who need access to particular personal data in order to complete their assigned duties will be granted such access
  - all persons will be appropriately trained and supervised in handling personal data
  - all persons will be encouraged to exercise caution in discussing work related matters within the workplace
  - all employees are bound by strict duties of professional confidentiality in discussing any work related matters outside the workplace, which will be adhered to and enforced
- our methods of collecting, holding and processing data will be regularly evaluated and reviewed and the personal data held by the Firm will be reviewed periodically, as set out in our Data Retention Policy
- we will keep the performance of our agents, contractors and third parties under review and, not only will we ensure that they are required to handle personal data in accordance with the GDPR and our Policy, but we will also ensure that they are held to the same standards as our own employees both contractually and in practice
- where any agent, contractor or third party fails in their obligations under this Policy, we will ensure that they are required to indemnify us for costs, losses, damages or claims which may arise as a result.
Transfer of Personal Data outside the EEA
The Firm may from time to time transfer personal data outside the EEA. This will only be done if one or more of the following applies to the transfer:
- it is to a territory, or a sector within that territory, that the European Commission has determined provides an adequate level of protection for personal data, or it is covered by appropriate safeguards approved by the supervisory authorities
- it is made with the explicit consent of the data subject, given after they have been informed of the possible risks of the transfer
- it is necessary for the performance of a contract between the data subject and the Firm, or for pre-contractual steps taken at the request of the data subject
- it is necessary for important public interest reasons, or for the conduct of legal claims, or to protect the vital interests of the data subject
- it is made from a register that under UK or EU law is intended to provide information to the public and which is open to the public or to those able to show a legitimate interest in accessing it.
Data Breach Notification
All personal data breaches must be reported immediately to the DPM.
If such a breach occurs, and it is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, reputational damage), the DPM is required to ensure that the ICO is informed without delay and, in any event, within 72 hours of the Firm becoming aware of the breach.
Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the DPM also needs to ensure that the data subjects affected by the breach are informed directly and without undue delay. The following information must be included in the notification:
- the categories and approximate numbers of data subjects affected
- the categories and approximate numbers of personal data records concerned
- the name and contact details of the Firm’s DPM
- the likely consequences of the breach
- details of the measures taken, or proposed, to deal with the consequences of the breach.
Data Retention Policy
This Policy sets out our obligations regarding retention of personal data collected, held, and processed by the Company in accordance with EU Regulation 2016/679, the General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The GDPR also addresses “special category” personal data (also known as “sensitive” personal data). Such data includes, but is not necessarily limited to, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation.
Under the GDPR, personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for scientific or historical research, or for statistical purposes (subject to the implementation of the appropriate technical and organisational measures required by the GDPR to protect that data).
In addition, the GDPR includes the right to erasure or “the right to be forgotten”. Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:
- where the personal data is no longer required for the purpose for which it was originally collected or processed (see above);
- when the data subject withdraws their consent;
- when the data subject objects to the processing of their personal data and the Company has no overriding legitimate interest;
- when the personal data is processed unlawfully (i.e. in breach of the GDPR);
- when the personal data has to be erased to comply with a legal obligation; or
- where the personal data is processed for the provision of information society services to a child.
This Policy sets out the type(s) of personal data held by the Company, for the period(s) for which that personal data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.
For further information on other aspects of data protection and compliance with the GDPR, please refer to the Company’s Data Protection Policy.
Aims and Objectives
The primary aim of this Policy is to set out limits for the retention of personal data and to ensure that those limits, as well as further data subject rights to erasure, are complied with. By extension, this Policy aims to ensure that the Company complies fully with its obligations and the rights of data subjects under the GDPR.
In addition to safeguarding the rights of data subjects under the GDPR, by ensuring that excessive amounts of data are not retained by the Company, this Policy also aims to improve the speed and efficiency of managing data.
This Policy applies to all personal data held by the Company and by third-party data processors processing personal data on the Company’s behalf.
Personal data held by the Company and by its third-party data processors is stored in the following ways and in the following locations:
- the Company’s cloud servers, located in the UK;
- computers permanently located in the Company’s premises;
- laptop computers and other mobile devices provided by the Company to its employees;
- computers and mobile devices owned by employees, agents, and sub-contractors used in accordance with the Company’s Bring Your Own Device (“BYOD”) Policy;
- physical records stored in our office.
Data Subject Rights and Data Integrity
All personal data held by the Company is held in accordance with the requirements of the GDPR and data subjects’ rights thereunder, as set out in the Company’s Data Protection Policy.
Data subjects are kept fully informed of their rights, of what personal data the Company holds about them, how that personal data is used and how long the Company will hold that personal data (or, if no fixed retention period can be determined, the criteria by which the retention of the data will be determined).
Data subjects are given control over their personal data held by the Company including the right to have incorrect data rectified, the right to request that their personal data be deleted or otherwise disposed of (notwithstanding the retention periods otherwise set by this Data Retention Policy), the right to restrict the Company’s use of their personal data, the right to data portability, and further rights relating to automated decision-making and profiling.
Technical and Organisational Data Security Measures
The following technical measures are in place within the Company to protect the security of personal data.
- Personal data may only be transmitted over secure networks;
- Personal data may not be transmitted over a wireless network if there is a reasonable wired alternative;
- Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself and any associated temporary files should then be deleted;
- Where personal data is to be sent by facsimile transmission, the recipient should be informed in advance and should be waiting to receive it;
- Where personal data is to be transferred in hardcopy form, it should be passed directly to the recipient;
- All personal data transferred physically should be transferred in a suitable container marked “confidential”;
- No personal data may be shared informally, and if access is required to any personal data, such access should be formally requested;
- All hardcopies of personal data, along with any electronic copies stored on physical media, should be stored securely;
- No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without authorisation;
- Personal data must be handled with care at all times and should not be left unattended or on view;
- Computers used to view personal data must always be locked before being left unattended;
- No personal data should be stored on any mobile device, whether such device belongs to the Company or otherwise, without the formal written approval of the DPM, and then strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary;
- No personal data should be transferred to any device personally belonging to an employee, and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the Company’s Data Protection Policy and the GDPR;
- All personal data stored electronically should be backed up, with backups stored offsite. All backups should be encrypted;
- Under no circumstances should any passwords be written down or shared. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
- All software should be kept up to date. Security-related updates should be installed as soon as reasonably possible after becoming available;
- No software may be installed on any Company-owned computer or device without approval; and
- Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of the DPM to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS (Telephone Preference Service).
The following organisational measures are in place within the Company to protect the security of personal data. Please refer to the Company’s Data Protection Policy for further details:
- All employees and other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under the Company’s Data Protection Policy;
- Only employees and other parties working on behalf of the Company that need access to, and use of, personal data in order to perform their work shall have access to personal data held by the Company;
- All employees and other parties working on behalf of the Company handling personal data will be appropriately trained to do so;
- All employees and other parties working on behalf of the Company handling personal data will be appropriately supervised;
- All employees and other parties working on behalf of the Company handling personal data should exercise care and caution when discussing any work relating to personal data at all times;
- Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;
- The performance of those employees and other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;
- All employees and other parties working on behalf of the Company handling personal data will be bound by contract to comply with the GDPR and the Company’s Data Protection Policy;
- All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all relevant employees are held to the same conditions as the relevant employees of the Company arising out of the GDPR and the Company’s Data Protection Policy;
- Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under the GDPR and/or the Company’s Data Protection Policy, that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Upon the expiry of the data retention periods set out below, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:
- Personal data stored electronically (including any and all backups thereof) shall be deleted securely;
- Special category personal data stored electronically (including any and all backups thereof) shall be deleted securely;
- Personal data stored in hardcopy form shall be securely shredded and recycled;
- Special category personal data stored in hardcopy form shall be securely shredded and recycled.
As stated above, and as required by law, the Company shall not retain any personal data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.
Different types of personal data, used for different purposes, will necessarily be retained for different periods (and its retention periodically reviewed), as set out below.
When establishing and/or reviewing retention periods, the following shall be taken into account:
- The objectives and requirements of the Company;
- The type of personal data in question;
- The purpose(s) for which the data in question is collected, held, and processed;
- The Company’s legal basis for collecting, holding, and processing that data;
- The category or categories of data subject to whom the data relates.
If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.
Notwithstanding the following defined retention periods, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within the Company to do so (whether in response to a request by a data subject or otherwise).
In limited circumstances, it may also be necessary to retain personal data for longer periods where such retention is for archiving purposes that are in the public interest, for scientific or historical research purposes, or for statistical purposes. All such retention will be subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of data subjects, as required by the GDPR.
Roles and Responsibilities
The Company’s Data Protection Manager is Gareth Hughes.
The Data Protection Manager shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other Data Protection-related policies (including, but not limited to, its Data Protection Policy), and with the GDPR and other applicable data protection legislation.
The Data Protection Manager shall be directly responsible for ensuring compliance with the above data retention periods throughout the Company.
Any questions regarding this Policy, the retention of personal data, or any other aspect of GDPR compliance should be referred to the Data Protection Manager.