1 Introduction to this GDPR policy
This GDPR policy ensures England & Company:-
- Complies with data protection law and follows good practice
- Protects the rights of staff, clients and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from data protection risks such as breaches of confidentiality, failure to offer
choice and reputational damage
This policy applies to:-
- The England & Company office
- All staff of England & Company
- All contractors, suppliers and other people working on behalf of England & Company
The General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 from 25th May 2018. It applies to both data controllers and data processors, which have day-to-day responsibility for data protection.
A controlleris the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
A processoris a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller.
Thedata subjectis the individual who is the subject of the relevant personal data.
The GDPR applies to personal datameaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
Personal data that has been pseudonymisedcan fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
The GDPR refers to sensitive personal data as special categories of personal data. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
The GDPR does not apply to data that are rendered anonymous in such a way that individuals cannot be identified from the data.
This GDPR policy will be operational from 25th May 2018 and should be next reviewed in May 2021.
2 Principles of GDPR
Article 5 of the GDPR
Under the GDPR, the data protection principles set out the main responsibilities for organisations. The principles are similar to those in the Data Protection Act, with added detail at certain points and a new accountability requirement. Article 5 of the GDPR requires that personal data shall be:
(a) Processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The accountability principle
Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate,compliance with the principles.” The new accountability principle requires organisations to show howthey comply with the principles of GDPR. This can be done by:-
- Maintaining relevant documentation on processing activities
- Implementing appropriate technical and organisational measures that ensure and demonstrate compliance
- Implementing internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies
- Implement measures that meet the principles of data protection by design and data protectionby defaultData protection by designData protection by design is an approach that promotes privacy and data protection compliance from the start. Privacy and data protection should be a key consideration in the early stages of any project, and then throughout its lifecycle. For example when:-
- Building new IT systems for storing or accessing personal data
- Developing legislation, policy or strategies that have privacy implications
- Embarking on a data sharing initiative
- Using data for new purposes
3 Lawfulness of processing conditions
Under the GDPR, there is requirement to have a valid lawful basis in order to process personal data. There are six available lawful bases for processing set out in Article 6 of the GDPR:-
(a) Consent: the data subject has given clear unambiguous consent for their personal data to be processed for a specific purpose
(b) Contract: processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
(c) Legal obligation: processing is necessary for compliance with a legal obligation
(d) Vital interests: processing is necessary to protect the vital interests of a data subject or
(e) Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
(f) Legitimate interests: processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
4 Our lawful bases for processing
Our lawful basis for processing the personal data of clients is that processing is necessary to perform or enter into the contractwe have with them to undertake accounting, audit, payroll, bookkeeping and related services, as outlined in their engagement letter and the terms of business.
Our lawful basis for processing the personal data of employees is that processing is necessary to perform or enter into the employment contractwe have with them.
Our lawful basis for processing the personal data of employees in relation to PAYE, pension contributions and other personal data shared with HMRC is that processing is necessary for compliance with the law.
Our lawful basis for holding the personal data of potential employees / candidates is that we have a legitimate interestin deciding whether to recruit them. Should a candidate be unsuccessful, this legitimate interest will cease to exist and any personal data held on unsuccessful candidates must be deleted/destroyed within three months, as agreed by the directors.
We will only process personal data in relation to marketing activities if we have clear consentfrom the data subject. This covers contacting clients regarding:-
- Networking and similar events
- Newsletters and updates
- Additional products/services we can offer such as fee protection
- Cloud-based software and other applications that we believe could be of interest to you
We are under legal obligationto hold company and accounting records (on behalf of our clients) for 6 years from the end of the last company financial year they relate to, or longer if:
– They show a transaction that covers more than one of the company’s accounting periods
– The company has bought something that it expects to last more than 6 years, like equipment
– The Company Tax Return was sent late
– HMRC has started a compliance check into the Company Tax Return
We therefore have a legal obligation to hold personal data relating to these company records for approximately 7 years. We may keep these records for longer than 7 years if we have a legitimate interestto do so. Payroll records will be kept for 7 years, as agreed by the directors.
5 Data controllers and data processors
The GDPR applies to data controllers and data processors. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.
Obligations as the data controller
When processing personal information for accounting, auditing, taxation and related services, England & Company acts as the data controller and will therefore comply with the following obligations:-
- Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected
- Whenever the data controller uses a data processor, it needs to have a written contract in place
- The data controller must ensure written contracts between data controllers and processors comply with GDPR. Contracts must include the following details:-
- The subject matter and duration of the processing
- The nature and purpose of the processing
- The type of personal data and categories of data subject The obligations and rights of the controller
- The obligations of the processor
- As a matter of good practice, contracts should state that nothing within the contract relieves the data processor of its own direct responsibilities and liabilities under the GDPR
- As a matter of good practice, contracts should reflect any indemnity that has been agreed
- Data controllers must record and report any serious data breaches to the Information
Commissioner’s Office (ICO)
- Controllers have a legal obligation to give effect to the rights of data subjects
Obligations as the data processor
For services such as payroll and auto-enrolment where England & Company processes personal data on behalf of its client, the company acts as the data processor and the client acts as the data controller. England & Company will therefore comply with the following obligations placed on it as the data processor, under the GDPR:-
- The data processor must have adequate security measures in place for processing personal data
- The data processor must only act on the documented instruction of the data controller unless required by law to act without such instruction
- The data processor must ensure that the people processing the data are subject to a duty of confidence
- The data processor will only engage a sub-processor with the prior consent of the data controller and a written contract
- The data processor will assist the data controller in meeting their GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
- The data processor must maintain records of personal data and data processing activities
- The data processor must inform the data controller if it becomes aware of any breach of
- The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
6 Description of our processing activities
Each controller must keep records of its processing activities, including:
- the contact details of the controller/representative;
- the purposes of the processing;
- the categories of data subjects and personal data processed;
- the categories of recipients with whom the data may be shared;
- information regarding Cross-Border Data Transfers;
- the applicable data retention periods; and
- a description of the security measures implemented in respect of the processed data.
Upon request, these records must be disclosed to data protection authorities.
England & Company process personal information in order to:-
- Provide accounting, auditing, taxation, auto-enrolment and related services
- Maintain its own accounts
- Support and manage its employees
- Process its own payroll
The company processes personal information about customers and clients, advisers and other professional experts and employees.
This information may include:-
- Personal details
- Family, lifestyle and social circumstance
- Goods and services
- Financial details
- Education details
- Employment details
England & Company also processes sensitive classes of information that may include:-
- Physical or mental health details
- Racial or ethnic origin
- Religious or other beliefs
- Trade union membership
England & Company’s processing activities do not involve automated decision making or profiling.
Sharing personal information
The company may need to share the personal information it processes with the individual themselves and also with other organisations. Where this is necessary, the company is required to comply with all aspects of the GDPR. Where necessary or required, the company shares information with:-
- Business associates, professional advisers
- Family, associates and representatives of the person whose personal data is being processed
- Local and central government
- Financial organisations
- Ombudsmen and regulatory authorities
- Credit reference and debt collection agencies
- Healthcare professionals, social and welfare organisations
- Current, past or prospective employers
- Examining bodies
- Service providers
Transferring personal information overseas
It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the GDPR.
Retention of personal data
It has been agreed that personal data held on clients, including data within accounts, taxation and payroll records will be kept by the company for 7 years after:
- The date at which the client ceases to be our client; or
- The date at which the client’s last return to HMRC was submitted
After this the records will be deleted/destroyed.
The company may however, keep clients’ records for longer than 7 years, where it believes it has a legitimate interest/reason to do so.
Any personal data held on potential employees / candidates, which prove unsuccessful, will be deleted/destroyed within three months.
Retention periods for personal data held on employees varies according to the category of data. Retention of personal data held on employees is not outlined in this policy document but details can be obtained from the board.
7 The rights of data subjects
The GDPR provides the following rights for individuals:-
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
1. Right to be informed
We are obliged to provide ‘fair processing information’, typically through a privacy notice or policy document. The information that must be supplied includes:-
- Identity and contact details of the data controller
- Purpose of the processing and the lawful basis for the processing
- The legitimate interests of the controller
- Any recipient or categories of recipients of the personal data
- Retention periods
- The rights of the data subjects
- The existence of any automated decision making and profiling
If the data is obtained directly from the data subject, the information should be provided at the time the data is obtained. If the data is not obtained directly from the data subject, the information should be provided:-
- Within one month of obtaining the data
- When the first communication takes place
- Before the data is disclosed to another recipient, if disclosure to another recipient is envisaged
The information we supply individuals about the processing of personal data must be:-
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language
- Free of charge
2. Right of access
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
The company must provide a copy of the information free of charge. However, it can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Information must be provided without delay and at the latest within one month of receiving the request. The company will be able to extend the period of compliance by a further two months where requests are complex or numerous.
The company must verify the identity of the person making the request, using ‘reasonable means’. If the request is made electronically, the company should provide the information in a commonly used electronic format.
Where requests are manifestly unfounded or excessive, the company can:
- Charge a reasonable fee based on administrative costs; or
- Refuse to respond.
If the company refuses to respond to a request, it must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
3. Right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
If the company has disclosed the personal data to others, it must contact each recipient and inform them of the rectification, unless this proves impossible or involves disproportionate effort.
A request for rectification must be responded to within one month. This can be extended by two months where the request is complex.
4. Right to erasure / Right to be forgotten
The right to erasure enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Individuals have a right to have personal data erased and to prevent processing in specific circumstances:-
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully processed
- The personal data has to be erased in order to comply with a legal obligation
- The personal data is processed in relation to the offer of information society services to a child
There are some specific circumstances where the right to erasure does not apply and the company can refuse to deal with a request. This is where the personal data is processed:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- For public health purposes in the public interest;
- For archiving purposes in the public interest, scientific research historical research or statistical purposes; or
- For the exercise or defence of legal claims.
If the company has disclosed the personal data to others, it must contact each recipient and inform of the erasure of the personal data – unless this proves impossible or involves disproportionate
5. Right to restrict processing
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, the company is permitted to store the personal data, but not further process it. The company can retain just enough information about the individual to ensure that the restriction is respected in future.
The company will be required to restrict the processing of personal data in the following circumstances:-
- Where an individual contests the accuracy of the personal data, the company should restrict the processing until it has verified the accuracy of the personal data
- Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and the company is considering whether its legitimate grounds override those of the individual
- When processing is unlawful and the individual opposes erasure and requests restriction instead
- If the company no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim
If the company has disclosed the personal information to others, it must contact each recipient and inform them of the restriction on the processing of the personal data – unless this proves impossible or involves disproportionate effort. The company must inform individuals when it decides to lift a restriction on processing.
6. Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The company must provide the personal data in a structured, commonly used and machine-readable form. This should enable other data controllers to use the data.
The information must be provided free of charge. The company must respond without undue delay, and within one month.
7. Right to object
Individuals have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- Direct marketing (including profiling); and
- Processing for purposes of scientific/historical research and statistics
Individuals must have an objection on “grounds relating to his or her particular situation”. The company must stop processing the personal data unless:
- It can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- The processing is for the establishment, exercise or defence of legal claims.
The company must inform individuals of their right to object “at the point of first communication” and in their privacy notice. This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
The company must stop processing personal data for direct marketing purposes as soon as it receives an objection. There are no exemptions or grounds to refuse.
If the company’s processing activities are carried out online, it must offer a way for individuals to object online.
8. Rights in relation to automated decision making and profiling
The GDPR has provisions on automated decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).
Organisations can only carry out this type of decision-making where the decision is:
- Necessary for the entry into or performance of a contract; or
- Authorised by Union or Member state law applicable to the controller; or
- Based on the individual’s explicit consent.
England & Company confirms its processing activities do not involve automated decision making or profiling.
8 Our responsibilities
Everyone who works for or with England & Company has some degree of responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. The board of directors is ultimately responsible for ensuring that England & Company meets its legal obligations.
Key areas of responsibility
- The board must be kept updated about GDPR responsibilities, risks and issues
- The company must demonstrate compliance with the data protection principles and GDPR
- The company should implement appropriate technical and organisational measures to ensure and to demonstrate that processing activities are compliant with the GDPR
- All data protection procedures and related policies will be reviewed every three years, as agreed by the directors
- Training and advice on data protection should be arranged for the people covered by this policy
- The data protection representative, Daniel Whitcher, should handle data protection questions from staff and anyone else covered by this policy
- The organisation should deal with requests from individuals such as right of access or right to be forgotten
- The organisation should address any data protection queries from journalists or the media
- Any third party services the organisation is considering using to store or process data should be evaluated
- Contracts with third parties and processors that may handle the company’s sensitive data should be checked and reviewed
- All systems, services and equipment used for storing data must meet acceptable security standards
- Regular checks and scans should be performed to ensure security hardware and software is functioning properly
- Data protection statements attached to communications such as emails should be approved and updated when necessary
- Marketing initiatives should abide by GDPR principles
- Adequate data protection procedures should be in place for when an employee leaves
- Data breaches should be recorded, serious data breaches should be reported to the ICO and high risk breaches should be reported to the affected data subjects
- Following any breaches, the company should review the adequacy of its security measures
- The company should make sure individuals are aware that their data is being processed, how the data is being used and how to exercise their rights
- The company must have a lawful basis for all processing activities
- The company should make sure this policy document is made available to potential and existing clients and employees
- The company must ensure they continue to be registered as a data controller with the ICO
9 Practical Security Measures
- The building is alarmed outside of office hours
- Visitors can only enter with authorisation from reception
- Employees require office keys to enter the building
- The reception area is not left unattended if there are visitors in the building
- Cleaners are subject to a duty of confidence and must sign a confidentiality agreement
General Staff Guidelines
- Employees should keep all data secure by taking sensible precautions and following the guidelines below
- England & Company will provide training to all employees to help them understand their responsibilities
- Employees should request help from the data protection representative, Daniel Whitcher, if they are unsure about any aspect of data protection
- The only people able to access data covered by this policy should be those who need it for their work
- Personal data should not be disclosed to unauthorised people, either within the company or externally
- Employees should only process personal data electronically from the company’s remote desktop and keep their credentials secure
- Employees must maintain their duty of confidence as outlined in their confidentiality agreements
- Servers containing personal data should be sited in a secure location, away from general office space
- Data should be backed up frequently and these backups should be tested regularly
- All servers and computers containing data should be protected by approved security software
and a firewall
- When data is stored electronically, it must be protected from unauthorised access, accidental
deletion and malicious hacking attempts
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones
- Employees should not save copies of personal data to their own computers or the normal desktop
- Payroll details held electronically should be password protected and payroll details held manually should be retained in files within a secure environment
- Backups transferred to memory sticks should be password protected
- Employees should keep memory sticks in a secure place when not in use
- The company should keep account of the number of memory sticks in use; employees should limit how many memory sticks they use
- Personal data stored on memory sticks should be protected as much as possible
- Data stored on memory sticks should be cleared regularly
- Personal data stored or printed out on paper should be kept in a secure location where unauthorised people cannot see it
- Data printouts should be shredded and disposed of securely when no longer required
- When working from home or at clients’ premises, or if visitors are in the office, employees should ensure computer screens are locked when left unattended
- Personal data should never be transferred outside of the European Economic Area
- When using clients’ laptops in the office, employees should ensure access is restricted that laptops are kept locked away overnight
- When using clients’ remote desktops, written consent must be given and access must be restricted
- When taking files and records containing personal data out of the office, employees should take reasonable measures to ensure the data is protected and that no unauthorised persons access the data
- Employees should be encouraged to use lockable briefcases to take client’s personal files out of the building
- It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible
- Staff should take every opportunity to ensure data is updated; data should be updated as inaccuracies are discovered
- England & Company must make it easy for data subjects to update their information that is held by the company
Emailing personal data
- In order to increase security of personal data, the company has agreed that documents containing clients’ personal data should not be emailed as email is not considered a secure method of communication
- Documents containing personal data should be shared between the company and clients through IRIS OpenSpace, a cloud application that allows secure file exchange end electronic document approval
- Clients have their own login and create their own password, making the process more secure
- Examples of documents that should be shared through OpenSpace include payslips, P45s,
P60s, new starter details for payroll and tax returns
- If a client wishes to use email communication for sharing such data, they should have a discussion with us
- Attachments to emails containing personal data should be password protected or encrypted if this is possible
Procedures for when an employee leaves
- Office keys must be returned
- Office memory sticks must be returned
- Ensure no files and records are still at the employee’s residence
- Ensure no files are kept on the employee’s desktop at home
- Remove employee access/login to remote desktop
- Change passwords for HMRC portal logins
- Redirect emails to a director
- Check the employee cannot access work emails from their phone
- Remove the employee’s Xero login, and remove credentials for any other cloud-base software used for clients’ data
- Remove their OpenSpace login
10 Recording and reporting a data breach
What constitutes a personal data breach?
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
Recording a breach
All data breaches should be recorded internally, using the England & Company Data Protection Breach Report Form. This form should be completed by the member of staff who discovered the breach, a member of staff who has knowledge of the company’s data protection procedures in place, and the decision as to whether to report the breach must be signed off by the directors. Completing this form will assist the company when and if the breach is reported.
How do we decide whether to report a breach?
Each case must be considered on its own merits. Breaches that are considered by the company to be ‘serious’ should be reported to the Information Commissioner’s Office (ICO). The seriousness of a breach will depend on:-
- the potential detriment to data subjects
- the volume of personal data lost / released / corrupted
- the sensitivity of the data lost / released / corrupted
The potential detriment to individuals is the overriding consideration in deciding whether to report a breach of security. Detriment includes emotional distress as well as both physical and financial damage. Where there is significant actual or potential detriment as a result of a breach, whether due to the volume of data, its sensitivity or the combination of the two, there should be a presumption to report.
There is no need to report a breach if it is “”unlikely to result in a risk to the rights and freedoms of natural persons”.
How do we report a breach?
The company has 72 hours from the time it becomes aware of a reportable breach within which to report it.
Serious breaches should be reported to the ICO using the DPA security breach helpline on 0303 123 1113. To report the breach in writing, use the DPA security breach notification form (found on the ICO website www.ico.org.uk) and send it to firstname.lastname@example.org by post to Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.The ICO will then advise what to do next.
The company has agreed that serious breaches will be reported to the ICO by Daniel Whitcher. In his absence, serious breaches will be reported to the ICO by Cheryl Lawes.
Should we notify the data subject(s) affected?
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the breach must also be reported to the affected individual(s) without undue delay.
The company has agreed that individuals will be notified of a breach in writing by Daniel Whitcher.