In an increasingly data-driven world, it is no surprise that the European Union is introducing the General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018. The main aims of the regulation are to enhance the protection of personal data and to improve the ways in which organisations approach data privacy. Our policy at Bespoke is to handle client data with integrity and respect, which has been a fundamental principle of ours since we began in 2011. We are always looking for ways to improve our security, and the GDPR has helped us to highlight high-risk areas and has encouraged our system operators to make our software even more secure.
Impact on Bespoke and Our Clients
We have identified the personal data we hold as our clients' financial information, together with their contact and identification details. This data is held securely; however, we believe that a risk arises when contacting our clients via e-mail. Bespoke has already implemented password protection when sending tax returns to clients, and this procedure will now be applied across the entire business. When contacting clients via e-mail, any information concerning a client's personal data will be attached as a password-protected document. The password will be the first five digits of your Unique Tax Reference (UTR) number; if you do not have a UTR, you will be contacted in the near future to agree a password.
Bespoke often receives requests from third parties, such as IFAs or mortgage advisors, for access to our clients' data, and we have identified this as a potential risk. We have always required our clients' consent before forwarding data to third parties, but a phone call was previously acceptable. To reduce the risk of a data breach, we will now require written consent from our clients before forwarding any personal data to a third party. This reduces the chance of someone who does not have the client's consent coming into contact with that client's data. You can update your third-party preferences via our consent form by clicking this link.
The statutory requirement for holding clients' financial records is 7 years. This will now be the maximum period for which Bespoke holds our clients' records, unless the data is a permanent legal document, such as a Will or Deed. If you would like access to your data, please email firstname.lastname@example.org and we shall process this request immediately.
Personal Data Rights
There are a number of new client rights under GDPR that we would like you to be aware of:
• Right to Information
– The client holds the right to – understand how we process their data.
– Bespoke shall – be transparent in response to all client requests for information regarding personal data and will provide that information without undue delay.
• Right of Access
– The client holds the right to – request a copy of their personal data free of charge, in a commonly used format, and to receive it within one month.
– Bespoke shall – not charge for data requests and shall send the data in PDF or Microsoft Office format.
• Right to Rectification
– The client holds the right to – have their personal data rectified if it is inaccurate or incomplete. This must be done within one month of the request; where the rectification is complex, that period may be extended by up to a further two months.
– Bespoke shall – delegate rectification requests efficiently and make sure that rectifications are made without undue delay and within the required time.
• Right to be Forgotten
– The client holds the right to – request the deletion of their personal data (subject to our legal obligations to retain certain records).
– Bespoke shall – see erasure policy.
• Right to Restriction of Processing
– The client holds the right to – restrict the processing of their personal data.
– Bespoke shall – deal with these requests immediately, by notifying all staff members that the client has restricted the processing of their data. We will then discuss with the client whether they wish to remain with Bespoke.
• Right to Notification
– The client holds the right to – be notified without undue delay of a data breach that is likely to result in a high risk to them. Separately, where a breach is likely to result in a risk to individuals, it must be reported to the ICO within 72 hours of us becoming aware of it.
– Bespoke shall – notify the affected client of the breach as soon as possible and discuss the breach with Mark Trevethan, the Data Protection Officer, who will decide whether the breach needs to be reported to the ICO.
• Right to Portability
– The client holds the right to – receive their personal data in a machine-readable format so that they can reuse it for their own purposes.
– Bespoke shall – send the client's data in a machine-readable format, in either PDF or Microsoft Office format.
• Right to Object
– The client holds the right to – object to their data being processed.
– Bespoke shall – deal with these requests immediately, by notifying all staff members that the client has objected to the processing of their data.
• Rights in relation to Automated Decision Making
– The client holds the right to – have human involvement in any decision that would otherwise be made solely by automated means.
– Bespoke shall – not rely upon computerised decision-making processes.