This policy document has been prepared and approved by the Partners/Members of McCartneys LLP on 22nd May 2018.
McCartneys LLP needs to gather and use certain information about individuals. These can include clients, customers, suppliers, business contacts, employees and other people the firm has a relationship with, or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the firm’s data protection standards, and to comply with the law.
Why this policy exists
This GDPR policy ensures McCartneys LLP:
- Complies with the GDPR legislation and follows good practice
- Protects the rights of clients, customers, suppliers, employees and partners
- Is open about how we store and process individuals’ data
- Protects itself from the risks of a data breach
General Data Protection Regulation
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union.
These rules apply to all data regardless of whether it is stored electronically, on paper, or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person or organisation unlawfully and without consent.
GDPR is underpinned by eight important principles, which state that:
- Personal information must be fairly and lawfully processed
- Personal information must be processed for limited purposes
- Personal information must be adequate, relevant and not excessive
- Personal information must be accurate and up to date
- Personal information must not be kept for longer than is necessary
- Personal information must be processed in line with the data subjects’ rights
- Personal information must be secure
- Personal information must not be transferred to other countries without adequate protection
This policy applies to:
- The head office of McCartneys LLP
- All branches and departments of McCartneys LLP
- All partners, consultants, employees and workers of McCartneys LLP
- All contractors, suppliers and any other people or organisations working on behalf of
It applies to all data that the firm holds relating to identifiable individuals. This includes:
- Names of individuals
- Postal addresses
- E-mail addresses
- Telephone numbers
- Any other information relating to individuals
Data protection risks
This policy is written to help to protect McCartneys LLP from data security risks including:
- Breaches of confidentiality: information being given out inappropriately.
- Failing to offer choice: all individuals should be free to choose how the firm uses information relating to them.
- Damage to reputation: the damage to the firm’s reputation could be immeasurable if we were to be reported for breaching the GDPR.
Responsibilities
Everyone who works for or with McCartneys LLP has some responsibility for ensuring data is collected, stored and handled appropriately and that data is not disclosed unlawfully and without consent. Every person that handles personal data must ensure that it is handled and processed in line with this policy and the GDPR principles.
However, these people have key areas of responsibility:
- The partners are ultimately responsible for ensuring that McCartneys LLP meets its legal obligations.
- The Data Protection Officer is responsible for:
  - Keeping the partnership updated about data protection responsibilities, risks and issues.
  - Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  - Arranging data protection training and advice for the people covered by this policy.
  - Handling data protection questions from employees and anyone else covered by this policy.
  - Dealing with requests from individuals to see the data McCartneys LLP holds about them (subject access requests).
  - Checking and approving any contracts or agreements with third parties that may handle the firm’s sensitive data.
- The IT Manager, Mark Fish, is responsible for:
  - Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  - Performing regular checks and scans to ensure security hardware and software is functioning correctly.
  - Evaluating any third-party services the firm is considering using to store or process data, such as cloud computing services.
  - Approving any data protection statements attached to communications such as e-mails and letters.
General employee guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Every partner, consultant, employee and worker must implement and adhere to the firm’s Clear Desk Policy (please refer to the separate policy document).
- Data should not be shared informally. If and when access is required, employees can request it from their line manager/partner.
- Personal details relating to clients, customers, suppliers, colleagues and any other person connected to McCartneys LLP should never be disclosed to any third party either within the firm or externally, without specific consent being obtained.
- Partners, consultants and all employees and workers of McCartneys LLP should keep all data secure by taking sensible precautions and adhering to these guidelines.
- All desktop computers, laptops, iPhones, memory sticks and any other electronic device which stores data should be protected by strong passwords and/or encrypted.
- Partners, consultants and employees should be particularly diligent in areas to which the public have access, and must not leave computers/laptops, paper files or any other medium holding personal data where such information can be seen or heard by a third party.
- Data should be regularly reviewed and updated if it is found to be out of date. If it is no longer required it should be deleted and disposed of.
Data storage
These rules describe how and where data should be safely stored. Questions about storing electronic data safely can be directed to the IT Manager, Mark Fish.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically and has also been printed.
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Any documents, paper and computer printouts should not be left where any unauthorised person could see them.
- Any documents or printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts.
- Data should be protected by strong passwords that are changed regularly and never shared between colleagues or any other person.
- If data is stored on removable media, these should be kept locked away securely when not being used and encrypted if possible.
- Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing service.
- Servers containing personal data should be sited in a secure location away from general office space.
- Data should be backed up frequently. Those backups should be tested frequently to ensure they are working.
- All servers and computers containing data should be protected by approved anti-virus software.
Data use
Personal data is of no value to McCartneys LLP unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft.
- When working with personal data, partners, consultants, employees and workers should ensure the screens of computers are always locked when left unattended. The quickest and simplest method of achieving this is to press the Windows key and the L key simultaneously.
- Personal data should never be shared informally. In particular, it should never be sent by e-mail, as this form of communication is not secure.
- The use of a fax machine for sending data should be avoided if possible. If data is sent by fax, you must ensure that there is an authorised person available to receive it.
- Data must be encrypted before being transferred electronically. The IT Manager can explain how to send data to authorised external contacts.
- Employees should not save copies of sensitive personal data held by the firm to their own computers, mobile phones or any other device.
Data accuracy
The law requires McCartneys LLP to take reasonable steps to ensure data is kept accurate and up to date.
It is the responsibility of everyone who accesses and uses personal data held by the firm to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data should be stored and held in as few places as necessary. Unnecessary data sets or copies of data should not be created.
- Every effort should be made to ensure data is updated, for instance by confirming a client’s, customer’s or supplier’s details when they call.
- Data should be updated when inaccuracies are discovered. For instance, if a client, customer or supplier can no longer be reached on a telephone number that is stored, that number should be removed from the database.
Subject access requests
All individuals who are the subject of data held by McCartneys LLP are entitled to:
- Ask what information the firm holds about them and why.
- Ask how they can gain access to that information.
- Be informed how to keep it up to date.
- Be informed how the firm is meeting its data protection obligations.
If an individual contacts the firm requesting this information, this is called a Subject Access Request.
Subject access requests by individuals should be made in writing, addressed to the Data Protection Officer, McCartneys LLP, The Livestock Market, The Ox Pasture, Overton Road, Ludlow, Shropshire, SY8 4AA. Individuals will be charged £10 per subject access request and the DPO will aim to provide the relevant data within 14 days.
The DPO will always verify the identity of anyone making a subject access request before releasing the information to them.
Disclosing data for other reasons
In certain circumstances the GDPR allows for personal data to be disclosed to law enforcement agencies and HM Government agencies without the consent of the data subject. Under these circumstances, McCartneys LLP will disclose the data requested. However, the data controller will ensure the request is legitimate, seeking assistance from the partners and from the firm’s legal advisors where necessary.