The EU General Data Protection Regulation
The General Data Protection Regulation, which replaces the UK Data Protection Act, gives people more control over how their personal data is used.
The intention of the Regulation is ‘to ensure consistency of laws protecting the rights and freedoms of natural persons in all EU states and to make sure the laws are appropriate to a digital age. Risk to rights and freedoms may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation or any other significant economic or social disadvantage.’
The Regulation sets out your rights as an individual regarding how your personal data is collected, used and stored, including your rights to have data corrected or removed. It also imposes much heavier penalties on firms that do not have adequate security procedures in place to minimise the risk of breaches. We are a ‘data controller’ because we process personal information in a form that may allow an individual to be identified. You are a ‘data subject’ if we process your personal information.
Our basis for processing personal data
The Regulation requires a lawful basis for a data controller processing any personal data, with a number of options in addition to explicit consent.
- Our lawful basis for processing the personal data of those who are, at any time, our clients is the performance of a contract: the business operations we carry out under a service agreement. We could not provide you with the services we do without processing personal information.
- In the period up to agreeing a contract with a prospective client, our lawful basis is the taking of steps to enter into a contract.
- When a contract is terminated, our lawful basis for retaining your personal data is regulatory requirements and rights of legal defence. Since time bars do not apply, we are entitled to retain data indefinitely.
- We will only hold any data for clients’ children if and to the extent that it is necessary to the provision of the services to the parent(s) such as for information purposes or because we have been asked by the parents as bare trustee to make investments designated for the children.
- In all these cases we do not need explicit consent as a basis for processing personal data.
- You have a right to obtain from us information on whether any personal data is being processed, where this is taking place and what the purpose of this processing is.
- You have a right to obtain a copy of this data, free of charge.
- You have a right of erasure – to be forgotten. For clients and former clients of Fowler Drew, this right is likely to be overridden indefinitely by our right of legal and regulatory defence.
- You have a right to require us to keep the data accurate and up to date. This will not apply if we are retaining data after termination of a contract by right of legal defence, even if erasure has been requested.
- You have a right to require us to transfer your data to another firm.
Who is processing your personal information
- We hold clients’ personal information in our own cloud-based database and electronic files and, on a temporary basis only, in physical files.
- Access to our database and electronic files is given to our IT consultants, who also host the servers on which this data is held.
- Data may also be held by third parties providing custody, transaction or reporting services in conjunction with our service. Those firms will have their own lawful basis for processing your information, having a contract with you.
- Access to your data may also be given to third parties to whom we subcontract the development or maintenance of databases and business management processes; limited data identifying you may be provided to third parties for the purposes of conducting client feedback surveys on our behalf.
- We do not share clients’ personal information with any third parties for marketing purposes.
- Processing of data other than for the purposes above will not be carried out without prior notification.
How we manage data security risks
- We have systems and controls in place to ensure information is only accessible to persons or systems with appropriate and verifiable authority, using entry restrictions, firewalls and encryption.
- Authority to access data is only given where it is necessary for those persons to create, update or otherwise use the data as part of the firm’s processes.
- We do not record or store personal information, particularly highly sensitive information, unless we consider it necessary to the performance of contractual financial planning and investment management services, even if that information has been disclosed to us by a data subject.
- Wherever possible, we make it difficult to identify individuals from the data.
- We continually evaluate the firm’s data protection systems and processes.