GENERAL DATA PROTECTION REGULATION (GDPR)
General Data Protection Regulation Policy Statement
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018. GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’, and that individuals’ data is not processed without their knowledge and is only processed with their ‘explicit’ consent.
Kenneth Curtis & Co is committed to protecting the rights and freedoms of individuals with respect to the processing of personal data. GDPR gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. Kenneth Curtis & Co is registered with the ICO (Information Commissioner’s Office) under registration number Z1590368.
We confirm that we will comply with the General Data Protection Regulation from 25 May 2018. In order to provide legal services to you and for related purposes shown below we may obtain, process, use and disclose personal data about you:-
· updating and enhancing client records and client files in paper and on computer systems
· analysis to help us manage our practice
· statutory returns
· legal and regulatory compliance and crime prevention
Our use of that information is subject to your instructions, the GDPR and our duty of confidentiality. Please note that our work for you may require us to give information to third parties, such as other solicitor firms or other professional advisers. You have a right of access under data protection legislation to the personal data that we hold about you.
When processing personal data for accounting and auditing in accordance with the Solicitors Regulation Authority, taxation and related services, we act as the data controller. We confirm that we will comply with the obligations GDPR places on Kenneth Curtis & Co as a data controller. For services such as tax returns, you are the data controller and we act as the data processor; we confirm that we will comply with the obligations the GDPR places on us as a data processor.
We record clients’ names, addresses, telephone numbers, email addresses, dates of birth and National Insurance numbers. In family matters we need to know children’s full names, addresses, and dates of birth. Information is stored on our computer systems, on our servers and on our client files.
We record details of our suppliers and referrers (names, addresses, telephone numbers, email addresses and fax numbers), which are held on our computer systems and in our accounts department where invoices are processed.
As an employer, Kenneth Curtis & Co is required to hold data on its employees: names, addresses, email addresses, telephone numbers, dates of birth, National Insurance numbers, photographic ID, for example passport, driver’s licence, bank details, utility bills.
At any point an individual can make a request relating to their data and Kenneth Curtis & Co will provide a response within 14 days. Kenneth Curtis & Co can refuse a request, i.e. if we have a lawful obligation to retain data, but we will inform the individual of the reasons for the rejection.
Individuals have the right to request the deletion of data where there is no legal reason for its continued use. If an individual requests that their personal data be removed from the firm’s files, accounting system or computer system, the request cannot be fulfilled where files have to be kept for a specific length of time by law. The individual will have the right to complain to the ICO if they are not happy with the decision.
Clients and staff can object to their data being used for certain activities like marketing or research.
Kenneth Curtis & Co does not use personal data for marketing-based organisations, nor does it use data for any direct marketing purposes.
Access to all office computers is password protected. When a member of staff leaves the firm, their password will immediately be changed in accordance with the Kenneth Curtis & Co leavers process.
GDPR means that Kenneth Curtis & Co must:-
· manage and process personal data properly
· protect the individual’s rights to privacy
· provide an individual with access to all personal information held on them
The legislation places a responsibility on every data controller to process any personal data in accordance with the eight principles. Detailed guidance on how to comply with these principles can be found on the ICO’s website (www.ico.org.uk). In order to comply with its obligations, Kenneth Curtis & Co undertakes to adhere to the eight principles.
This policy will be updated as necessary to reflect best practice or future amendments made to the General Data Protection Regulation (GDPR) May 2018 and Data Protection Act 1998.