General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 and affects every organisation that holds or processes personal data. It introduces new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially higher penalties than under the Data Protection Acts (DPA) it supersedes.
Brewin Dolphin places a high priority on protecting and managing data, especially that of its clients and employees. The firm will comply with the applicable requirements of GDPR.
Brewin Dolphin is focusing on the following GDPR requirements. These are being implemented with oversight from both within the firm and the Brewin Dolphin Group Data Protection Team:
- Ensuring privacy by design is implemented in all new projects, services and tools.
- Fine-tuning processes to ensure they meet GDPR requirements, for example DSARs (data subject access requests), our data breach process and Privacy Impact Assessments.
- Updating our terms and conditions to reflect GDPR requirements.
- Updating our Privacy Standard Policy and Privacy Notices.
- Ensuring the required consent and preferences have been requested where necessary.
- Providing guidance on data retention periods.
- Providing training for all staff so that they understand the requirements of GDPR and how to manage the data they are responsible for effectively.
We are also working on an Information Security framework which combines controls from the NIST (National Institute of Standards and Technology) Cybersecurity Framework, the ISF (Information Security Forum) and the ISO 27000 series to ensure that data:
- is protected as it comes into the firm.
- is held securely whilst in the firm.
- is accessible only to authorised users whilst stored in our systems.
- is secured when it is sent to a third party where required.
- is securely destroyed once it is no longer required.
We have policies in place that are being updated and reviewed to ensure the requirements of GDPR are addressed. The following key policies are in place: Information Security, Data Management, Records Management Policy (including data retention requirements) and Data Classification Standard. These provide the governance to ensure that personal data is handled correctly.
Brewin Dolphin will not appoint a Data Protection Officer; instead, the Brewin Dolphin Data Protection Champion will be responsible for day-to-day compliance with GDPR and its requirements, with the support of the compliance team.
Should you have any further questions regarding this GDPR statement, please contact us at the following email address: firstname.lastname@example.org