GDPR Compliance

John Turner FCA as a firm is committed to conducting its business in accordance with all applicable Data Protection laws and regulations. The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and applies to personal data or any information relating to an identifiable person.

The GDPR applies to both electronic personal data and to manual filing systems. It requires that personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of clients for no longer than is necessary for the purposes for which the personal data is processed;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

John Turner, the firm’s principal, is the Data Protection Lead and has overall responsibility for data protection.

As a firm we are both controllers and processors of data.

We are controllers for the work we carry out for our clients and for the data we hold on employees. For some of our client companies we process personal information, such as payroll, on their behalf; in that work we act as processors.

Our lawful basis for processing personal data is contract. Our clients engage in a contract with us to provide the services outlined in the letter of engagement. We keep only data and correspondence required to identify the client and keep only the data necessary to carry out the work contracted to us.

Our lawful basis for processing employee data is contract. We engage our employees under a contract of employment.

Our lawful basis for processing subcontractor data is contract. We engage sub-contractors under a contract of engagement.

The firm does not market or advertise services to clients in addition to the accountancy and taxation services we are engaged to supply. Neither do we give out customer details to third parties for marketing purposes.

Data Retention

To ensure fair processing, personal data will not be retained for longer than necessary. This takes into account the legal and contractual requirements. All personal data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a legal requirement to retain it.

Security Policy and Cyber Essentials

The firm has achieved Cyber Essentials Certification. Cyber Essentials Certification is the IASME standard, based on international best practice. It aims to help organisations implement basic levels of protection against cyber attack, demonstrating to their customers that they take cyber security seriously. It is risk-based and includes all aspects of IT including physical security, staff awareness, and data backup.

We have a security policy that ensures we have all necessary procedures in place to keep personal data (both electronic and hard copy) secure whilst in the office or working from home, and when sharing or emailing information to others.

Subject access requests

We have a rights procedure, which details our obligations regarding the personal data we hold on individuals.

The following are the rights of the individuals:

  • Right to be informed.
  • Right of access.
  • Right to rectification.
  • Right to erasure.
  • Right to restrict processing.
  • Right to data portability.
  • Right to object.

If an individual makes a request relating to any of the rights listed above, it should be made in writing and we will consider each such request in accordance with all applicable Data Protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature.

A response to each request will be provided within thirty days of the receipt of the written request from the client.

Process for reporting breaches

We have a breach policy and a risk register, detailing the procedures in case of a breach.

Data quality

We will adopt all necessary measures to ensure that the personal data we collect and process is complete and accurate in the first instance, and is updated to reflect the current situation of the client.

Privacy by design

To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through an approval process before being implemented. This will be in the form of a Data Protection Impact Assessment (DPIA).

Privacy notice

We have a privacy notice that sets out what information we hold and why, how we are keeping it secure, and what rights individuals have over their personal information. This has been sent to all clients, employees, sub-contractors and professional associates of the firm.
