Millen Capital needs to gather and use certain information about individuals.
Internally, we need to gather information on our employees. Externally, we need to gather information from our clients and contractors/suppliers working on behalf of Millen Capital.
This policy will detail how we collect personal data, how we handle it and how we store it to successfully meet the company’s data protection standards and to comply with the General Data Protection Regulations.
Why This Policy Exists
This data protection policy ensures that Millen Capital:
- Complies with the General Data Protection Regulation
- Follows good practice
- Protects the rights of our staff and customers
- Is transparent about how we store and process personal data
- Protects itself from the risks of data breaches
The General Data Protection Regulations
The General Data Protection Regulations 2018 give details of how organisations – including Millen Capital – must collect, store and handle personal data. These rules apply to data stored both on paper and by electronic means.
The General Data Protection Regulations have seven principles that every organisation must adhere to. Data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary
- Processed in a manner that ensures appropriate data security
- The Data Controller must be responsible for and be able to demonstrate compliance with all of the above principles.
This policy applies to:
- All staff of Millen Capital
- All contractors, suppliers and others working on behalf of Millen Capital
We will have access to certain pieces of information provided by you that will include:
- Names of individuals
- Postal addresses
- Email addresses
- Contact number(s) & other contact details
- Personal financial details including policy information
- Personal family details
This policy is put in place for protection from:
- Failing to offer a choice – all individuals should be free to choose whether or not the company holds data about them.
- Breaches of confidentiality – information being given out inappropriately or to the wrong recipient.
- Reputational damage – Millen Capital could suffer reputational damage if someone outside of the business gains access to the data we hold.
All members of staff employed by Millen Capital have a responsibility for ensuring data is collected, stored and handled in accordance with the General Data Protection Regulations.
There are certain individuals who have key areas of responsibility:
- Partners – they are ultimately responsible for ensuring that Millen Capital meets its legal obligations.
- The data protection officer is responsible for:
  - Keeping the Partners updated about data protection responsibilities, risks and issues.
  - Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  - Arranging data protection training.
  - Giving advice to those covered by this policy.
  - Handling data protection questions from staff and others covered by this policy.
  - Dealing with requests from individuals to see the data Millen Capital holds about them.
  - Checking and approving contracts or agreements with third parties that may handle the company’s sensitive data.
  - Ensuring all equipment used for storing data meets acceptable security standards.
  - Evaluating any third-party services the company is considering using to store or process data, e.g. cloud services.
- The IT company, Wood ITC, is responsible for:
  - Ensuring all systems and services meet acceptable security standards.
  - Performing regular checks and scans to ensure security software is functioning properly.
- The Marketing Manager is responsible for:
  - Approving any data protection statements attached to communications such as emails and letters.
  - Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
- Those who will have access to data will only do so for reasons of their job.
- Data should not be shared informally. If confidential information is required, employees can request it from the Partners.
- Millen Capital will provide training to all members of staff to aid their understanding of the General Data Protection Regulations and their responsibilities.
- Every employee should keep data secure. They should take sensible precautions and follow guidelines given.
- Strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the company or externally.
- All data should be regularly reviewed and updated if it is found to be out of date. If the data is no longer required, it should be disposed of.
- Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
Data should be safely stored.
Data stored on paper, or kept electronically and then printed out, should be kept in a secure place where unauthorised people cannot see it – although Millen Capital does have a paperless office policy.
- The paper should be kept in a locked drawer or filing cabinet.
- All employees must ensure paper and printouts are not left where unauthorised people can see them.
- Data printouts should be shredded and disposed of securely when no longer required.
If data is stored electronically:
- Data should be protected by strong passwords that are changed every 30 days and never shared. Where supported, two-factor authentication should be enforced for all users.
- If data is held on removable media, e.g. a memory stick, it should only be uploaded to an approved cloud computing service.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data should be protected by approved security software and a firewall.
Millen Capital will only hold data that it has legally obtained to use.
When working with personal data:
- Employees will lock screens of unattended computers.
- Employees should not share the data informally.
- Data must be encrypted before being transferred electronically.
- Data should never be transferred outside the European Economic Area unless the destination is on the EU Commission’s list of countries or territories providing adequate protection.
The General Data Protection Regulations require Millen Capital to take reasonable steps to ensure data is kept accurate and up to date.
It is the responsibility of employees to take all reasonable steps to ensure that data is kept as accurate as possible.
- Data will be held in as few places as necessary.
- Employees should take every opportunity to ensure data is updated.
- Millen Capital will make it easy for data subjects to update the information the company holds about them.
- Data should be updated as and when inaccuracies are discovered, e.g. if a phone number is no longer the client’s, it should be removed from all databases.
It is the Partners’ responsibility to ensure marketing databases are checked every six months.
Subject Access Requests (SARs)
Individuals whose data is held by Millen Capital are entitled to:
- Know what information the company holds on them and the reasons why
- Know how to gain access to the data
- Be informed on how to keep it up to date
- Be informed on how the company is meeting its data protection obligations.
Subject Access Requests should be made by email to the data protection officer, [firstname.lastname@example.org]. The data protection officer will need to verify the identity of the individual making the request.
Individuals will not be charged for this request unless it is deemed excessive. The data protection officer will supply the data to you within one month of the request being made.
In some circumstances, Millen Capital will disclose personal data without prior consent. Where Millen Capital is required by the FCA, the Financial Ombudsman Service or a court of law to provide information, we will do so with or without your consent.
Reporting a breach
Millen Capital takes personal data breaches very seriously. If we believe we have breached your personal data rights, we will contact the ICO within 72 hours. We will do everything we can to identify the breach and help minimise the consequences.
A letter will be sent with the relevant information attached, including steps we have taken and steps we recommend taking to minimise any consequences.
If a member of staff at Millen Capital fails to comply with this policy, the necessary disciplinary procedures will be followed as outlined in our employee contract with regard to a rule breach.
Address: Millen Capital, 10th Floor, Horton House, Exchange Flags, Liverpool, L23YL