One of the biggest changes to UK data privacy law came into effect on 25th May 2018.
The General Data Protection Regulation (GDPR) now gives you much more control
over how your data is used and how you're contacted. The changes also help to better protect your personal data.
REX Financial Services LLP GDPR Compliance Statement – Introduction
The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on 25th May 2018 and brought with it the most significant changes to data protection law in two decades.
Founded on the fundamentals of privacy by design and a risk-based approach, GDPR has been designed to meet the requirements of the digital age. The 21st century brings with it the broad use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new regulations aim to standardise data protection laws and processing across the EU, affording individuals stronger, more consistent rights to access and control their personal information. REX Financial Services LLP (‘we’ or ‘us’ or ‘our’) is committed to ensuring the security and protection of the personal information that we process, as well as providing a compliant and consistent approach to data protection.
We have always had a robust and effective data protection framework in place which complies with the existing laws and abides by GDPR as well as the UK’s Data Protection Bill. REX Financial Services LLP is dedicated to safeguarding the personal information under our responsibility by developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for GDPR.
Our GDPR compliance process has been summarised in this statement and includes the new GDPR data protection roles, policies, procedures, controls and measures to ensure maximum compliance at all times.
How we have prepared for GDPR
REX Financial Services LLP already has a consistent level of data protection and security across our organisation and is currently fully compliant with GDPR. Our process includes:
- Information Review – carrying out regular company-wide information reviews to identify and assess what personal information we hold, where it comes from, how and why it is processed, and if disclosed, to whom it is disclosed.
- Policies & Procedures – our revised data protection policies and procedures meet the requirements and standards of GDPR and any relevant data protection laws, including:
- Data Protection – our main policy and procedure document for data protection has been updated to meet the standards and requirements of GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities, with focus on the rights of individuals.
- Data Retention & Erasure – our retention policy and schedule ensures that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation, and we are aware of when this right applies, of our competing obligation to retain data relating to financial transactions for 5 years, and of the associated response timeframes and notification responsibilities.
- Data Breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest opportunity. Our procedures are robust and will be distributed to all employees, who are aware of the reporting lines and steps to follow. Our current policies comply with the requirement to report security breaches within 24 hours, to our supervisory authority, the ICO, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- International Data Transfers & Third-Party Disclosures – REX FINANCIAL SERVICES LLP stores or transfers personal information within the UK only, and we already have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. We carry out continual reviews covering adequacy decisions, as well as provisions for binding corporate rules, standard data protection clauses or approved codes of conduct. We carry out due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information.
- Subject Access Request – we have updated our Subject Access Request procedures to accommodate the revised 1-month timeframe for providing the requested information and for making this provision free of charge. Our procedures detail how to verify the data subject, what steps to take for processing an access request and what exemptions apply.
- Legal Basis for Processing – we have reviewed all processing activities to identify the legal basis for processing and to ensure that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR (Records of processing activities) are met.
- Privacy Notice – we have revised our Privacy Notice to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
- Obtaining Consent – we have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways for data subjects to consent to us processing their information. Our Terms and Conditions currently address the consent to use personal data, ensuring we comply with Article 7 of the GDPR (Conditions for consent). We have developed processes for recording consent, making sure that we can evidence an agreeing opt-in, and a way to withdraw consent at any time for marketing purposes only. Consent cannot be withdrawn for data relating to financial transactions once activity begins.
- Obtaining Parental Consent – the GDPR states that where the child is below the age of 16 years, such processing shall be lawful only if consent is given or authorised by the holder of parental responsibility over the child. The GDPR does allow that Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years. In the UK Data Protection Bill, the age at which parental consent is required will be set to under 13, which means any minor that is 13 or over will be permitted to provide consent themselves without parental consent. We do not conduct any business with anyone under 18 years of age.
- Direct Marketing – at present we do not conduct direct marketing. If in future we conduct direct marketing, we will include clear opt-in mechanisms for marketing subscriptions, together with a clear notice and method for opting out.
- Data Protection Impact Assessments (DPIA) – where we process personal information that is considered high risk, we have developed a procedure and assessment template for carrying out impact assessments that comply fully with Article 35 of the GDPR (Data Protection Impact Assessments). We will provide easy-to-access information on an individual’s right to access any personal information that REX FINANCIAL SERVICES LLP processes about them and to request information about:
- What personal data we hold about them
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long we intend to store their personal data for
- If we did not collect the data directly from them, information about the source
- The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
- The right to request erasure of personal data (only where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us.
- The right to lodge a complaint or seek judicial remedy and who to contact in such instances.
REX FINANCIAL SERVICES LLP takes the privacy and security of individuals and their personal information very seriously, and we take every reasonable measure and precaution to protect and secure the personal data that we process. We have dedicated information security policies, procedures and security measures in place to protect personal information from unauthorised access, alteration, disclosure or destruction. REX FINANCIAL SERVICES LLP understands that continuous employee and client awareness and understanding is vital to continued compliance with the GDPR. If you have any questions about our GDPR process, please contact us.
REX FINANCIAL SERVICES LLP