Data Protection Policy
Finn Gledhill is required to comply with the law governing the management and storage of personal data, which is outlined in the General Data Protection Regulation 2018 (GDPR) and the Data Protection Act 1998.
For this reason, protection of personal data and respect for individual privacy is fundamental to the day-to-day operations of Finn Gledhill.
Compliance with the GDPR is overseen by the UK data protection regulator which is the Information Commissioner’s Office (ICO). Finn Gledhill is accountable to the ICO for its data protection compliance.
This policy aims to protect and promote the data protection rights of individuals and of Finn Gledhill, by informing everyone working for and with Finn Gledhill, of their data protection obligations and of Finn Gledhill’s procedures that must be followed in order to ensure compliance with the GDPR.
This policy applies to all partners and staff and any third party to whom this policy has been communicated.
This policy covers all personal data and special categories of personal data, processed on computers or stored in manual (paper based) files.
Marc Gledhill, who is Finn Gledhill’s Information Security Manager, is responsible for monitoring Finn Gledhill’s compliance with this policy.
Everyone in Finn Gledhill (and any third party to whom this policy applies to) is responsible for ensuring that they comply with this policy. Failure to do so may result in disciplinary action.
INFORMATION SECURITY MANAGER (ISM)
Finn Gledhill has appointed Marc Gledhill as its Information Protection Manager (ISM). This is not a statutory role. Mark Gledhill’s responsibilities within this role include:
The GDPR is designed to protect individuals and personal data which is held and processed about them by Finn Gledhill or other individuals.
The GDPR uses some key terms to refer to individuals, those processing personal data about individuals and types of data covered by the Regulation. These key terms are:
Means any information relating to an identified and identifiable natural person (‘data subject’)
This includes for example information from which a person can be identified, directly or indirectly, by reference to an identifier i.e. name; ID number; location data; online identifiers etc.
It also includes information that identified the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
For Finn Gledhill’ purposes, partners, clients and Finn Gledhill’s staff are data subjects (other individual third parties concerning whom we hold personal data about are also likely to be data subjects).
Means the natural or legal person, public authority, agency or other body who alone or jointly with others, determines the purposes and means of processing the personal data. In effect, this means the controller is the individual, organisation or other body that decides how personal data will be collected and used.
For Finn Gledhill’s purposes, this Finn Gledhill is a data controller for certain categories of data.
Means any operation which is performed on personal data such as: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
For Finn Gledhill’s purposes, everything that we do with client information (and personal information of third parties) is ‘processing’ as defined by the GDPR. This processing will often be in the capacity as a Data Processor on behalf of a solicitor/member of staff as a Data Controller.
Special categories of personal data
Means personal data revealing:
Data Protection Principles
The GDPR is based around a number of principles which are the starting point to ensure compliance with the Regulation. Everybody working for and with Finn Gledhill must adhere to these principles in performing their day-to-day duties. The principles require Finn Gledhill to ensure that all personal data and sensitive personal data are:
You must process all personal data in a manner that is compliant with the GDPR, in short, this means you must:
The conditions for processing special categories of personal data that are most relevant to our Finn Gledhill are:
Rights of the data subject
The GDPR gives rights to individuals in respect of the personal data that any organisations hold about them. Everybody working for Finn Gledhill must be familiar with these rights and adhere to Finn Gledhill’ procedures to uphold these rights.
These rights include:
If anybody receives a request from a data subject (a client or other third party concerning whom we hold personal data) to exercise any of these rights, the request must be referred to Marc Gledhill, the Information Security Manager immediately or to any other Partner of Finn Gledhill, in his absence.
Note: we only have one month to respond to a request to access a copy of personal data.
Confidentiality and data sharing
Finn Gledhill must ensure that they only share personal information with other individuals or organisations only where they are permitted to do so in accordance with data protection law.
Wherever, possible you should ensure that you have the client’s (or other data subject’s) consent before sharing their personal data, although, it is accepted that this will not be possible in all circumstances, for example if the disclosure is required by law.
Any further questions around data sharing should be directed to Mark Gledhill, the Information Security Officer.
Data Protection Impact Assessments (DPIAs)
DPIAs are required to identify data protection risks; assess the impact of these risks; and determine appropriate action to prevent or mitigate the impact of these risks, when introducing, or making significant changes to, systems or projects involving the processing of personal data.
In simpler terms, this means thinking about whether Finn Gledhill is likely to breach the GDPR and what the consequences might be, if Finn Gledhill uses personal data in a particular way. It is also about deciding whether there is anything that Finn Gledhill can do to stop or, at least or minimise the chances of any of the potential problems identified, from happening.
DPIAs will be undertaken by Mark Gledhill (ISM) or designated members of staff.
A data protection breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Everybody working in, for and with Finn Gledhill has a duty to report any actual or suspected data protection breach without delay to Steven McCormick, the Information Security Manager,or any of the Partners of Finn Gledhill. Full details of the Finn Gledhill’ breach reporting policy can be requested from Marc Gledhill.
Breaches will be reported to the Information Commissioner’s Office (ICO) by Marc Gledhill (ISM) without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless, Finn Gledhill is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.
Marc Gledhill (ISM) will maintain a central register of the details of any data protection breaches.
Complaints relating to breaches of the GDPR and/ or complaints that an individual’s personal data is not being processed in line with the data protection principles should be referred to Marc Gledhill, the ISM without delay.
It is important that everybody working for Finn Gledhill understands the implications for Finn Gledhill if we fail to meet our data protection obligations. Failure to comply could result in: