Crib Sheet for Data Protection Policy

Shahbakht Hamayun

Data Protection Policy
Maintaining data protection is critical to our firm's professional responsibilities and to compliance with the Data Protection Act 2018 and UK GDPR. The personal data that the Firm processes in order to provide its services relates to its clients and, where necessary, to other individuals.
This policy (together with our terms and conditions of business and GDPR Privacy Notice) sets out the Firm's commitment to ensuring that any personal data, including special category personal data, which the Firm processes is handled in compliance with Data Protection Law. The Firm processes the personal data of clients from all over the world and is committed to ensuring that all such processing is carried out in accordance with Data Protection Law. The Firm ensures that good data protection practice is embedded in the culture of our personnel and our organisation.
Types of Data we hold  
Personal data is kept in client files or within the Firm’s IT systems. The type of data held by  the Firm includes, but is not limited to, the following:  
• Name, address, phone numbers  
• National Insurance numbers  
• Employer details, job title and job descriptions  
• Copy passports and/or driving licences  
• Copy utility bills  
• Copy credit card bills/statements  
• Bank account details and copy bank statements  
Relevant individuals should refer to the Firm’s Privacy Notice and its terms of business  letters for more information on the reasons for its processing activities, the lawful bases it  relies on for the processing of data and data retention periods.
The Firm has the following checks and balances in place to ensure compliance with Data Protection Law and UK GDPR:
Physical Records
Store all physical files in locked cabinets or secure storage areas when not in use.
Ensure documents are not left unattended on desks or in public areas.
Digital Records
Use strong, unique passwords for accessing client files and firm systems.
Log off or lock your computer when leaving your desk.
Emails
Only use secure, firm-approved email accounts for client communication.
Encrypt emails containing sensitive or personal data.
Phone Calls
Verify the identity of the caller before sharing sensitive information.
Conversations
Avoid discussing client matters in public areas or where you may be overheard.
Access Control
Restrict access to client files and systems to authorised personnel only. 
Regularly review access permissions to ensure compliance with need-to-know principles. 
Data Sharing
Confirm there is a lawful basis before sharing client data with third parties and, where consent is the basis relied on, obtain the client's explicit consent first.
Ensure any third party receiving data complies with the same strict confidentiality standards.
Use confidentiality agreements where appropriate.
Secure Storage and Disposal
Shred confidential documents when they are no longer needed.
Ensure data backups are encrypted and stored securely.
Use firm-approved methods to delete electronic files permanently.
Regular Training and Awareness
Attend all mandatory data protection training sessions.
Stay informed about updates to data protection laws and firm policies.
Breach Prevention and Response
Be vigilant about phishing emails, unsecured devices, and unauthorised data access.
Notify the Data Protection Officer (DPO) of any suspected or actual data breaches without delay.
Sharing personal data
We will only share personal data with third parties where certain safeguards and contractual arrangements have been put in place. In addition, we only share the personal data we hold with third parties if:
a) we have a lawful basis for doing so;
b) sharing the personal data complies with the privacy notices provided to the data subject and, if applicable, consent has been obtained; and
c) the third party has agreed to comply with the Firm's required data security policies and procedures and has put adequate security measures in place.
We may share the personal data we hold with other agents if the recipient has a business-related need to know the information.
Responsibility for the processing of personal data  
The partners of the Firm take ultimate responsibility for data protection.  
If you have any concerns or wish to exercise any of your rights under UK GDPR, you can contact the data protection partner using the following information:
Contact: Data Protection Partner  
Address:  
Email:  
Telephone: 

Posted Jan 6, 2025

I created a thorough crib sheet on the data protection policy for the firm, ensuring it covered all key points with clarity and precision.