Marshall Wilson Law Group Limited
Data Protection Policy
1. Introduction
This policy is designed to ensure that we meet the requirements of data protection law and the standards our clients expect of us. It applies to all employees, contractors and partners who are in any way involved in the collection, storage or processing of personal data.
Failure to comply with this policy could lead to our being investigated and punished by regulatory authorities. Of potentially greater impact would be the negative publicity generated and the resulting damage to our reputation and business. Accordingly, any breach of this policy may result in disciplinary action in accordance with our disciplinary policy.
2. What is “personal data” & when does this policy apply?
This policy applies to any ‘personal data’ collected, stored or processed by us or by a third party on our behalf, whether that personal data relates to our clients, business partners, employees, suppliers, or any other identifiable individual.
What is ‘personal data’?
Data is ‘personal data’ if it relates in any way to a living person who can be identified (by us or by any third party), either directly from the data, or indirectly in combination with any other information that could reasonably be obtained by us or any other third party.
This means that data is personal data if we or anyone else could single out an individual from a group on the basis of the information, even if we could not necessarily find out that person's name or email address. Individuals to whom personal data relate are known as ‘data subjects’. When we determine the purposes and means of collecting and processing personal data, we are acting as a ‘data controller’. Where we are processing personal data on the instructions of another organisation or entity, we are acting as a ‘data processor’.
Is this definition wider in scope than it used to be?
Yes - the scope of personal data is much wider than it was in the past: an individual is now considered to be identifiable not only by way of traditional ‘offline’ identifiers such as name, address, location or passport number, but also by way of online and ‘anonymous’ identifiers such as ID numbers, that might never enable the individual to be identified in the ‘offline’ world. Provided an individual can be identified or singled out, any information that relates to that individual will also qualify as personal data.
Can you give me an example?
The following is a non-exhaustive list of information which is potentially personal data:
Contact details - name, address, email address, telephone number
Online identifiers – IP addresses and user IDs
Identity document numbers - passport, National Insurance or driving licence number
Payment details - card numbers
Demographic data - race, gender, age
Profiling data – records of behavioural patterns
Content or correspondence - photos, feedback, complaints, letters
Employment data - job title, salary, performance information, payslips
Sensitive personal data - special categories of information like health, race, religion and sexuality (see below for more information).
What about anonymized data?
Data which is fully anonymised, such that it is no longer possible to re-identify an individual from that data, is not personal data and will not fall within the scope of this policy. Given the broad scope of the definition, however, careful analysis is required to determine whether a data set is truly anonymised. For example, where data is held against an ID and that unique ID is replaced with a randomly generated number, the data may be regarded as anonymised if it is no longer possible to identify the individual. However, if it would be possible to re-link that data to the original ID (for instance because we or a third party still hold the mapping between the two), then the data is only pseudonymised and will still be considered personal data. You can generally assume that aggregate reports and statistics will not be considered personal data and will fall outside the scope of this policy, provided the groups reported on are large enough that no individual can be singled out from the figures.
3. Lawfully processing personal data
You can ensure you are dealing with personal data fairly and lawfully by following the data protection principles set out in the GDPR, which require personal data to be:
(a) Processed lawfully, fairly and in a transparent manner
(b) Collected only for specified, explicit and legitimate purposes
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
(d) Accurate and where necessary kept up to date
(e) Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed
(f) Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage
(g) Not transferred to another country without appropriate safeguards being in place
(h) Made available to data subjects, who are allowed to exercise certain rights in relation to their personal data
More detail on applying these principles is provided below:
4. Ensuring you have a lawful basis
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
You may only collect, process and share personal data for specified purposes, and only where a lawful basis applies. The GDPR permits processing only where one of a number of lawful bases is met, including where:
(a) the data subject has given his or her consent;
(b) the processing is necessary for the performance of a contract with the data subject;
(c) to meet our legal compliance obligations (such as AML checks or due diligence);
(d) to protect the data subject's vital interests;
(e) to pursue our legitimate interests for purposes where they are not overridden by the harm to the interests or fundamental rights and freedoms of data subjects.
Always ensure you have identified a specific lawful basis, and a specific purpose, before collecting or processing personal data.
5. Storing & protecting personal data
Personal data must be secured by appropriate ‘technical and organisational measures’ against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
In practice, the main cause of data breaches is human error. To maintain the effectiveness of the measures we have put in place, you must follow all procedures, and use the technologies, relating to personal data from the point of collection to the point of destruction. Most importantly, you must only transfer personal data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.
6. What to do if there’s a breach
The GDPR requires us to notify any personal data breach to the applicable regulator without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals) and, where the breach is likely to result in a high risk to individuals, to notify the affected data subjects as well. If we are processing data on behalf of another organisation under a contract, we are obligated to promptly notify them of any breach and provide reasonable assistance in understanding and remedying the incident.
If you know or suspect that a personal data breach has occurred (from client records going missing to a USB stick containing personal data being left on the train) do not attempt to investigate the matter yourself. Immediately contact the person or team designated as the key point of contact for personal data breaches and preserve all evidence relating to the potential personal data breach.
7. Keeping records
The GDPR requires us to keep full and accurate records of all our data processing activities. You must keep and maintain accurate corporate records reflecting our processing including records of data subjects' consents and procedures for obtaining consents.
These records should include, at a minimum, the name and contact details of the data controller (that’s us), clear descriptions of the personal data types, data subject types (e.g. employee, client…), processing activities and purposes, third-party recipients of the personal data, where the personal data is stored, the personal data's retention period and a description of the security measures in place.
8. Training and review
We are required to ensure all personnel have undergone adequate training to enable them to comply with data privacy laws. You must complete the mandatory data privacy training. You must regularly review all the systems and processes under your control to ensure they comply with this policy, and check that adequate governance controls and resources are in place to ensure the proper use and protection of personal data.
9. Data subjects’ rights
Data subjects have rights when it comes to how we handle their personal data. These include rights to:
(a) withdraw consent to processing at any time (where consent is the legal basis for processing);
(b) receive certain information about our processing activities;
(c) request access to their personal data that we hold;
(d) prevent our use of their personal data for direct marketing purposes;
(e) ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
(f) restrict processing in specific circumstances;
(g) challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
(h) request a copy of an agreement under which personal data is transferred outside of the EEA;
(i) object to decisions with a significant legal impact which are based solely on automated processing;
(j) prevent processing that is likely to cause damage or distress to the data subject or anyone else;
(k) be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
(l) make a complaint to the supervisory authority (in our case the ICO); and
(m) in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (this is unlikely to apply to us).
A data subject may request access to the information we hold about them in any form, verbally or in writing, and the request need not mention the GDPR or use any particular wording. We must respond within one month of receiving it. Any member of staff or person collecting or processing personal data on our behalf who receives such a request should immediately forward it to [CONTACT], noting the date it was received.
10. Data Protection Impact Assessments
As you can see, when dealing with personal data there is a lot to keep in mind and to record. This means that before you gather personal data in new ways, or introduce a new processing activity, you should assess the risk beforehand. If you determine that the new way of dealing with personal data is of high risk to the rights of data subjects, you must complete a Data Protection Impact Assessment using our template. The activity is likely to be high-risk if it involves:
(a) use of new technologies;
(b) automated processing;
(c) large scale processing of sensitive data; or
(d) large scale, systematic monitoring of a publicly accessible area.
A Data Protection Impact Assessment must include:
(a) a description of the processing, its purposes and the data controller's legitimate interests if appropriate;
(b) an assessment of the necessity and proportionality of the processing in relation to its purpose;
(c) an assessment of the risk to individuals; and
(d) the risk mitigation measures in place and demonstration of compliance.
11. Marketing
We are subject to certain rules and privacy laws when marketing to our clients. For example, a data subject's prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers known as the "soft opt-in" allows us to send marketing texts or emails if we obtained the contact details in the course of a sale to that person, are marketing similar products or services, and gave the person a clear and prominent opportunity to opt out of marketing when the details were first collected and in every subsequent message.
12. Sharing Personal Data
Generally, we cannot share personal data with third parties unless certain safeguards and contractual arrangements have been put in place.
You may only share the personal data we hold with another employee, agent or representative of our group if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
You may only share the personal data we hold with third parties when:
(a) they have a need to know the information for the purposes of providing the contracted services;
(b) sharing the personal data complies with the privacy notice or other information provided to the data subject and, if required, the data subject's consent has been obtained;
(c) the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
(d) the transfer complies with any applicable cross border transfer restrictions; and
(e) a fully executed written contract containing the third-party clauses required by the GDPR (for a processor acting on our behalf, the Article 28 processing terms) is in place.
13. Data breach
If you become aware of any loss, damage or unauthorised access to any personal data, you should notify Fiona Munn immediately.
For any advice, help or support on any matter covered by this policy please contact Fiona Munn. If you are unsure about whether an issue is worth raising, err on the side of caution, and speak to the legal team.