GJF is committed to responsible and secure data processing so you can be sure your data is well protected. We understand the importance of an individual’s personal data and the harm which can be caused by unauthorised access to such data, whether deliberate or not. We take all reasonable precautions to protect your data and this policy aims to explain to you the ways in which we safeguard the information we are given.
What is data?
Personal data is defined as any information that relates to the identity of a natural person and can identify them, either directly or indirectly. As you can appreciate, this covers a wide range of details, such as names, addresses, contact numbers, location information, online log in details, physical features, genetic details, cultural beliefs, social attitudes and economic factors.
Some data is classified as special category data under Article 9 of the General Data Protection Regulations (GDPR). These categories are racial and ethnic origin, political opinion, religious and philosophical beliefs, any trade union memberships, genetic or biometric data, information about your health and details of your sex life or sexual orientation.
In the course of GJF’s involvement with you, it is extremely likely that we will have access to some data which falls under the special category characterisation.
The GDPR penalises us for unauthorised disclosure of your personal data – what is disclosure?
Disclosure occurs whenever information passes from one person to another. It may be oral or written. Unauthorised disclosure will be treated as a serious offence under the GDPR, so we will take care not to let people who are not entitled to see your data have access to it. We will also seek to limit access to personal data within our organisation to only those individuals who need to see the information so they can address your needs.
Do we need your consent to hold your data?
The GDPR provides that we can retain data where it is necessary to do so to fulfil our contractual obligations to you. This will cover the majority of circumstances where we have access to your personal data, as it is necessary for us to have your personal information to be able to represent you.
What are our obligations under the GDPR?
In processing your personal data, we are required to make sure we comply with the following principles, namely that the data held is:
- Fair, lawful and transparent
  - GJF will use your personal data only for reasons which are fair and lawful and we will make sure you are fully aware of your rights and obligations under GDPR.
- Compatible and specific
  - GJF will obtain your personal data only for specific reasons (usually the reason why you instructed us).
- Adequate, relevant and limited to what is necessary
  - GJF will obtain only that personal data which is required to be able to represent you and will not ask for additional personal data which is not necessary in furtherance of your instructions.
- Accurate and rectifiable
  - GJF will take all reasonable steps to make sure the data we hold about you is accurate. If it is not accurate, we will ensure we have a straightforward and transparent process in place to rectify any errors we become aware of.
- Retained for no longer than is necessary
  - Unless you specifically request that GJF retains your data for longer, we will not retain your personal data for any longer than is necessary under our Anti Money Laundering and professional obligations. We recognise that our data partners may need some time to dispose of personal data they retain on our behalf, so appropriate allowances in this regard are made in our Data Retention Policy.
- Integrity and confidentiality
  - GJF have implemented a robust data security programme for both electronic and paper files and have trained our employees on the importance of such security measures, so you can rest assured your data is in safe hands.
What are your rights under GDPR?
You have a number of rights under GDPR as follows:
- Right of access
  - GJF acknowledges the right of every data subject to access their personal data and has implemented a protocol to deal with this eventuality in their Subject Access Request Policy.
- Right to be forgotten
  - A data subject also has the right to be forgotten. Whilst GJF accepts this right, data subjects should be aware that they will not be able to exercise their right to be forgotten whilst GJF retain their data for compulsory reasons, such as to comply with AML requirements. More detail about this can be found in our Data Retention Policy and our Data Subject Objection Policy.
- Right to rectification
  - GJF also acknowledges a data subject’s right to rectification in situations where personal data we hold is inaccurate. How we will deal with this is clearly laid out in our Data Rectification Policy.
- Right of restriction
  - Whilst we would hope any errors in data can be swiftly and accurately rectified, we also accept that a subject has a right to restrict their data where it is inaccurate. This is dealt with in our Data Restriction Policy.
- Right to portability
  - GJF supports a client’s entitlement to obtain a copy of their data to transfer to other organisations and will endeavour to do this as swiftly and accurately as our professional obligations will allow.
- Right to object
  - Although GJF does not ordinarily process data for direct marketing purposes, we understand the frustrations this can cause to data subjects and support their entitlement to object. Our policy for dealing with such an objection can be found in our Data Subject Objection Policy.
Who is responsible for Data Protection in our organisation?
Our Data Controller, who is responsible for day to day Data Protection queries, is our Office Manager. We also have a number of individual Information Asset Owners who have day to day control of various databases and other sources of personal data and report to our Data Controller.
Our Data Controller is supported at board level by our Managing Director, who is our Senior Information Reporting Officer. In the event our Data Controller is unavailable to deal with queries, these should be referred to our Managing Director.
In the event of any disputes, we also have a Data Protection Officer.
Sometimes, we may have been passed information about you from a third party, for example another firm of advocates, an estate agent, an insurance company or a union. We undertake to process such data in line with our Third Party Data Protection Policy to ensure that other parties apply the same high data protection standards.
From time to time, it is inevitable we will need to transfer data to other companies, both in the Isle of Man and in other countries. Where transfers take place within the Isle of Man and the EEA, they are governed by the principles set out in our Domestic Data Transfer Policy.
Transfers outside the EEA are covered by our Non EU Data Transfer Policy.
With so much business being conducted by electronic means in the modern world, specific consideration has been given to electronic communication and how this will interact with our GDPR obligations. Our conclusions and processes can be found in our Email Data Protection Policy.
Given that so much of our data is stored electronically and that the easiest way for a data protection breach to occur is through unauthorised physical access to computer terminals or other devices, we have implemented a Password Policy to make it more difficult for such breaches to occur.
A number of employees also work away from the office on occasion, so we have implemented our Data Protection in Remote Working Policy to make sure our working practices do not endanger your personal data.
Breaches of the GDPR
In the unlikely event that breaches of the GDPR occur, GJF will need to classify each breach as either minor or major. Minor breaches will be governed by our Internal Breach Reporting Policy, but those deemed serious enough will follow the process laid out in our Information Commissioner Reporting Policy.
Future amendments to data protection
All our policies are subject to our Data Review Policy and any new developments will be subject to a privacy impact assessment, as laid out in our Privacy Impact Assessment Policy.
Obtaining additional information
If you are concerned about any of the issues raised in this policy, or would like additional information, please contact our Data Controller to discuss the same. Copies of all of the policies are available on request.