General Data Protection Regulation (GDPR)
The new EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 (including in the UK, regardless of its decision to leave the EU) and will impact every organisation which holds or processes personal data. It introduces new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially higher penalties than the current Data Protection Act (DPA), which it will supersede.
Brewin Dolphin places a high priority on protecting and managing data, especially that of its clients and employees. The firm complies with applicable GDPR regulations.
Brewin Dolphin is focusing on the following GDPR requirements. These are being implemented by the GDPR project team with oversight from the Brewin Dolphin Data Protection team:
- Ensuring Privacy by design is implemented in all new projects, services and tools.
- Fine tuning processes to ensure they meet GDPR requirements, for example DSARs (data subject access requests), our Data Breach process and Privacy Impact Assessments.
- Updating our terms and conditions to reflect GDPR requirements.
- Updating our Privacy Standard Policy and Privacy Notices.
- Ensuring the required consent and preferences have been requested where necessary.
- Providing guidance on data retention periods.
- Providing training for all staff to enable them to understand the requirements of GDPR and how to effectively manage the data that they are responsible for.
Brewin Dolphin is also working on an Information Security framework which combines controls from the NIST (National Institute of Standards and Technology) Cybersecurity Framework, the ISF (Information Security Forum) and ISO2700 to ensure that data:
- is protected as it comes into the firm.
- is held securely whilst in the firm.
- has its access controlled whilst stored in all Brewin Dolphin systems.
- is secured when it is sent to a third party where required.
- is securely destroyed once it is no longer required.
Brewin Dolphin has policies in place that have been updated and reviewed to ensure the requirements of GDPR are addressed. The following key policies are in place: Information Security, Data Management, Records Management Policy (incl. Data Retention requirement) and Data Classification Standard. These provide the governance to ensure that PII data is handled correctly.
Brewin Dolphin does not have a Data Privacy Officer; in their place, the Head of Information Risk and Data Protection is responsible for day-to-day compliance with GDPR and its requirements, with the support of the legal team.
Should you have any further questions regarding this GDPR statement then please contact your Brewin Dolphin relationship manager.