Privacy Policy

McCartneys LLP – Data Protection and UK GDPR Policy

Introduction

McCartneys LLP needs to gather and use certain information about individuals. These can include clients, customers, suppliers, business contacts, employees and other people the firm has a relationship with, or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the firm’s data protection standards, and to comply with the law.

Why this policy exists

This UK GDPR policy ensures McCartneys LLP:

• Complies with the UK GDPR legislation and follows good practice
• Protects the rights of clients, customers, suppliers, employees and partners
• Is open about how we store and process individuals’ data
• Protects itself from the risks of a data breach

UK General Data Protection Regulation

These rules apply to all data regardless of whether it is stored electronically, on paper, or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person or organisation unlawfully and without consent.

UK GDPR is underpinned by eight important principles, these state that:

1. Personal information must be fairly and lawfully processed
2. Personal information must be processed for limited purposes
3. Personal information must be adequate, relevant and not excessive
4. Personal information must be accurate and up to date
5. Personal information must not be kept for longer than is necessary
6. Personal information must be processed in line with the data subjects’ rights
7. Personal information must be secure
8. Personal information must not be transferred to other countries without adequate protection

Policy scope

This policy applies to:

• The head office of McCartneys LLP
• All branches and departments of McCartneys LLP
• All partners, consultants, employees and workers of McCartneys LLP
• All contractors, suppliers and any other people or organisations working on behalf of McCartneys LLP

It applies to all data that the firm holds relating to identifiable individuals, including:

• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• …plus any other information relating to individuals

Data protection risks

This policy is written to help to protect McCartneys LLP from data security risks including:

• Breaches of confidentiality – Information being given out inappropriately.
• Failing to offer choice – All individuals should be free to choose how the firm uses information relating to them.
• Damage to reputation – The damage to the firm’s reputation could be immeasurable if we were to be reported for breaching the UK GDPR.

Responsibilities

Everyone who works for or with McCartneys LLP has some responsibility for ensuring data is collected, stored and handled appropriately and that data is not disclosed unlawfully and without consent. Every person that handles personal data must ensure that it is handled and processed in line with this policy and the UK GDPR principles.

Key responsibilities include:

• Keeping the partnership updated about data protection responsibilities, risks and issues.
• Reviewing all data protection procedures and related policies, in line with an agreed schedule.
• Arranging data protection training and advice for the people covered by this policy.
• Handling data protection questions from employees and anyone else covered by this policy.
• Dealing with requests from individuals to see the data McCartneys LLP holds about them (Subject Access Requests).
• Checking and approving any contracts or agreements with third parties that may handle the firm’s sensitive data.
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
• Performing regular checks and scans to ensure security hardware and software is functioning correctly.
• Evaluating any third-party services the firm is considering using to store or process data, such as cloud computing services.
• Approving any data protection statements attached to communications such as emails and letters.

The partners are ultimately responsible for ensuring that McCartneys LLP meets its legal obligations.

General employee guidelines

• The only people able to access data covered by this policy should be those who need it for their work.
• Every partner, consultant, employee and worker must implement and adhere to the firm’s Clear Desk Policy (see separate policy document).
• Data should not be shared informally. If and when access is required, employees can request it from their line manager/partner.
• Personal details relating to clients, customers, suppliers, colleagues and any other person connected to McCartneys LLP should never be disclosed to any third party either within the firm or externally, without specific consent being obtained.
• Partners, consultants and all employees and workers of McCartneys LLP should keep all data secure by taking sensible precautions and adhering to these guidelines.
• All desktop computers, laptops, iPhones, memory sticks and any other electronic devices which store data should be protected by strong passwords and/or encryption.
• Partners, consultants and employees should be particularly diligent in areas where the public have access, not to leave computers/laptops, paper files or any medium with personal data where such information can be seen or heard by a third party.
• Data should be regularly reviewed and updated if it is found to be out of date. If it is no longer required it should be deleted and disposed of.

Data storage

• When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
• When not required, the paper or files should be kept in a locked drawer or filing cabinet.
• Documents, paper and computer printouts should not be left where any unauthorised person could see them.
• Paper documents and printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

• Data should be protected by strong passwords that are changed regularly and never shared.
• If stored on removable media, these should be kept securely locked away and encrypted if possible.
• Data should only be stored on designated drives and servers, and only uploaded to an approved cloud computing service.
• Servers containing personal data should be sited in a secure location away from general office space.
• Data should be backed up frequently, and backups tested regularly.
• All servers and computers containing data should be protected by approved anti-virus software.

Data use

Personal data is of no value to McCartneys LLP unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft.

When working with personal data, partners, consultants, employees and workers should ensure:

• The screens of computers are always locked when left unattended.
• Personal data should never be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
• The use of a fax machine for sending data should be avoided if possible. If data is sent by fax you must ensure that there is an authorised person available to receive it.
• Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
• Employees should not save copies of sensitive personal data held by the firm to their own computers, mobile phones or any other device.

Email Marketing and Communications

McCartneys LLP may use personal data, such as names and email addresses, for the purpose of sending marketing communications by email. This may include newsletters, service updates, event invitations, and information about our professional services.

In accordance with the UK GDPR, the Privacy and Electronic Communications Regulations (PECR), and other relevant data protection laws:

• Lawful basis – McCartneys LLP will only send email marketing where we have obtained the individual’s explicit consent, or where a clear “soft opt-in” applies (for example, where an existing client relationship exists and the communication relates to similar services).
• Consent management – Individuals must actively opt in to receive marketing emails. Consent will be clearly recorded and individuals may withdraw their consent at any time.
• Right to object – Every marketing email sent by McCartneys LLP will include a clear option to unsubscribe or manage preferences, in line with UK GDPR requirements.
• Data minimisation – Only the minimum personal data required (e.g. name and email address) will be processed for email marketing purposes.
• Third-party processors and software – McCartneys LLP may use trusted third-party software providers and email marketing platforms to store, process and manage marketing data. All such providers will be subject to appropriate due diligence, contractual safeguards, and data processing agreements to ensure compliance with UK GDPR.
• Retention – Marketing contact details will be securely retained only for as long as consent is valid or until an individual opts out. At that point, records will be updated to ensure the individual no longer receives marketing communications.

McCartneys LLP is committed to respecting individuals’ privacy rights. No personal data will be sold or shared with third parties for their own marketing purposes.

Data accuracy

The law requires McCartneys LLP to take reasonable steps to ensure data is kept accurate and up to date.

• Data should be stored and held in as few places as necessary. Unnecessary data sets or copies of data should not be created.
• Every effort should be made to ensure data is updated, for instance by confirming details when clients, customers or suppliers call.
• Data should be updated when inaccuracies are discovered, for example if a telephone number no longer works.

Subject Access Requests

All individuals who are the subject of data held by McCartneys LLP are entitled to:

• Ask what information the firm holds about them and why.
• Ask how they can gain access to that information.
• Be informed how to keep it up to date.
• Be informed how the firm is meeting its data protection obligations.

If an individual contacts the firm requesting this information, this is called a Subject Access Request (SAR).

• SARs should be made in writing, addressed to the Data Protection Officer, McCartneys LLP, The Livestock Market, The Ox Pasture, Overton Road, Ludlow, Shropshire, SY8 4BH, or submitted via email to the firm’s designated Data Protection Officer email address.
• In line with UK GDPR, SARs will normally be provided free of charge, unless a request is manifestly unfounded, excessive, or repetitive, in which case a reasonable administrative fee may be charged.
• McCartneys LLP will aim to provide the requested data within one month of receipt. Where requests are complex or numerous, the firm may extend this period by up to a further two months, but the individual will be informed within one month of the request and given reasons for the delay.
• The DPO will always verify the identity of anyone making a SAR before releasing information.
• McCartneys LLP reserves the right to refuse a SAR where it is manifestly unfounded or excessive, in line with UK GDPR. In such cases, the firm will explain the reasons for refusal and inform the individual of their right to complain to the Information Commissioner’s Office (ICO).

Disclosing data for other reasons

In certain circumstances the UK GDPR allows for personal data to be disclosed to law enforcement agencies and HM Government agencies without the consent of the data subject. Under these circumstances, McCartneys LLP will disclose the data requested. However, the data controller will ensure the request is legitimate, seeking assistance from the partners and from the firm’s legal advisors where necessary.