Your privacy is very important to us as a company, and we have updated this Privacy Notice and made the changes necessary for the EU’s General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018.
1. Key definitions:
- GDPR – EU derived new data protection law that comes into legal effect in the UK from 25 May 2018 and replaces and extends the reach of existing UK data protection laws.
- Personal data – includes anything that can identify you e.g. name, phone number, email address, home address, online ID, financial information and reference numbers, social media links, date of birth, marital status.
- Special sensitive categories of data – includes race, ethnic origin, political beliefs, religious beliefs, trade union (TU) membership, biometrics, health, sex life, sexual orientation.
- Data controller – someone who determines the purpose and the means of the processing of personal data, often the CEO of a company.
- Data processor – people who process personal data on behalf of the data controller and maintain the records of personal data.
2. Who we are:
- Goverseth Accountants is a trading name of Goverseth Accountants Ltd.
- Our Data Protection Officer is our founding director, Carl Martin Willcock.
- We have identified that we act as both a “data controller” and a “data processor”.
- Our Registered Office and Postal Address is: Argentum House
510 Bristol Business Park
3. Key principles we adopt:
- Properly inform you if we collect your personal data
- Process it lawfully, fairly and transparently
- Only collect it for a defined purpose
- Only collect what we need
- Audit your personal data regularly and update it for changes
- Ensure it is held securely and backed up
- Restrict access to our systems to protect your data.
4. What personal data we collect from you:
We collect the following types of data (not exhaustive) from you so that we can perform the work we are engaged by you to do:
- Your full name
- Maiden name
- Date of birth
- Home and business address
- Phone number
- Email address
- National Insurance number
- Unique Taxpayer Reference number (for self-assessment tax returns)
- Photo driving licence and passport
- Your gender
- Marital status
- Your personal and business financial records e.g. payroll and accounting
- Historic tax information from your previous accountant
- Social media contact details e.g. your LinkedIn profile connection.
5. Why we collect personal data from you and what we use it for:
- We collect your personal data so that we can provide you with the best customer service possible. If you become, or are already, a customer of Goverseth Accountants, then in order for us to do the work that you engage us to do on your behalf, e.g. a personal tax return, we will need to collect and then process your personal data.
- We may also send you information that we feel is relevant to you e.g. ways to reduce your tax bill or new time-saving methods for your record-keeping. However, we will have an unsubscribe link at the foot of all our emails.
- Here are some examples of what we use your personal data for:
- Preparing your tax return, accounts, VAT return, payroll
- Sending you our fee invoices
- Arranging meetings with you
- Setting you up as a new client on our software
- Liaising with regulators e.g. HMRC and Companies House
- Requesting feedback on our services
- Rewarding you for our Refer-A-Friend Scheme
- Contacting you on queries or issues that we have identified during our normal day-to-day work
- Notifying you of networking events that you may be interested in attending
- Verifying your identity as part of our standard new client identification checks and updating and maintaining this at regular intervals.
- Our website provides details of the services that we offer, and we use your personal data to perform those services for you.
- Our Letter of Engagement outlines what services we are engaged to perform, and these are updated as and when the scope of our work changes.
6. How we collect personal data from you:
We collect personal data from you in a variety of different ways, for example:
- When you fill in our “contact form” on our website for us to get in touch with you
- When you call or email us to enquire about our products and services
- At meetings e.g. at initial prospecting meetings we would take your full contact details and sources of income and financial history to determine how we can help you
- When you give us your business card e.g. at a networking event
- When you connect with us on Facebook or LinkedIn
- When you become a new client, we complete our new client procedures and collect your data
- When you visit our website, details of your visit may be stored on our Google Analytics account.
As is common with most businesses, our website uses “cookies”, which are small files downloaded to your computer to improve your user experience of the internet.
The cookies can be disabled at any point by adjusting your computer’s browser settings.
8. Our lawful basis for collecting and processing your personal data:
There are 6 legal bases for having and using your personal data:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
In many cases one or more of the above bases will apply. For example, to prepare your tax return we would rely on contract (as we have a letter of engagement in place for the contract of services to be provided), legal obligation (to submit your tax return to HMRC we would need your National Insurance number, name etc. on it) and legitimate interests (to keep you updated on changes in tax laws or new products we think would be of benefit to you).
We request consent e.g. before we share your personal data with other parties that you have agreed or asked us to liaise with such as mortgage brokers, banks and financial advisors.
Our primary legal basis for processing your personal data is our contract of services that we provide you.
9. Who we share your data with and why:
Who we share your data with, and why, depends on what service we are providing to you.
- Examples of these other parties are below, and they are also required to follow the same data protection legislation as us:
- Companies House
- Our payment providers
- Mortgage and insurance brokers
- Equifax individual identification software
- Cloud accounting software providers
- Cloud add-ons software
- Data processors
- Internal practice management software
- Our insurers
- Business networking groups that we are members of
- Social media sites
- Google Analytics
- Courts and legal authorities if required to do so by law.
- We have a legal obligation to take steps to prevent fraud and comply with anti-money laundering rules, and so it is in our legitimate business interests to collect your personal data, so we can meet these obligations.
- We therefore request evidence to verify your identity at the start of our engagement and at regular intervals throughout. We use electronic verification procedures provided by Equifax to perform these checks, which look at public and non-public data about you. A trace of the check is left on your record, but the identity search does not impact your credit approval rating.
- Please note that in some circumstances we may be required to process your personal data without your consent or knowledge, where we are legally permitted or required to do so.
10. Data processors and transfers outside the EU:
- At our sole discretion, we may use any third-party individual or organisation to process your personal data on our behalf, so that we can perform the services we are engaged to do e.g. payroll and auto-enrolment work, bookkeeping services, tax return and accounts preparation.
- These “data processors” act within the realms of our written instructions and they only have access to the data relevant to perform the tasks assigned.
- In addition, these data processors will always be bound by our normal client confidentiality terms.
- If we need to transfer your personal data outside of the EU, to be able to fulfil the provision of services to you, we will ensure that the relevant safeguards are in place to protect your data.
- We have in place EU model contract clauses with organisations in non-EU countries, which contractually require that your personal data is protected and only used for the purpose of our written instructions.
11. Safeguards we take to keep your data secure:
We operate a variety of measures to help safeguard your personal data, for example:
- 2-step login authentication wherever possible
- Password protected software
- Up to date anti-virus, firewall and malware protection across all devices
- Data is stored on our secure Citrix Sharefile Client Portal (in Dublin, Ireland on Amazon Web Services Servers) and internal document management system, which conforms to bank-level security standards and is encrypted with restricted user access levels and full audit trail functionality
- Attachments are sent in emails using our Sharefile links, meaning that they are encrypted within the email
- New login notification emails are sent to us where any of our key software is accessed from potentially unknown devices
- Encouragement for customers to use the Portal at all times to send and receive personal data to and from us
- Remote desktop function in operation, so that if a device is stolen no data is lost as it is not held on the hard-drive
- Data held is backed up
- Obsolete devices are physically broken up and destroyed
- Physical security at our offices at Hollywood Estate:
- Padlocked access gate – locked overnight and during the weekends and under CCTV surveillance
- Individually provided user access key fob to enter the building, which is administered by the Estate
- Locked rooms within the Estate’s building
- CCTV at the main entrance and exits to monitor user access
- Secure filing cabinets that are locked at all times within the office
- Iron bars outside of the office windows to prevent burglary
- Clear desk policy, so that no records are left outside the locked cabinets overnight
- Prompt and regular shredding of confidential waste paper.
12. Our data retention policy:
- We will hold your personal data and associated documentation in accordance with HMRC normal rules of 7 years.
- For marketing purposes, if you no longer want to receive any material we need to keep evidence of that indefinitely.
- For prospects that we have not converted into customers, we will keep your personal data for a period of 2 years before we will delete it in full.
The GDPR enshrines the following rights for individuals into law:
- Right to be informed
- Right of access
- Right of rectification
- Right of erasure
- Right of restriction
- Right of data portability
- Right to object
If you wanted to enforce any of these rights at any time, please get in touch with us.
14. Changes to this policy and source of more information:
- We expect that this Privacy Notice will be updated on a regular basis and the current version will always be available on our website.
- We will use clear referencing for version updates (e.g. version 1.0 – last updated on 25 May 2018).
- For more information concerning data protection and the GDPR please refer to the Information Commissioner’s Office website