GDPR and haysmacintyre

The General Data Protection Regulation 2016

On 25 May 2018 the Europe-wide General Data Protection Regulation (GDPR) will come into effect. This regulation places specific emphasis on the handling and protection of personal data and applies directly in all member states of the European Union.

haysmacintyre has taken steps to ensure that the GDPR is understood, that its requirements are communicated to all staff, and that it is complied with in full.

Due to the volume of customers on whose behalf we process data, we regret that we are unable to respond to individual questionnaires regarding our data protection compliance and have instead produced the following pack to assist you with your supplier due diligence efforts.

Our Compliance

Our GDPR compliance programme has included a full gap analysis against the requirements of the GDPR, an audit of all the personal data we hold, a review of our handling procedures, and the required updates to business agreements, policies and training materials.

Our updated data protection policy can be found in this pack and on our website.

haysmacintyre only processes client data in line with its engagement requirements and its data protection policy. haysmacintyre takes the protection of all client data extremely seriously and has implemented data security controls commensurate with the sensitivity of this data, as set out below.

haysmacintyre does not process special category data except in rare circumstances where the engagement makes this an obligation.

If a breach were to occur, haysmacintyre would respond in line with the requirements of the GDPR, including notification of the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, where such notification is required.

haysmacintyre does not store any data outside the European Union.

Data Security Controls

Overview

haysmacintyre is committed to protecting the confidentiality, integrity and availability of personal and client data. This document outlines the controls we have in place to protect it and the IT systems where the data is stored.

Security controls

Measures include, but are not limited to:

  • Full disk encryption for all laptops and desktops
  • Encryption of approved USB storage devices, and blocking of non-approved devices
  • Implementation of Microsoft best-practice for password controls and use of multi-factor authentication systems
  • Multiple perimeter (including application layer) and desktop/laptop firewalls
  • Intrusion/breach detection and prevention systems
  • Multi-level and multi-vendor anti-malware systems (capable of detecting sophisticated threats, such as ransomware), covering the email/web gateways, servers, server applications (such as email), network and desktops/laptops
  • Regular reviews of log files generated by key security systems
  • The use of Role Based Access Control to restrict data to relevant client teams
  • Strong physical, environmental and perimeter controls
  • Regular vulnerability scanning and penetration testing by a third party specialist
  • Regular and automated patching of all client/server operating systems and third-party applications with adherence to ITIL change and configuration management practices
  • Adherence to all UK legal requirements, the General Data Protection Regulation, and standards issued by the Institute of Chartered Accountants in England and Wales
  • Accredited under the Cyber Essentials Plus scheme with annual recertification

Disaster Recovery

There are multiple levels of redundancy in place, with an underlying fault-tolerant hosted server environment and communication links. Our response to major disasters has been carefully planned and tested, including replication of all critical infrastructure to a secondary datacentre, with contractual recovery point and time objectives, to support key services provided by the firm.

Data protection policy

Policy statement

In the course of our business operations haysmacintyre makes use of data about identifiable individuals, including data about:

  • Current, past and prospective partners and staff
  • Current, past and prospective clients
  • Business contacts

In collecting and using this data, the organisation is subject to legislation controlling what data may be held, how such activities must be carried out and the safeguards that must be put in place to protect it.

Purpose

The purpose of this policy is to set out the data protection legislation that applies to the business and to describe the steps we take to ensure that we comply with it.

Scope

This policy applies to all systems, people and processes that constitute the organisation’s information systems, including partners, permanent or temporary members of staff, consultants, suppliers and any third parties who have access to our systems. 

Policy Compliance

This policy applies to anyone who processes data on behalf of haysmacintyre, including partners, staff and third parties.

Policy Governance

The following table identifies who within haysmacintyre is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible: Data protection lead (partner)

Accountable: Managing Partner

Consulted: Managing Partner and Heads of Department

Informed: All partners, staff (including temporary staff) and contractors

Review and Revision

This policy will be reviewed as deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the data protection lead.

The General Data Protection Regulation

The General Data Protection Regulation 2016 (GDPR) is a significant piece of legislation affecting the way that haysmacintyre carries out its information processing activities. The GDPR is designed to protect the personal data of individuals in the European Union. It is our policy to ensure that our compliance with the GDPR and other relevant legislation is clear and demonstrable at all times.

Definitions

There are a total of 26 definitions listed within the GDPR and it is not appropriate to reproduce them all here. However, the fundamental definitions with respect to this policy are as follows:

  • ‘personal data’ means: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • ‘processing’ means: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • ‘controller’ means: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Principles Relating to Processing of Personal Data

There are six fundamental principles upon which the GDPR is based. These are as follows:

Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner.
  • Collected for specified, explicit and legitimate purposes.
  • Adequate, relevant, and limited to what is necessary.
  • Accurate and, where necessary, kept up to date.
  • Retained only for as long as necessary.
  • Processed in a manner that ensures appropriate security.

haysmacintyre ensures that it complies with all of these principles both in the processing it currently carries out and as part of the introduction of new methods of processing, for example, deploying new IT systems. 

Rights of the individual

The rights of the data subject within GDPR consist of:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Each of these rights is supported by appropriate procedures within haysmacintyre that allow the required action to be taken within the timescales stated in the GDPR.

These timescales are as follows (data subject request: timescale):

  • The right to be informed: when the data is collected (if supplied by the data subject), or within one month (if not supplied by the data subject)
  • The right of access: one month
  • The right to rectification: one month
  • The right to erasure: without undue delay
  • The right to restrict processing: without undue delay
  • The right to data portability: one month
  • The right to object: on receipt of the objection
  • Rights in relation to automated decision making and profiling: not specified (haysmacintyre does not conduct automated decision making or profiling)

Making a subject request

Data subject requests must be made in writing to dataprotection@haysmacintyre.com. Any person who receives a data subject request through a different channel must immediately forward the request to the above email address so that it can be logged and responded to within the required timescale.

Consent

Consent must be obtained from a data subject to collect and process their data unless another lawful basis under the GDPR applies (for example, where the processing is necessary for the performance of a contract or to comply with a legal obligation); explicit consent is required where consent is relied on to process special category data. Where consent is relied on for online services offered directly to a child, parental consent must be obtained for children below the age of 16 (the GDPR default; Member States may set a lower age, and the UK has set 13). Transparent information about our usage of their personal data will be provided to data subjects at the time that consent is obtained and their rights with regard to their data explained, such as the right to withdraw consent and how to do this. This information will be provided in an accessible form, written in clear language and free of charge.

If the personal data are not obtained directly from the data subject then this information must be provided within a reasonable period after the data are obtained and at the most within one month.

Privacy by Design

haysmacintyre has adopted the principle of ‘privacy by design’ and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data are subject to due consideration of privacy issues.

This includes:

  • Consideration of how personal data will be processed and for what purposes.
  • Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s).
  • Assessment of the risks to individuals in processing the personal data.
  • What controls are necessary to address the identified risks and demonstrate compliance with legislation.

Use of techniques such as data minimisation and pseudonymisation will be considered where applicable and appropriate.

Transfer of Personal Data

Transfers of personal data outside the European Union must be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the GDPR. This depends partly on whether the European Commission has issued an adequacy decision for the receiving country, or whether other appropriate safeguards (such as standard contractual clauses) are in place, and this may change over time.

haysmacintyre does not currently transfer client personal data outside the European Union.

Personal data will not be transferred outside the European Union in the future without prior consultation with the data controller.

Data Protection Officer

A defined role of Data Protection Officer (DPO) is required under the GDPR if an organisation is a public authority, if its core activities involve regular and systematic monitoring of data subjects on a large scale, or if its core activities involve processing special category data or data relating to criminal convictions on a large scale. The DPO is required to have an appropriate level of knowledge and can either be an in-house resource or outsourced to an appropriate service provider.

Based on these criteria, haysmacintyre does not require a Data Protection Officer to be appointed; however, internal responsibility for data protection has been assigned to the data protection lead (partner) identified under Policy Governance above.