Contents
Overview.. 4
Introduction. 4
What is GDPR?. 4
To whom does GDPR apply?. 4
What is Personal Data?. 5
What is ‘Special Category’ Personal Data?. 5
What is Criminal Offence Data?. 6
Do I need to pay a data protection fee to the ICO?. 6
Lawful bases for processing. 7
Territorial Scope. 9
‘Accountability Principle’ 9
Transfer of Data (outside EU) 11
‘Adequacy’ 11
‘Appropriate Safeguards’ 12
‘Derogations’ (from the transfer of data requirements) 13
One-off/Infrequent transfers/small number of data subjects 13
Data Subject Rights. 14
The right to be informed. 14
The right of access 14
The right to rectification. 14
The right to erasure. 14
The right to restrict processing. 15
The right to data portability. 15
The right to object 15
Rights in relation to automated decision making and profiling. 15
IT security. 15
Cybersecurity – Factors to consider. 16
Physical Security – Factors to consider 17
What must I consider if I am using a Data Processor?. 18
Staff Training. 18
Recordkeeping. 19
Appendix I: Subject Access Request Policy. 20
Appendix II: Consent Policy (N/a) 21
Appendix III: Data Breach Recording Policy. 22
Appendix IV: Privacy Notice (Staff & Contractors) 24
Appendix V: Privacy Notice (Clients & Website Use) 26
Appendix VI: Record keeping Policy. 31
The purpose of this policy, together with the ancillary documents in the appendix, is to ensure that the Organisation meets the requirements detailed in the General Data Protection Regulation (“GDPR”).
The GDPR took effect in UK from 25th May 2018 and updated the Data Protection Act to reflect changes in technology and data use. It places greater emphasis on documenting data protection procedures, accountability and governance arrangements, and how organisations manage data protection as a corporate issue. As anEU regulation, it is directly binding on member states. The GDPR is regulated and enforced in the UK by the Information Commissioner’s Office (“ICO”) but the FCA will consider compliance with GDPR when determining whether a regulated Organisation is operating in accordance with the FCA’s Senior Management Arrangements, Systems and Controls (“SYSC”) rules. The FCA has stated that, in the context of GDPR and as part of their obligations underSYSC, Organisations should establish, maintain and improve appropriate technology and cyber resilience systems and controls.
It applies to data ‘controllers’ and ‘processors’.
A controller is: ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’[1]
A processor is: ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’[2].
In our regulated business as an asset manager, we are a data controller as we determine the purpose and means of processing the personal data that we hold. Generally, asset managers hold personal data in relation to investors in our funds and/or managed accounts, marketing contacts/business prospects and personnel. We may involve a processor to assist us but we ensure that such relationships are governed by GDPR-compliant contracts.
In our non-regulated business, we are a data controller as we determine the purpose and means of processing the personal data we hold. As an Angel network, we seek to connect Angel investors (seeking a potential return) with start-up businesses (requiring funding to grow their new venture). As such, we may collect and hold personal data as part of our rigorous due diligence on the start-up company (which relates to the individuals who own/control that business) and also the Angels wishing to invest. We may involve a processor to assist us but we ensure that such relationships are governed by GDPR-compliant contracts.
In order to process data, organisations are required to have a valid ‘lawful basis’. There are 6lawful bases, of which, organisations must have at least one:
1. Consent:the individual has given clear consent for us to process their personal data for a specific purpose.
2. Contract:the processing is necessary for a contract that we have with the individual, or because they have asked us to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary or us to comply with the law (not including contractual obligations as per 2 above).
4. Vital interests: the processing is necessary to protect a person’s life.
5. Public task: the processing is necessary to perform a task in the public interestor for official functions and the task has a clear basis in law.
6. Legitimate interests: the processing is necessary for our legitimate interests or thelegitimate interests of a third party unless there is a good reason to protectthe individual’s personal data which overrides those legitimate interests (thiscannot apply to an organisation which is a public authority processing the datato perform official tasks).
More detail is provided on the lawful bases for processing below,see heading ‘Lawful Bases for processing’.
There are exemptions from GDPR where processing is performedby a natural person for a purely personal/household purpose and (in certaincircumstances) where it is performed by a law enforcement agency or by EUinstitutions.
Personal data is data related to a living individual who canbe directly/indirectly identified from it or other information which is in thepossession of/is likely to come into the possession of the datacontroller. It is defined broadly andincludes information such as:
- Name
- Date of birth
- Address/location identifiers
- Online identifiers (such as IP address)
- Identification number(s) (such as clientreference numbers, passport numbers, bank account details, etc)
Key-coded/’pseudonymised’ data may also be personal datadepending on how easy it is to attribute it to a specific person.
This refers to sensitive data which requires greaterprotection due to its private or potentially intrusive nature. In addition to requiring one of the 6 lawfulbases for processing, organisations which process ‘special category’ data mustalso, in addition, meet one of the additional conditions for processing specialcategory data under Art 9 of GDPR. Special category data includes information relating to an individual’s:
- Race
- Ethnic origin
- Politics
- Religion
- Trade union membership
- Genetics
- Biometrics (where used for ID purposes)
- Health
- Sex life
- Sexual orientation
There are additional requirements in order to process‘special category’ data (at Art 9(2)) which are, in summary:
a) The data subject has given explicit consent
b) Processing is necessary to carry out thespecific rights of the controller or of the data subject in relation toemployment and social security and social protection law
c) Processing is necessary to protect the vitalinterests of the data subject
d) Processing is carried out in the course oflegitimate activities with appropriate safeguards by a foundation, associationor other not-for-profit body in relation to present/past members or certainconnected persons of that body and are not disclosed outside that body.
e) Processing relates to personal data which ismanifestly made public by the data subject
f) Processing is necessary for the establishment,exercise or defence of legal claims or whenever courts are acting in a judicialcapacity.
g) Processing is necessary for reasons ofsubstantial public interest
h) Processing is necessary for the purposes ofpreventative or occupational medicine
i) Processing is necessary for reasons of publichealth e.g. protecting against serious cross border threats to health orensuring safety of health care or medical products
j) Processing is necessary for archiving purposesin the public interest, scientific or historical research, or statisticalpurposes.
This refers to the processing of criminal conviction andoffence data (“Criminal Offence Data”), which is similar to Special CategoryData but requires greater protection due to its private or potentiallyintrusive nature.
For instance, details of criminal convictions uncoveredabout staff typically gathered during pre-employment screening will be CriminalOffence Data. In addition, details of criminal convictions uncovered in respectof existing directors of investee companies in private equity / venture capitaltype investments, typically gathered during legal due diligence, will also be CriminalOffence Data.
We are not permitted to keep a comprehensive register ofcriminal convictions, unless doing so under the control of an official authority.
There are additional requirements in order to process‘criminal offence’ data (see sub-chapter titled ‘Processing Criminal Offence Data’ below).
Organisations should check the ICO guide “The DataProtection Fee: A guide for controllers”:
https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf
As a general rule, if you are providing financial servicesand advice, research or consultancy services, you will be required to pay adata protection fee to the ICO. Thereare 3 tiers of fee which vary between £40 and £2,900. The tier which applies to the Organisationdepends upon the following factors:
- Staff numbers
- Annual turnover
- Whether the organisation is a public authority
- Whether the organisation is a charity
- Whether the organisation is a small occupationalpension scheme.
The fee tiers are as follows:
Tier
Fee
Criteria
1 – ‘micro organisations’
£40
Maximum turnover £632k for the financial year; OR
No more than 10 staff* members
2 – ‘small & medium organisations’
£60
Maximum turnover of £36 million for the financial year; OR
No more than 250 staff members
3 – ‘large organisations’
£2,900
You do not meet the criteria for tiers 1 or 2.
*This is broadly defined to includeall employees, workers, office holders and Partners and is the average numberwho worked at the Organisation during the financial year (part-time staff arecounted as one member of staff).
If you were alreadyregistered under the Data Protection Act, you only need to pay the above feewhen your existing registration expires. The ICO will issue Organisations with a reminder when the fee is about to fall due.
If you were not previously registered with the ICO, you must register either online (https://ico.org.uk/)or call 0303 123 113 for assistance.
The requirement to have a lawful basis is not new, instead,it replaces and mirrors the previous requirement to satisfy one of the‘conditions for processing’ under the Data Protection Act 1998 (“DPA”).However, the GDPR places more emphasis on being accountable for and transparentabout your lawful basis for processing.
The six lawful bases for processing are broadly similar tothe old DPA conditions for processing, although there are some differences. Wemust review our existing processing, identify the most appropriate lawfulbasis, and ensure that it applies. It is most likely to be the same as ourexisting condition for processing.
Processing must be‘necessary’
Many of the lawful bases depend on the processing being“necessary”. This does not mean that processing always has to be essential,however, it must be a targeted and proportionate way of achieving the purpose.The lawful basis will not apply if you can reasonably achieve the purpose bysome other less intrusive means.
Organisations cannot argue that processing is necessarybecause they have chosen to operate their business in a particular way.Instead, the question is whether the processing is necessary for the statedpurpose.
Deciding upon whichlawful basis to apply
We should consider which lawful basis best fits thecircumstances in terms of our specific purposes and the context of theprocessing data. Where more than one basis applies, we will identify anddocument each at the outset.
The organisation must not adopt a one-size-fits-allapproach. No one basis should be considered as being better, safer or moreimportant than the others.
In deciding which basis best fits our circumstances, weshould consider a variety of factors, including:
· What is our purpose – what are we trying toachieve?
· Can we reasonably achieve it in a different way?
· Do we have a choice over whether or not toprocess the data?
Contractual basis - Where there exists a contractualbasis for processing personal data, for example under a client agreement forinvestment services or as an investor in a fund that we manage, then theappropriate lawful basis will be obvious – ‘contract’.
If we are processing data for other than contractualpurposes, then we are likely to have a choice between relying upon legitimateinterests or consent. However, we should consider the wider context,including:
· Would individuals expect this processing to takeplace?
· What is our relationship with the individual?
· What is the impact of the processing on theindividual?
· Is the individual concerned likely to object?
· Are we able to stop the processing at any timeon request?
Legitimate interests - We may prefer to opt forlegitimate interests as our lawful basis if we wish to keep control over theprocessing and take responsibility for demonstrating that it is in line withthe individual’s reasonable expectations and doesn’t have an unwarranted impact on them.
Consent - On the other hand, if we prefer to giveindividuals full control over and responsibility for their data, including theability to change their mind as to whether it can continue to be processed, wemay want to consider relying on the individuals’ consent.
When must we decide onour lawful basis
Organisations can choose a new lawful basis or decide that adifferent basis is more appropriate, however, it is important to get this rightfrom the outset as it will be much harder to swap between lawful bases at willif you find that your original basis was invalid and we will be in breach ofthe GDPR if we did not clearly identify the appropriate lawful basis (or bases,if more than one applies) from the start.
What happens if wehave a new purpose
If our purpose for processing data change over time, or wehave a new purpose, we may not need a new lawful basis as long as our newpurpose is compatible with the original purpose.
However, this does not apply to processing based on consent,as consent must always be specific and informed. In such circumstances, wewould need to either get fresh consent which specifically covers the newpurpose or find a different basis for the new purpose.
As a general rule, if the new purpose is very different fromthe original purpose, would be unexpected, or would have an unjustified impacton the individual, it is unlikely to be compatible with our original purposefor collecting the data.
Notwithstanding, even if the processing for a new purpose islawful, we must also consider whether it is fair and transparent and give the individualinformation about the new purpose.
Documenting our lawfulbasis
We are required to be able to show that we have properlyconsidered which lawful basis applies to each processing purpose and canjustify our decision. We therefore must keep a record of which basis we arerelying on for each processing purpose, and a justification for why we believeit applies
The Groupmaintains the ICO’s template spreadsheet as a record of which lawful basis ithas applied for each client/investor/company/Angel/Marketing recipient andstaff member. The Organisation’s populated version is saved as a restrictedaccess document and the link to the template is provided in Appendix VI(Recordkeeping policy).
Disclosing our lawfulbasis
We must inform people upfront about our lawful basis forprocessing their personal data. We include this within the Organisation’sPrivacy Notice sent to all individuals (see appendices IV and V, Privacy Notices for staff/contractors andClients/website use, respectively).
As GDPR brings in new accountability and transparencyrequirements, we must therefore clearly document our lawful basis (see sectiontitled ‘Recordkeeping’).
Processing Special CategoryPersonal Data
Where we seek to process special category data, we must identifyand document both our ‘lawful basis’ for processing and a ‘special category’condition for processing.
Our choice of lawful basis does not dictate which specialcategory condition we must apply, and vice versa. For example, if we useconsent as our lawful basis, we are not restricted to using explicit consentfor special category processing.
Processing CriminalOffence Data
Where we seek to process Criminal Offence Data, which includes data about criminal convictions, criminal offences or related security measures, we must identify and document both our ‘lawful basis’ for processing and a ‘separate condition’ for processing this type of data.
GDPR applies to all EU countries and any individual ororganisation trading with them. Therefore,GDPR will still apply to a company based outside the EU who is processing thedata of an EU data subject.
Article 5(2) of GDPR requires organisation to be able todemonstrate that we comply with the principles of the Regulation and stateexplicitly that this is our responsibility.
The Data Protection principles of GDPR are that personaldata must be:
1
processedlawfully, fairly and in a transparent mannerin relation to the data subject (‘lawfulness, fairness and transparency’);
2
collected for specified, explicit and legitimate purposesand not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
3
adequate, relevant and limited to what is necessaryin relation to the purposes for which they are processed (‘data minimisation’);
4
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
5
kept in a form which permits identification of data subjects for no longer than is necessaryfor the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
6
processed in a manner that ensureappropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Our Organisation demonstrates that we meet the aboveprinciples as we have created policies and procedures which outline themeasures taken to meet the requirements. Our policies are as follows:
- GDPR Policy (this Policy)
- CompletedICO GDPR Documentation Controller Template
- Subject Access Request Policy
- Consent Policy
- Data Breach Recording and Response Plan
- Recordkeeping policy (personal data)
- Privacy Notices (for Staff and clients/investorswhose personal data we hold).
Our procedures are as follows:
- All staff must read this document and confirm,by email[HS1] ,to the Compliance Officer, that they have done so (to ensure they have a basic understandof GDPR).
- The Compliance Officer is the main point ofcontact for data protection at the Organisation.
- The Compliance Officer is responsible forupdating/maintaining the data protection recordkeeping (maintains the ICO GDPRDocumentation Controller Template). Refer to appendix VI (recordkeepingpolicy).
- All subject Access Requests must be forwarded tothe Compliance Officer
- All data breaches must be notified to theCompliance Officer
- Privacy Notices are sent to allclients/investors (upon take-on) and staff (upon joining)
- Any transfers of data outside of the EU must bepre-notified to the Compliance Officer
- Annual regulatory/financial crime trainingincludes an overview GDPR (personnel attending this training are the same asthose working within the non-regulatory business therefore it will apply to allpersons within RLC Ventures).
- The appendices to this document are our workingpolicy documents and we monitor these as part of our compliance monitoringprogramme.
After due consideration, our Organisation has determinedthat it does not require a Data Protection Officer (“DPO”). This is on the basis that the GDPR onlyrequires the following to appoint a DPO:
The organisation is a data controller and therefore, as acorporate entity, must comply with GDPR. The Governing Body of the Organisation has nominated the ComplianceOfficer as having responsibility for the general day-day oversight of the Organisation’sGDPR compliance. Any concerns relatingto the Organisation’s adherence to GDPR must be escalated to the Governing Body(via the Compliance Officer) who have ultimate responsibility for the dataprotection systems and controls and the Organisation’s compliance with GDPR.
Chapter 5 of GDPR requires that certain conditions must be met before personal data can be transferred outside of the EU. These are outlined below. Note that the Firm may use a Server services which are based outside of the EU. However, this is not a ‘transfer of data’ but a ‘transit’ (as the datais not accessed/manipulated in the Server’s jurisdiction) therefore the ruleson transfer of data to do not apply in this instance[3].
The transfer of personal data may take place where theEuropean Commission has decided that the third country/territory/specific sector within that third country has an ‘adequate level of protection’ in terms of holding and processing of data. Therefore, personal data may not be transferred to a country or territory outside the EU unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
At the time of writing, the European Commission recognizes the following third country jurisdictions as meeting the adequacy requirements:
- Andorra
- Argentina
- Canada (commercial organisations)
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Jersey
- New Zealand
- Switzerland
- Uruguay
- US (limited to the ‘Privacy Shield Framework’[4])
At the time of writing, adequacy talks are ongoingwith respect to:
- Japan
- South Korea
Please note that the above adequacy decisions do notcover data exchanges where required under Art 36 of the Police Directive.
Where anOrganisation wishes to transfer data to a third country for which there is not an EC decision on data protection adequacy, it may only do so if it has made sure that certain ‘appropriate safeguards’ are in place and that enforceable data subject rights and effective legal remedies for data subjects are available[5]. The following section outlines what is meant by ‘appropriate safeguards’.
We maytransfer personal data outside the EU (and to a country which has not receiveda positive ‘adequacy decision’ from the EC) where the counterparty receivingthe personal data has provided adequate safeguards, individuals’ rights areenforceable and effective legal remedies are available following transfer. Adequatesafeguards include:
Where data istransferred intra-group, Organisations are most likely to ensure thatappropriate safeguards are in place by ensuring that there are bindingcorporate rules in place governing the transfers. This might be documented inthe Organisation’s procedures manuals, compliance manual or IT security policy.
We maytransfer data to another company within our Group and we understand that wehave a corporate responsibility to ensure that individuals rights under GDPRare enforceable and legal remedies must be available to them post-transfer. Anytransfers which sit outside of the documented corporate rules relating totransfers outside of the EU should be approved by the Compliance Officer priorto transfer.
Where data istransferred to an external entity (where that entity is not within ajurisdiction with an ‘adequacy decision’), Organisations are most likely toensure that appropriate safeguards are in place by ensuring that there is astandard clause in place. Where the Organisationrelies on third party service providers such as Administrators, Custodians, LawOrganisations it must ensure that the Third Parties outside of the EU have inplace sufficient levels of protection that are equivalent to those required bythe Act.
Whereadequate safeguards cannot be met, the Organisation should terminate itscontract or ensure that no personal data is being transferred.
Where the Organisation contracts with a non-EU thirdparty, it expects that the European Commission approved standard contractualclauses (or equivalent) which regulate the transfers of certain Personal Databetween itself and other non-EU service providers are in place. All third-party transfers should be approvedby the Compliance Officer prior to transfer outside the EU.
Although not encouraged, there are anumber of limited circumstances where Personal Data can be transferred outsideof the EU:
1. Consent. Where the Organisation can transferpersonal data overseas if it has the individual’s consent, which should begiven clearly and freely and may later be withdrawn by the individual
2. Contract performance. Where it is necessary to perform a contractof services.
3. Substantial Public interest. This is ahigh threshold to meet and it is most likely to be relevant in areas such aspreventing and detecting crime; national security; and collecting tax.
4. Vital Interest. The Organisation cantransfer personal data overseas where it is necessary to protect the vitalinterests of the individual. This relates to matters of life and death.
5. PublicRegisters. The Organisation can transfer overseas part of the personal data ona public register, as long as the person transferred complies with anyrestrictions on access to or use of the information in the register.
6. LegalClaims. Where necessary for the execution of legal proceedings
7. Whereit is being sent to a country recognized by the Commission as offering adequateprotection (this would include to US organisations which are EU-US PrivacyShield Certified.)
Please revert to the Compliance Officer if in any doubt.
Even where ‘adequacy’, ‘appropriate safeguards’,‘derogations’ do not apply, personal data may still be transferred outside of the EU. However, it is subject tocertain conditions which include the requirement to inform the relevant supervisory authority of the transfer and provide additional information toindividuals (under Art 13 and 14 of GDPR) and inform them what ‘compelling legitimate interests’ are being pursued. Transfers of data on this basis are only permitted where it:
GDPR protects the following 8 rights of individuals:
GDPR requires that Organisations are specific about how theyuse the personal data that they hold on individuals and they must activelyinform those individuals about what information they hold, the basis forprocessing their data, the types of data held and shared with others (ifapplicable) and their individual rights.
Organisationsmust provide individuals with a ‘Privacy Notice’ which contains the aboveinformation (so called ‘privacy information’) in a clearly worded andtransparent way. This must be providedto individuals ‘within a reasonable period’ of obtaining the personal data andno later than 1 month. The Privacy Noticemust be accessible to individuals and individuals must be made aware ofit. For instance, if an Organisation publishesit’s Privacy Notice on it’s website, it should ensure that Clients are aware ofit.
TheOrganisation has separate Privacy Notices (for Staff/contractors and forClients/website) which may be found at Appendices IV and V to this document.
GDPR allows individual data subjects to access theirpersonal data (and supplementary information) so that they aware of and canverify the lawfulness of the processing.
Where an individual makes a ‘subject access request’ toaccess personal data, the Organisation must provide that information promptly,in a commonly used electronic format and at the latest within one month receipt(unless the requests are complex or numerous in which case it must be providedwithin a further two months). Organisationsmay refuse a request where it is manifestly unfounded or excessive (or they maycharge a reasonable fee based upon the cost of processing the request).
Individuals have a right to request the rectification ofinaccurate or incomplete personal data and the Organisation has one month torespond. This refers to the accuracyprinciple whereby data ‘every reasonable step must be taken to ensure that personaldata that are inaccurate, having regard to the purposes for which they areprocessed, are erased or rectified without delay’[7].
Individuals can exercise their right to have their personaldata erased in certain circumstances, for example, where it is no longernecessary for the original purpose it was collected, or the individual objectsto their data being held for direct marketing purposes. However, the right to erasure is notabsolute. An individual may not havetheir personal data erased where, for instance, it is necessary to comply witha legal obligation or for the establishment, exercise or defence of legalactions, or, where it is in the public interest. Where a valid request under the right toerasure is
Similar to the right to erasure, the right to restrictprocessing is not an absolute right. Individuals can request that the processing of their personal data isrestricted in certain circumstances, for instance, when the individual believesthere are inaccuracies in the data the Organisation holds and wishes torestrict processing whilst it is verified, or, where the Organisation no longerneeds to process the personal data but the individual wishes the Organisationto retain it to establish, exercise or defend a legal claim. Processing is ‘restricted’ where the Organisationstores the personal data but may not use it. The Organisation must take measures to ensure that the data is flaggedas restricted or inaccessible to persons who may inadvertently process it. An Organisation may only process storedrestricted data where the individual consents or where there are applicablelegal or public interest reasons for doing so.
Individuals may obtain and transfer their personal data fromone IT platform/service to another, without undue obstruction, where the datais being processed by automated means e.g. price comparison websites.
Where the Organisation processes personal data on the basisof ‘legitimate interest’ (or public interest/official authority), directmarketing (including profiling) and for scientific research/statisticspurposes, the individual has a right to object. The Organisation must ensure that it’s privacy notice explicitlynotifies individuals of this right, and in any event, ‘at the point of firstcommunication’. If the Organisationreceives an objection in relation to its direct marketing activities, it mustcease processing data for this purpose immediately (and where such marketingtakes place online the Organisation must offer an opt-out). The Organisation may only continue to processdata following an objection if it can demonstrate compelling legitimate groundswhich override the interests, rights and freedoms of the individual, or, theprocessing is for the establishment, exercise or defence of legal claims.
There are separate and detailed requirements relating towhere Organisations process data in line with automated individual decisionmaking and profiling. Organisationsconducting such activities should refer to the detailed guidance has beenissued by the Article 29 Working Party (WP29) and the ICO:
http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/
Please note that the following is HIGH LEVEL GUIDANCE ONLY(as this document does not purport to be specialist IT advice). It is for the Organisation to consider its ITarrangements/controls in line with GDPR.
One of the principles under GDPR - the ‘security principle’- requires that data must be processed securely and in line with ‘appropriatetechnical and organisational measures’. This is not a new requirement as the Data Protection Act alreadyrequired Organisations to have data security measures in place. The keyrequirement is that Organisations must be able to prevent the personal datathat they hold from being accidentally or deliberately compromised. This applies in relation to (a) cybersecurity(the protection of networks and information systems) and (b) physical and organisationalmeasures, and is outlined in more detail below.
GDPR requires Organisations to put in place IT securitymeasures that are proportionate. Art32(1) of GDPR states:
“taking into accountthe state of the art, the costs of implementation and the nature, scope,context and purposes of processing as well as the risk of varying likelihoodand severity for the rights and freedoms of natural persons, the controller andthe processor shall implementappropriatetechnical and organisational measures to ensure a level of security appropriateto the risk”.
Where an Organisation is processing data, they shouldconsider the following factors, as proportionate:
Obscuring
Consider whether pseudonymisation and encryption is appropriate
(updated ICO guidance on encryption not available yet)
‘CIA triad’
Ability to ensure the ongoing ‘confidentiality, integrity, availability’ of information security. The Organisation’s IT security measures should guarantee all 3 are met.
Resilience
Are the processing systems and services able to continue operating under adverse conditions e.g. a physical/technical incident and can they be restored to a working state.
Security Event
Consider how the Organisation would restore the availability and access to personal data in a ‘timely manner’ if there was a physical/technical incident e.g. ensure there is a back-up process.
Testing
GDPR requires Organisations to test the effectiveness of IT security measures. Frequency and detail of these depends upon the nature and scale of processing.
Code of certification
If your security measures include a product/service which adheres to a GDPR code of Conduct (once these have been approved) or Certification (once these have been issued), this can demonstrate your compliance with the Security requirements.
The ICO’s guidance on security suggests that Organisationslook at the following factors when reviewing IT systems (and whether specialistexternal advice is required, depending on the sophistication of your systems,usage requirements and technical expertise of staff):
System security
Check the security of your network and information systems, including those which process personal data
Data security
Check the security of the data held in the Organisation’s systems e.g. ensuring appropriate access rights/authorisations and that data is held securely.
Online security
Check the security of your website and any other online service or application you use
Device security
Consider implementing policies on ‘Bring-your-own-device’ (BYOD) if applicable.
Note that this link relates to pre-GDPR guidance on BYOD is currently under review by the ICO (so please check the website for updates).
You may wish to consider the requirements of ‘CyberEssentials’ (the Government scheme which outlines basic IT security controlswhich are simple enough to be self-implemented by companies themselves). Cyber Essentials provides guidance on fivetechnical controls which, if implemented, will indicate that you are operatingunder an appropriate (minimum) level of security. They are, in summary:
1. Use afirewall to secure your internet connection: A firewall creates a ‘bufferzone’ between your IT network and external networks whereby incoming trafficcan be filtered to determine whether it poses a threat to your network or not.
2. Choosethe most secure settings for your devices and software: Check the settingson new software and devices to ensure that any default settings (which maypresent more opportunities for cyber attackers to gain unauthorised access toyour data) are changed. Change alldefault passwords and implement extra security such as two-factorauthentication (2FA) where appropriate.
3. Controlwho has access to your data and services: implement access controls forsoftware, settings, online services and device connectivity functions to ensurepermissions are appropriate to the functions staff or users are performing.
4. Protectionfrom viruses and malware: implement anti-malware systems, consider‘whitelisting’ (creating a list of applications allowed on a device wherebyunlisted applications are then blocked) and ‘sandboxing’ (sandboxedapplications run in an isolated environment with very restricted access to therest of your device/network).
5. Keep yourdevices and software up to date: Ensure staff click on any updates tosoftware/applications issued by the manufacturers/developers as these fixsecurity vulnerabilities in addition to adding new features.
Organisations should, as a matter of good practice, reviewthe above guidelines on the Cyber Essentials website and complete thechecklists on the ‘advice’ page (you are advised to keep a record of yourcompleted checklist):
https://www.cyberessentials.ncsc.gov.uk/advice/
The ICO’s guidance on security suggests that Organisationslook at the following factors when reviewing the Organisation’s physicalsecurity:
Access (pre-entry)
Review the quality of doors and locks and the protection of the premises by alarms, security lighting or CCTV.
Access (post-entry)
How is physical access controlled e.g. visitor passes, on-duty receptionist/onsite security officer, temporary fob access to restricted areas
Disposal of data
Check how hard copies of personal data destroyed e.g. office shredder, secure disposal outsourced to third party (what due diligence performed at outset)? Electronic waste e.g. decommissioning of computers/devices.
Storage
How is IT equipment stored, in particular mobile devices – how secure is this? Are cabinets containing hard copies of personal data lockable/fob-entry room?
If one or more organisations process personal data on the Organisation’sbehalf, these are data processors under GDPR. Organisations must be aware that, as data controller, they remainresponsible for ensuring compliance with GDPR. However, the data processor must also comply with the securityprovisions under GDPR.
Data controllers using a data processor must ensure thatthey obtain the following assurances from a Data processor which is processingdata on their behalf:
· Obtain sufficient guarantees from the dataprocessor about its security measures;
· Ensure that the contract stipulates that theprocessor takes all measures appropriate to the nature, scope, context andpurposes of processing under Art 32 of GDPR (‘security of processing’) i.e.
o Pseudonymisation and encryption of personal data
o Ability to ensure the ongoing confidentiality,integrity, availability and resilience of processing systems and services
o Ability to restore availability and access topersonal data in a timely manner in the event of a physical or technicalincident
o Process for regularly testing, assessing andevaluating the effectiveness of technical and organisational measures ensuringthe security of the processing.
· Ensure that the contract includes a requirementthat the processor makes available all information necessary to demonstratecompliance i.e. to enable the Organisation/authorised third party to audit andinspect the processor
Recital 83 and art 32(4) of GDPR require that any person acting under the Organisation’s authority, with access to personal data, only processes that data where they have been explicitly instructed to do so. The ICO additionally interprets this provision as requiring Organisations to train staff so that they understand theOrganisation’s security policy and procedures relating to personal data.
The ICO recommends that Organisation’s conduct both initial and refresher training, by a suitably knowledgeable person, including thefollowing topics:
· The Organisation’s responsibilities as a data controller
· Staff responsibilities for protecting personal data – outlining that they may commit a criminal offence if they deliberately access or disclose personal data without authority.
· Proper procedures to identify callers
· The Dangers of people attempting to get hold of personal data by deception (incl. how to identify ‘phishing’ attacks or encouraging staff to alter information when they are not permitted to do so).
· Restrictions on the personal use of systems bystaff e.g. to avoid computer viruses/spam).
The Organisation includes a high-level summary of GDPR aspart of it’s annual regulatory and financial crime training provided to allstaff at the Organisation and notifies staff where the Organisation’s GDPR policies are located.
The Compliance Officer is responsible for the Organisation’s data retention procedures, including determining the Organisation’s dataretention, archiving, and destruction schedule of all (physically stored dataand electronic storage device) data – this may vary from different investmentservice or investment product. In doing so, the Compliance Officer shall haveregard to the legal, compliance, business needs and privacy obligations.
The Organisation must document the following, and in doing so may seek to rely on the Information Commissioner’s Office (ICO) pro formatemplates:
· An information audit (or data-mapping exercise)of what personal data we hold and where it is stored; and
· Why personal data is used, who it is shared with and how long it is kept.
The (ICO) pro forma templates can be found here, and includes a template for both Controllers and DataProcessors:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/
Data Retention periods
In establishing the Organisation’s data retention periods, the Compliance Officer must:
· Consider applicable legal, compliance and data protection requirements;
· Consult with senior management and different business units (if applicable) on the collection, storage and archiving ofdata;
· Identify both internal and external entities that collect, store or archive Organisation data; and
· Consider specific retention requirements for sensitive data and procedures for handling stored information during litigationperiods.
During the data retention period, the Compliance Officer is responsible to ensure that archived data is retrievable. This specificallyincludes ensuring that as/when new software or hardware is implemented that theIT team ensures that the new system(s) can read legacy data, and that encrypteddata is easily retrievable.
When establishing retention periods, the Compliance Officer may seek to rely on the Information Commissioner’s Office (ICO) guidance:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/documentation/
Overview
The purpose of this policy is to provide the Organisation with the procedure should it receive a Subject Access Request (“SAR”) from adata subject.
What is a SAR?
A SAR is a request for personal information that the Organisation may hold about a data subject. If a subject wishes to exercise their subjectaccess right, the request must be made in writing. The purpose of a SAR is to make subject aware of and allow them to verify the lawfulness of processing oftheir personal data.
Under the GDPR a data subjects have the right to obtain confirmation as to whether personal data is being processed. If personalinformation is being processed, they are entitled to access the following information:
Procedure
The Organisation has one month to respond to a SAR, anySAR’s should be reported directly to the Compliance Officer and the followingprocedure initiated:
The Organisation does not currently rely upon consent as thelawful basis for processing.
If a member of staff believes/wishes to apply consent as alawful basis for processing, please refer to the Compliance Officer in thefirst instance.
Overview
In accordance with Article 34 and 35 of the General DataProtection Regulation the Organisation is required to have in place a PersonalData Breach Policy. This policy in concerned with how breaches in person data is reported.
What is a Data Breach?
A databreach can be defined as the following "a breach of security leading tothe accidental or unlawful destruction, loss, alteration, unauthoriseddisclosure of, or access to, personal data transmitted, stored or otherwiseprocessed".
Thereare three different types of beaches listed:
1. Breachin Confidentiality – an unauthorised or accidental disclosure of, or access to,personal data.
2. Breachin Integrity – an unauthorised or accidental alteration of personal data.
3. Breachin Availability – unauthorised or accidental loss of access to, or destructionof, personal data e.g. deletion of data accidentally or by an unauthorisedperson, a lost decryption key in the case of encrypted data, or unavailabilitydue to a power failure or service attack.
What should the Organisation do in theevent of uncovering a breach?
Firstlythe Organisation should assess whether the breach is notifiable to the ICO. Notall breaches are reportable, if the information is encrypted, the informationis already in the public domain etc
UnderArticle 33 of the GDPR the Organisation should asses the risks posed to thedata subject including loss of controlover or confidentiality of personal data, identity theft, damage to reputation,discrimination, fraud and financial loss.
Next theOrganisation must assess the likelihood and impact of the breach taking intoaccount the following factors:
Notification Requirements
A Organisation has 72 hours to notify the DPA once it hasbecome aware of a data protection breach. In the event that any member of staffis aware of a data breach the Compliance Officer should be informedimmediately.
In the event that a breach affects individuals in more thanone member state, the Organisation will need to notify its lead supervisoryauthority. Once its been assessed that the breach requires reporting, thenotification should include the following information:
The data subject must be notified without “undue delay”. Thenotification must contain information including in plain English the nature ofthe breach, the contact details of the Organisation and the consequences of thebreach to the subject.
Record Keeping
The GDPR requires controllers to keep records of any personaldata breaches, even if the breaches were not notifiable. These records mustcontain details of the breach, its effects and consequences, and any remedialaction taken. The Organisation should also suggests documenting anyjustifications for not reporting the breach.
Penalties for Failure toComply
The fine for a failure to report a breach can be up to thehigher of 2% turnover or €10 million. The Organisation should note however thata failure to notify may show systematic security failures which couldconstitute a separate breach of the GDPR and attract a separate fine up to thesame level.
Introduction
RLC Ventures (the“Organisation”) is committed to protecting and respecting your privacy. ThisPolicy explains how your personal information is processed by the Organisation,including any affiliates listed in the Data Controllers and Contact sectionbelow (hereinafter also collectively referred to as “us”, or “we”).
This Policycovers personal information relating to you that we may collect in relation toyour employment. This policy describes how you can access and make certainchoices about how we use your personal information.
Your personalinformation that we may collect
We maycollect and process data the below listed information with respect to youremployment.
We maycollect this information from a number of sources, including directly from you,via our affiliates, delegates, partners, service providers, professionaladvisors, or third-party entities with whom we undertake due diligence checksupon you. In doing so, we will ensure that the information we collect isproportionate to our stated purposes.
Whererelevant, we may collect and process personal information related to personsrelated to you. In such circumstances, it is your responsibility to ensure youhave permission from that third-party for us to collect their information andyou remain responsible for ensuring that the third-party understands how theirinformation is being used.
Individualstaff or contractors employed by the Organisation
We maycollect and process your: personal details, including your name, address, emailand telephone numbers, date of birth, nationality; previous employment details,including your previous employers’ name, your position or title and otherreference related materials obtained you’re your previous employer; details inorder for the Organisation to meets its obligations under Financial ConductAuthority rules (or in line with applicable legal or statutory requirements inrelation to our non-regulated business), including information required toundertake required criminal/credit background checks, information on yourfitness and propriety, and any information relating to you that we are requiredto maintain in respect of any regulatory investigation; detail of your bankingrecords, in order to allow us to pay you in respect of your employment contract/ contract for services.
Our legal bases andpurpose for holding your personal information
Unlessspecifically stated otherwise in a Privacy Notice provided to you, we use yourpersonal information in the following ways and based upon the following lawfulbases:
Individualsconnected with our investment services
When we may discloseyour personal information
We maydisclose your personal information with the following category of recipients,and based upon the legal bases and purposes set-out above:
How and where we storeyour personal information
We storeyour physically held personal information in our UK offices. Whereas we storeyour electronically held personal information on backed-up servers provided byour service providers which might not be located in the EU.
We take allreasonable steps to protect your personal information; however, where youchoose to transmit your personal data to us via the internet, we do notguarantee the security of the personal information transmitted and thereforeany transmission is at your own risk.
We maytransfer your personal information to our affiliates, partners or serviceproviders that are based outside of the European Economic Area. In suchcircumstances, we will ensure that your personal information is adequatelyprotected to European Commission approved standards.
Your rights as a Datasubject
In certaincircumstances, in relation to your data, you have the right to:
Furtherdetails of your rights can be found at the ICO website, however, please notethat your rights are subject to our overarching legal responsibilities:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
If you wishto exercise any of these rights, please contact the relevant data controller(listed below).
How long we retainyour personal information
We reservethe right to retain your personal information for as long as we reasonablybelieve it to be necessary in order to facilitate our legitimate interests, inorder for us to comply with our legal or regulatory obligations, where basedupon reasons of substantial public interest, or where your personal informationremains public information by your own actions. For further information, pleasecontact the relevant data controller (listed below).
Our responsibilitieswhen we make changes to our Privacy Policy
We may makechanges to our Privacy Policy at any time and may do so without expresslynotifying you of these changes. However, should the legal bases or purpose forprocessing your personal information changes then we shall expressly notifyyou.
Our Data Controllersand how to contact us
Questionsor individual data requests relating to this Policy should be addressed to therelevant data controller. For the purpose of the data protection legislation,the relevant data controllers are:
Data Controller
Responsible for
RLC Ventures Ltd
91-93 Buckingham Palace Rd
Victoria, London
SW1W 0RP
GDPR contact person: Reece Chowdhry
All investment and business administration activities.
Introduction
RLCVentures (the “Organisation”) is committed to protecting and respecting yourprivacy. This Policy explains how your personal information is processed by theOrganisation, including any affiliates listed in the Data Controllers andContact section below (hereinafter also collectively referred to as “us”, or“we”).
This Policycovers personal information relating to you that we may collect through anymedium, including specifically in relation to the investment services weprovide to you, via our partners and service providers, or through our website.This policy describes how you can access and make certain choices about how weuse your personal information.
Your personalinformation that we may collect
We maycollect and process data the below listed information with respect to personsconnected with the Angel networking and investment services that we provide. Aswell as collecting personal data from our clients, we may also process personaldata about relevant persons connected with the investment services, for exampleinvestors in our funds, co-investors, directors of investee startup companies,etc.
We maycollect this information from a number of sources, including directly from you,via our affiliates, delegates, partners, service providers, professionaladvisors, or third-party entities with whom we undertake due diligence checksupon you. In doing so, we will ensure that the information we collect isproportionate to our stated purposes.
Whererelevant, we may collect and process personal information related to personsrelated to you. In such circumstances, it is your responsibility to ensure you havepermission from that third-party for us to collect their information and youremain responsible for ensuring that the third-party understands how theirinformation is being used.
Individualsconnected with our investment services
We maycollect and process your: personal details, including your name, address, emailand telephone/fax numbers, date of birth, nationality; employment details,including your employers name, your position or title and your corporatecontact details; information on your financial circumstances, including yourprofession, income, assets and liabilities, as well as sensitive and/orcriminal data as part of our standard due diligence process.
Individualsconnected with our partners and service providers
We maycollect and process your: contact information, including your name, address,position, email and telephone/fax numbers; financial details, includingrelevant details for invoicing and billing; and KYC documentation, if and whererequired under relevant Anti-Money Laundering or Counter Terrorism Financing(“AML/CTF”) legislation.
Individualsconnected with our website
We maycollect and process your: personal details, including your name, address, emailand telephone/fax numbers, as well as your login identification and passworddetails; and technical information, including your IP address, browserinformation, and details relating to your visit behavior on our website.Further details are provided under our ‘CookiePolicy’ heading below.
Our legal bases andpurpose for holding your personal information
Unlessspecifically stated otherwise in a Privacy Notice provided to you, we use yourpersonal information in the following ways and based upon the following lawfulbases:
Individualsconnected with our investment services
1. In order to achieve our legitimateinterests. In doing so, we ensure that:
a. your rights and interests areconsidered and protected and there is a minimal privacy impact upon you;
b. we are able to demonstrate that weuse your data in a proportionate manner and you would not likely be surprisedor likely to object to our usage;
c. we can lawfully disclose personaldata to a third-parties where we can demonstrate that this disclosure isjustified;
2. To comply with our legal or regulatoryobligations. For instance, under the UK Financial Conduct Authority Conduct ofBusiness rules and/or relevant AML/CTF legislation;
Individualsconnected with our partners and service providers
Individualsconnected with our website
When we may discloseyour personal information
We maydisclose your personal information with the following category of recipients,and based upon the legal bases and purposes set-out above:
How and where we storeyour personal information
We storeyourphysically heldpersonalinformation in our UK offices. Whereas we store yourelectronically heldpersonal information on third party backed up serversthat might not be located in EU. We understand that we have to ensure thatservice providers do comply with GDPR requirements.
We take allreasonable steps to protect your personal information; however, where youchoose to transmit your personal data to us via the internet, we do notguarantee the security of the personal information transmitted and thereforeany transmission is at your own risk.
We maytransfer your personal information to our affiliates, partners or serviceproviders that are based outside of the European Economic Area. In suchcircumstances, we will ensure that your personal information is adequatelyprotected to European Commission approved standards.
Your rights as a Datasubject
In certaincircumstances, in relation to your data, you have the right to:
Furtherdetails of your rights can be found at the ICO website, however, please notethat your rights are subject to our overarching legal responsibilities:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
If you wishto exercise any of these rights, please contact the relevant data controller(listed below).
How long we retainyour personal information
We reservethe right to retain your personal information for as long as we reasonablybelieve it to be necessary in order to facilitate our legitimate interests, inorder for us to comply with our legal or regulatory obligations, where basedupon reasons of substantial public interest, or where your personal informationremains public information by your own actions. For further information, pleasecontact the relevant data controller (listed below).
Our responsibilitieswhen we make changes to our Privacy Policy
We may makechanges to our Privacy Policy at any time and may do so without expresslynotifying you of these changes. However, should the legal bases or purpose forprocessing your personal information changes then we shall expressly notifyyou.
Our Data Controllersand how to contact us
Questionsor individual data requests relating to this Policy should be addressed to therelevant data controller. For the purpose of the data protection legislation,the relevant data controllers are:
Data Controller
Responsible for
RLC Ventures Ltd
91-93 Buckingham Palace Rd
Victoria, London
SW1W 0RP
GDPR contact person: Reece Chowdhry
All investment and business administration activities.
SFC Capital Partners Ltd
Co registration no: 09226119
1-6 SPEEDY PLACE
CROMER STREET
LONDON
ENGLAND
WC1H 8BU
GDPR contact person: Marguerite Crossfield
Investment and business administration activities related to our regulated activities. Principal firm to Appointed Representatives.
Bennet Brooks[HS2]
Co registration no: 02648803
St. George's Court
Winnington Avenue
Northwich
CW8 4EE
0845 330 3200
Provision of delegated investment services by the Organisation.
Our Cookie Policy
A cookie isa small piece of data sent from a website and stored on the user's computer bythe user's web browser while the user is browsing. We only use cookies that arerequired for the essential operation of our website. These cookies aretypically deleted from your device once the browsing session is terminated.
You canchoose to block cookies that we may deliver to your device through settings onyour web-browser; however, in doing so you may not be able to access or utiliseall aspects of our website.
Overview
As a data controller, we are required to document theinformation required under Art30(1) of GDPR, namely:
(a) the name andcontact details of the controller and, where applicable, the joint controller,the controller's representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and ofthe categories of personal data;
(d) the categories of recipients to whom the personal datahave been or will be disclosed including recipients in third countries orinternational organisations;
(e) where applicable, transfers of personal data to a thirdcountry or an international organisation, including the identification of thatthird country or international organisation and, in the case of transfersreferred to in the second subparagraph of Article 49(1), the documentation ofsuitable safeguards;
(f) where possible, the envisaged time limits for erasure ofthe different categories of data;
(g) where possible, a general description of the technicaland organisational security measures referred to in Article 32(1).
Recordkeepingprocedure (Compliance Officer and Staff)
The Organisation ensures that it keeps a record of the aboveinformation, for the RLC Ventures, by completing the ICO’s ‘DocumentationTemplate for Controllers’ (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/).
It is the Compliance Officer’s responsibility to ensure thatthis spreadsheet is maintained, kept up to date and saved in a suitably securelocation with restricted access.
It is company policy that staff observe the following (inorder that our records remain up to date):
- Notify the Compliance Officer of any changes totheir own personal data or are put on notice of any changes to that of the Organisation’sclients/business contacts.
- Notify the Compliance Officer of any potential/actualbreaches of data protection
- Notify the Compliance Officer of any datasubject access requests
- Check with the Compliance Officer before sharingor transferring personal data to a third party or location outside the Organisation’ssecure IT environment.
[1]Art 4(7), GDPR
[2]Art 4(8), GDPR
[3]Principle 8, Data Protection Act.
[4]The Privacy Shield Framework took effect in Aug 2016 and protects thefundamental rights of anyone in the EU whose personal data is transferred tothe US for commercial purposes. Pleaseclick this link for more information: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en
[5]Art 46(1), GDPR
[6]European Commission model contract clauses for data transfers between EU andnon-EU countries may be found at this link: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
[7]GDPR, Art 5(1)(d)
[HS1]Iassume you removed the sign-off page at the beginning because you would preferstaff to confirm by email that they’ve read this? Have reworded this slightlyto reflect that.
[HS2]Asabove.