The General Data Protection Regulation (GDPR – EU 2016/679) came into force on 25th May 2018 and replaces the Data Protection Directive (95/46/EC) which was transposed into UK law by way of the Data Protection Act 1998 (DPA).
GDPR was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy. The GDPR applies to all firms that process personal data and, as a European Regulation, is directly binding upon Halo Global Asset Management Ltd (‘Halo’ or ‘the firm’).
Although the firm has previously been subject to, and has complied with, the data protection requirements arising under the DPA, the GDPR sets higher requirements on the obligations of firms and the processing of personal data.
This policy also contains the following Annexes:
Annex I: Definitions of some commonly used terms in the GDPR
Annex II: Lawfulness of processing
Annex III: Information to be provided to the individual concerned
Annex IV: The six principles of processing personal data.
This policy applies to all individuals employed by the firm (whether permanent, fixed term or temporary) and contractors of the firm (collectively Employees).
Although this Policy is based upon the firm’s responsibilities under GDPR, all Employees have a role to play in ensuring that the firm complies with these responsibilities.
Whilst the GDPR provides for the imposition of administrative fines for breaches of its obligations of up to €20m (or 4% of worldwide total turnover if higher), it is also, under UK law, a criminal offence for a person to obtain, disclose or retain personal data without the consent of the controller. In this regard, the DPA is expected to be supplemented with further data protection criminal offences.
This document sets out the firm’s policy for adherence to the GDPR and expected behaviours and applies to all of the firm’s employees and outsourced service providers when personal data is processed. Unless specified to the contrary, any reference to the firm’s processing data can also be read to refer to third parties that process data on behalf of the firm.
1.3 RELATED POLICIES AND PROCEDURES
- Data Protection Privacy Statement (on the website)
- Data Retention Policy
2. WHO DOES GDPR APPLY TO & HOW DOES IT AFFECT THE FIRM?
The GDPR is directly applicable to anyone who is a controller or processor of personal data. Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a file reference etc. Processing includes, but is not limited to, collecting, storing and using personal data. For the purposes of the GDPR, the firm will be primarily a ‘data controller’ but will also process personal data.
All controllers must ensure that personal data is processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
3. DATA COLLECTION
Personal data can be collected by the firm in respect of:
- Staff for the purposes of e.g. maintaining employment and sickness records, payroll etc.
- Clients/investors (either actual or proposed)
- Firms providing services to HGAM.
All personal data will be collected and processed in accordance with the ‘lawfulness of processing’ (‘legal basis’) obligations under the GDPR (see Annex II). Generally, personal data relating to clients/investors and the firm’s employees will be for the purposes of ‘legitimate interests’. However, each case will be considered and determined in line with the ‘lawfulness of processing’ requirements. Where deemed appropriate e.g. for marketing purposes, then freely given specific consent will be requested (see Annex II).
For these purposes ‘freely given’ means that the individual has made a positive decision to consent to the processing of their personal data. As such, a pre-ticked box or a general statement etc. that consent is assumed will not be deemed to be freely given.
Where the provision of a service is conditional on consent being given to the processing of personal data that is not necessary for the provision of that service, e.g. a requirement to consent to the receipt of marketing material, then this will not be deemed to be freely given.
Personal data will be retained no longer than is necessary for the purposes for which it is processed, subject to any legal or regulatory obligations imposed upon the firm.
4. INFORMING DATA SUBJECTS
When personal data is collected directly from the data subject then that individual will be provided with the information required under the GDPR at the time the personal data are collected. This includes, but is not limited to, the purposes of the processing, the legal basis for the processing and whether there is an intention to transfer personal data outside the EU (‘third-country’) (see Annex III).
Where personal data is collected from someone other than the data subject then the latter will be informed of this in accordance with GDPR requirements.
5. LIMITATION OF DATA COLLECTED AND PURPOSE
The collection of personal data by the firm will be limited to that necessary for:
- Providing services, including administration services, to clients/investors
- The general day-to-day running of the firm.
- Marketing, including newsletters.
6. SPECIAL CATEGORIES OF DATA (SENSITIVE DATA)
The GDPR imposes further requirements on the processing of sensitive data. Such personal data includes e.g. that revealing ethnic origin, political opinions, criminal convictions and offences etc. HGAM neither collects nor processes such personal data, with the exception of criminal convictions/offences. This data is processed purely to assist the firm with the completion of FCA approved person applications or whilst conducting background employment checks.
7. DATA TRANSFERS
The firm makes use of services provided by various third-parties (‘outsourcing’).
Due diligence on these providers has been undertaken by the firm to ensure they are able to meet the standards expected by the firm. Some of these entities will be involved in the transfer of, and the processing of, personal data on behalf of the firm and as such will be ‘data processors’.
For such firms, the due diligence performed by the firm will include a review of the procedures and processes developed to ensure compliance with the GDPR and the security of personal data processed. In addition, processing of personal data will be governed by a contract whose terms are in accord with that specified in GDPR.
The firm makes use of hosted exchange and VoIP telephony services. These services use the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic protocols, which encrypt network connections to protect communications in transit. Put simply, emails to and from the firm are sent through an encrypted tunnel. Although some of this data may be transferred to the United States (which is defined as a “third-country” by the GDPR), our datacentres are certified under the Privacy Shield Framework Agreement (www.privacyshield.gov/welcome). These services are required by the firm in order to perform its own services (see Limitation of Data Collected and Purpose).
Any intention to transfer personal data to a third-country must be notified to the data subject when the data is collected (see ‘Informing data subjects’ above). Transfers to a third-country are only permissible in limited situations including:
- Where the European Commission has determined that the third-country offers equivalent protection for personal data (‘adequacy decision’)
- Where appropriate safeguards are in place such as appropriate contractual clauses authorised by the supervisory authority
- Where the transfers will be subject to binding corporate rules (only relevant between members within a group of undertakings or engaged in a joint economic activity)
- Where the individual has explicitly consented to the proposed transfer after being made aware of the potential risks
- Where the transfer is necessary for the performance, or conclusion, of a contract
8. RIGHTS OF DATA SUBJECTS
The GDPR provides data subjects with the following rights:
- An individual has the right to confirmation of whether their personal data is being processed and, if such is the case, its purpose and envisaged storage period (‘right of access’)
- An individual has the right to require ‘without undue delay’ rectification of inaccurate personal data (‘right to rectification’)
- An individual has the right to be forgotten, subject to the limited circumstances set out in GDPR, including when consent is withdrawn (‘right to erasure’)
- An individual has the right to restrict processing of personal data in certain circumstances including where the accuracy of the data is contested by the individual (‘right to restriction of processing’)
- An individual has the right to receive personal data concerning the individual and the right to have it transmitted to another data controller (‘right to data portability’)
- An individual can object to the processing of personal data which is being processed on the basis of ‘legitimate interest’ unless the controller demonstrates compelling legitimate grounds. Where the processing is for direct marketing purposes then the controller must desist from any further processing for these purposes (‘right to object’)
- An individual has the right not to be subject to a decision based solely upon automated processing or profiling
Not all of the above rights will be applicable to the firm’s business model (e.g. ‘profiling’), nor are they absolute, e.g. the right to be forgotten will not apply to the extent that the processing is in compliance with a legal obligation. The firm will consider any such requests from data subjects on a case-by-case basis.
9. COMMUNICATION WITH DATA SUBJECTS
Information provided to data subjects, whether as a result of the exercise of a data subject’s rights or when informing the individual that their personal data is being collected and its purpose, will be free of charge. However, where such requests are excessive or manifestly unfounded then the firm reserves the right to charge a reasonable fee.
10. DATA PROTECTION OFFICER
The appointment of a ‘Data Protection Officer’ (DPO) is required for those firms that process large amounts of sensitive data or that undertake regular and systematic monitoring of data subjects. As such this obligation does not apply to the firm.
The firm has appointed Rupert Perry as Focal Person (FP) and part of the Incident Response Team, whose responsibility it will be to:
- Work with the Senior Management of the firm to implement GDPR
- Oversee the firm’s continuing compliance with GDPR
- Act as the focal point for the notification of any personal data breaches
- Act as the firm’s contact person with the ICO
11. PERSONAL DATA: BREACHES
Any personal data breach(es) must be immediately notified to Rupert Perry or, in his absence, the Chief Executive. Where possible, such notifications should include:
- The nature of the breach including categories and approximate number of data subjects concerned and data records concerned
- A description of the likely consequences of the personal data breach
- A description of any measures taken, or proposed, to address the data breach and to mitigate its possible adverse effects
The firm is required to notify the ICO within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where it is deemed that the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons then the data subjects must also be notified “without undue delay”. Exceptions to this requirement include:
- When the data affected is e.g. encrypted so that the data is unintelligible to persons not authorised to access it
- If it would involve disproportionate effort, in which case a public communication, or similar measure, will be required
- Where subsequent measures are taken to ensure that the high risk to the rights and freedom of data subjects is no longer likely to materialise
The FP will document and assess the breach to determine the need to alert data subjects and/or the ICO. An assessment will also be made of the need to inform the FCA as the supervisory authority for the firm’s day-to-day activities.
The Operational Committee are responsible for maintaining the Data Breach Log and reporting on a monthly basis to the Compliance Committee.
Annex I – DEFINITIONS
Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data subject
See ‘personal data’ below.
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data portability
A data subject can request receipt of their personal data which they have provided to a controller and has the right to transmit it to another data controller without hindrance (or can request that data be transmitted directly to another data controller where technically feasible).
Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. A processor must only act on the documented instructions of a controller. If a processor determines the purpose and means of processing then it will be considered to be a controller.
Data Protection Impact Assessment
An assessment of the impact of processing operations on the protection of personal data. Sometimes referred to as a ‘privacy impact assessment’, and also known as the Legitimate Usage Assessment.
Lawfulness of processing
Personal data must be processed lawfully and in a transparent manner in relation to the data subject. Article 6 of the GDPR (reproduced in Annex II) sets out six scenarios, including consent to the processing being given by the data subject, which will comply with ‘lawfulness of processing’.
Personal data
Any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A low bar is set for “identifiable”; if anyone can identify a natural person using “all means reasonably likely to be used” the information is personal data, so data may be personal data even if the organisation holding the data cannot itself identify a natural person (e.g. name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address). Online identifiers are expressly called out in Recital 30 with IP addresses, cookies and radio frequency identification tags all listed as examples.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Privacy impact assessment
Also known as a ‘Data Protection Impact Assessment’ (see above).
Legitimate Usage Assessment
Also known as the Data Protection Impact Assessment or the Privacy impact assessment (see above).
Special categories of personal data (‘sensitive data’)
Term used in the GDPR to refer to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; it also captures genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation. Article 9 of GDPR prohibits the processing of such data unless it meets one of the conditions set out therein, e.g. explicit consent. Article 10 of GDPR imposes stricter requirements on the processing of personal data relating to criminal convictions and offences.
Focal Person (FP)
As smaller firms like HGAM do not need a DPO, we have instead appointed a Focal Person.
Incident Response Team
The team to go to in case of a data breach, who will document it and report it to the ICO within the required time.
Annex II – LAWFULNESS OF PROCESSING
Processing is lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Annex III – INFORMATION TO BE PROVIDED TO THE DATA SUBJECT
Information to be provided where personal data are collected from the data subject (refer to Article 14 for information to be provided where personal data have not been collected from the data subject).
- Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
- In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(c) where the processing is based on point (a) of Article 6(1) (‘consent’) or point (a) of Article 9(2) (‘explicit consent’ re ‘special categories’), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
- Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
Annex IV – PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA
A data controller is responsible for, and must be able to demonstrate compliance with, the following principles.
- Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Appendix 1 – The Subject Access Request Form
Subject Access Request Form
Halo Global Asset Management Ltd (‘Halo’ or ‘the firm’) collects, holds, and processes certain personal data about our staff, clients, investors and firms providing services to HGAM (collectively, ‘data subjects’). As a data subject, you have a legal right, under EU Regulation 2016/679 General Data Protection Regulation (GDPR), to find out about our use of your personal data as follows:
- Confirmation that your personal data is being processed by us;
- Access to your personal data;
- How we use your personal data and why;
- Details of any sharing or transfers of your personal data;
- How long we hold your personal data;
- Details of your rights under the GDPR including, but not limited to, your rights to withdraw your consent to our use of your personal data at any time and/or to object to our processing of it.
No fee is payable under normal circumstances. We reserve the right to charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive. Such charges will be based only on the administrative cost that we will incur in order to respond.
Please complete the required information overleaf and return it to us by email or by post addressed to the firm’s focal person. You do not have to use this form and may instead write to us using the same contact details.
After receiving your subject access request, we may contact you to request additional supporting information and/or proof of your identity. This helps us to safeguard your privacy and personal data.
We will respond to all subject access requests within one month of receipt and will aim to provide all required information to you within the same period. If we require more information from you, or if your request is unusually complicated, we may require more time and will inform you accordingly.
If you are making a subject access request on someone else’s behalf, please contact Alex Luke at the above address before making your request.
Information Being Requested
Please provide specific details below (along with any relevant dates) of the information being requested and any additional information that may help us to locate your personal data and to confirm your identity. Please detail how you would like the information to be sent to you e.g. electronically or paper based. Please note that usually electronic information will be sent to the email address that you have provided. If you wish to have hard copies of the information you will need to provide us with a postal address or make arrangements for collection.
By completing this form, you are making a subject access request under the GDPR for personal data collected, processed, and held about you by us that you are entitled to receive.
By signing below, you confirm that you are the data subject named in this Subject Access Request Form. You warrant that you are the individual named and will fully indemnify HGAM for all losses and expenses incurred if you are not. We cannot accept requests in respect of your personal data from anyone else, including members of your family.
Signature and Date:
Appendix 2 – Data Protection Breach Procedure
HGAM (‘the firm’) is committed to handling personal data in line with best practice and as such this Policy details the procedures to use when dealing with and responding to data protection breaches. This is to ensure that incidents are responded to promptly, risks are minimised, learnings identified and remedial actions are implemented.
These procedures apply to all staff, suppliers, contractors, agency workers, volunteers, clients or anyone else who may handle or have an interest in personal data on behalf of the organisation.
Data Protection Breaches
A data protection breach occurs when personal data (which includes any information that allows an individual to be identified) is processed without authorisation, which may result in its security being compromised. For the purposes of this policy, data protection breaches include both confirmed and suspected breaches.
This procedure is concerned with the management of such data protection breaches, which involves the detection and reporting of breaches as well as learning from the breach and implementing appropriate remedial actions.
Most commonly, data protection breaches occur as a result of human error, theft, unauthorised access, equipment failure, hacking or loss, e.g. of a memory stick or of confidential papers left on public transport. When a data protection breach has been discovered, whatever the reason for the breach, the following procedure should be followed:
All staff are responsible for data protection and should be alert to any actual, suspected, threatened or potential data protection breaches. As soon as a data protection breach has been discovered, where possible, a Data Protection Breach Reporting Form should be completed (to the fullest extent possible at that time), which provides full details concerning the breach. This form should then be passed to the focal person of the firm as soon as possible and within 12 hours of the discovery of the breach. If you need help completing the form, or are unable to complete the form, then any delay should be avoided and instead the matter should be reported immediately, either verbally or using electronic means, such as email.
Once a data protection breach has been reported, an initial assessment will be made concerning the content, quality of data involved and the potential impact and risk of the breach.
Following a discovery of a breach and the receipt of such a report, consideration will be made regarding whether the matter needs to be reported to the Information Commissioner’s Office (ICO) and whether individuals who are potentially affected need to be informed.
Current legislation states that any data protection breaches (irrespective of their severity) should be reported to the ICO as soon as possible and no later than 72 hours after their discovery, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
In addition to this, the individuals affected by the breach should be informed if the breach is likely to pose a high risk to them. The individuals should be informed of the nature of the data breach and the steps that the firm is taking to protect their data.
The incident should also be logged in the Data Protection Breach Register.
Containment and Recovery
As soon as possible after the discovery of an actual or suspected data protection breach, consideration should be given to:
- whether the breach has been contained as far as possible and whether any further steps can be taken to contain the data from further loss;
- whether any steps can be taken to mitigate the impact and risk of the loss;
- whether anything can be done to recover the data.
Following the initial discovery/reporting of an incident, an investigation should be initiated to understand the full facts regarding the data protection breach. The extent of the investigation will be a matter for the firm to decide and may simply involve the collation of documents, or may involve interviewing staff involved in the breach, collecting witness statements, reviewing CCTV etc.
Once the full facts have been ascertained and the investigation has been concluded, consideration will be given to the learnings from the breach and, most importantly, to what remedial actions the organisation needs to take to prevent a recurrence of the incident; this may include any appropriate disciplinary action for individuals implicated in the breach.
Actions should be documented on an action plan, which is reviewed on a regular basis thereafter to ensure that the actions have been carried out.
During and/or at the end of the completion of the investigation the Data Protection Breach Reporting Form and the Data Protection Breach Register will be updated to ensure that all the details of the events have been properly documented.
Any “Workers” who act in breach of this policy, or who do not implement it, may be subject to formal disciplinary proceedings, which may involve dismissal depending on the relevant circumstances.