Couple holding keys and with new car New car

Data Protection Policy

  • 1. Purpose
    • a. The purpose of this policy is to outline the company procedures on handling personal data.
    • b. In order to abide by GDPR and the Data Protection Act, we have strict processes in place in which we expect all employees to abide by.
    • c. We also expect any contractors, consultants or anyone affiliated or working on behalf of the firm to abide by this policy.
    • d. We take our regulatory responsibilities very seriously, and all staff and parties we work with should be aware of their responsibilities and duty of care under this policy.
  • 2. Regulation
    • a. In order to work with personal data, we are required to be registered with the Information Commissioner's Office (‘ICO’). Our registered number is Z9040030.
    • b. It is the responsibility of Senior Management to ensure that our ICO details are accurate, maintained and up to date.
    • c. As a company we will ensure we keep up to date with any regulation changes and updates, making any changes or updates to our process to reflect any changes.
    • d. There are some key words and definitions we feel it is important for you to be aware of to fully understand this policy, we have listed these below.
    • e. If at anytime there are parts or terms within this policy you do not understand, please consult Andrew Crowther
      Personal Data Information that relates to an identified or identifiable individual. If it is possible to identify an individual directly from the information you are processing, then that information may be personal data
      Sensitive Data Sensitive data is a specific set of “special categories” that must be treated with extra security. Examples of these categories are: 
      • Racial or ethnic origin;
      • Political opinions;
      • Religious or philosophical beliefs
      Controller A controller determines the purposes and means of processing personal data
      Processor A processor is responsible for processing personal data on behalf of a controller
      GDPR General Data Protection Regulation
  • 3. What information do we need and/or collect?
    • a. For the purpose of obtaining a consumer a potential finance acceptance, we will collect the following personal data:
      • Name
      • DOB
      • Address and residential status
      • Marital status
      • Employment status and details
      • Income
      • Licence type
      • Bank details
      • Marketing preferences
      • IP information
    • b. We will not request sensitive data, or any additional personal information that is not required.
    • c. Personal data can be processed and controlled and dependent upon the source of our applications, we can be either.
  • 4. Principles
    • a. GDPR sets out 8 principles, which define the obligations of the firm as a registered data user of personal data. Article 5(1) sets out that data shall be: -
      • (a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
      • (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
      • (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
      • (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
      • (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
      • (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
      • Article 5(2) adds that:
        The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
  • 5. Internal Process and Responsibility
    • a. Training
      • i. All employees will receive training on initial induction, and at least annually to cover GDPR and our responsibilities to our customers as a company.
      • ii. If at any time an employee feels they require further training, this will be arranged as soon as possible.
      • iii. Should we make any changes within the business, we will go over this with staff in a training/team environment to explain these changes.
    • b. Subject Access Request (‘SAR’)
      • i. It is important that ‘SAR’ are recognised and dealt with quickly.
      • ii. A ‘SAR’ may be as simple as a letter from one of the firm’s customers asking what information we hold about them or a phone call requesting this information.
      • iii. If a request is received the enquirer must be sent:
        • A copy of the information held on them, this includes both computer and relevant written paper records.
        • A description provided as to why that information is processed.
        • Anyone it may be seen by or passed to.
        • The logic involved in any automated decisions.
      • iv. ‘SAR’s will be dealt with by Andrew Crowther, he will be responsible for managing subject access requests.
      • v. Before any request is actioned, Andrew Crowther, should verify the identity of the person making the request. This must be done over the phone so we can verify security with the customer before actioning such a request.
      • vi. If it is determined relevant, proof of ID may be requested such as but not limited to – In date Driving Licence or Passport, Proof of address within the last 60 days.
      • vii. A ‘SAR’ must be dealt with within 28 days from the date of receipt. If further time is needed, should the request be potentially deemed excessive, we will make the individual aware how long this request would take. In the event information contains details of another individual, information may be refused or redacted.
      • viii. All information sent in response to a ‘SAR’ should be easy to understand and therefore the sending of computer printouts may not be acceptable without a covering explanation on codes used. All information will be sent in the most protected format, this may depend on each individual circumstance.
      • ix. We will not charge a fee for a SAR unless the request is deemed excessive and will take up a large proportion of an employee's time.
    • c. System Security
      • i. IT Equipment
        • All systems should be locked if you need to step away from your desk, and completely shut down at the end of the day.
        • All our technology is fitted with firewall and antivirus software, this is tested on a regular basis to ensure full protection.
        • No documentation should be stored on your individual hard drive, this must be saved to our systems or internal drives.
        • You must delete any documentation kept on your hard drive daily.
        • Emails will be deleted after a certain time period, so no information is kept via email.
        • This may differ for certain members of the management team for record keeping purposes.
      • ii. Passwords
        • Passwords should be changed on a regular basis, and if you believe someone knows your password, it needs to be changed immediately.
        • Any passwords created must be classed as ‘strong, meaning they must include uppercase, lowercase, numbers and special characters.
        • You must not disclose your password to any party.
        • In the event a member of staff leaves the company, all system passwords or office codes need to be changed.
      • iii. Systems
        • Internal systems are strongly encrypted through the programme protection.
        • We use Dealtrak to hold, process and secure our customer data.
        • We use this system to communicate with all customers to ensure the most secure line of communication.
        • For internal storage of company information or documentation, we use [X]. We have chosen this method as we believe that this is the best system for us with its security and encryption process.
    • d. Office Security
      • i. Access to business areas is restricted, do not let anyone in the office area without first confirming who they are, their purpose for visiting and who they are here to see.
      • ii. When leaving the office premises ensuring that everything is locked, and the office is fully secured.
      • iii. To ensure protection, we have locks on all doors and any cabinets containing information are locked with only Andrew Crowther having access.
    • e. Physical Information
      • i. No staff member is permitted to take physical information off site.
      • ii. All documentation containing customer information must be disposed of in confidential waste at the end of each day.
      • iii. This includes any print outs or any noted information you may have made.
      • iv. Any documentation you need to keep either needs to be locked away securely or scanned onto our electronic systems and disposed of.
    • f. Phone Security
      • i. Before divulging customer information, you must confirm adequate data protection in the form of a customer’s name, date of birth and postcode.
      • ii. Should you have any reason to suspect that the customer is not who they say they are after further questioning, you must terminate the call and close down the application.
      • iii. All calls are recorded for training and compliance purposes, before a customer is put through it advises the customer that it will be recorded. If you are making an outgoing call you must make your customer aware of this.
      • iv. Never repeat customer information to them, as this may be heard by someone on another call or a visitor on site.
      • v. Without consent from the customer, you are unable to discuss the application with another individual e.g spouse. You must ensure you have permission from the customer before doing so and this is noted on the system.
      • vi. You must always confirm a customer's identity via phone call before communicating any personal information or information relating to their application in any other method, for example but not limited to text, whatsapp, messenger or email.
      • vii. Please note where possible all communication is recommended to be done via phone call so you can confirm identity.
      • viii.  All quotes must be confirmed via call.
    • g. Mobile Phones
      • i. Mobile phones are not permitted within the office, should you need to use your personal phone, you need to take it outside of the office.
      • ii. You are not permitted to use a personal mobile phone for work use and should not access any systems, emails etc. through this.
    • h. Personal IT
      • i. Customer data cannot be taken off site by staff, salespeople, suppliers, IT consultants or contractors where laptops and other devices (USB sticks, CDs, hard disks etc.) are not encrypted.
      • ii. No member of the team is permitted to use their own IT equipment or hold information on personal IT equipment i.e emails on personal mobiles without prior written approval from a director.
    • i. Confidentiality
      • i. No member of staff is permitted to discuss any company, consumer or employee information whether inside or outside the company, that is not relevant or productive to a consumer’s application.
      • ii. Information is to be kept confidential at all times, even when or if employment with our firm has ended.
      • iii. All contractors or third parties we work with must have confidentiality terms in place to protect the information we hold.
      • iv. You must follow all data protection processes set out within this policy to ensure confidentiality at all times.
    • j. Consent
      • i. Credit searches on an individual must not be conducted without the consent of that individual.
      • ii. The firm’s policy is to obtain this consent in writing, normally as part of the application process, however, verbal consent of the customer will be considered in certain circumstances (e.g gaining consent once an application has expired).
      • iii. Staff should contact senior management or compliance if they are unsure if adequate consents have been obtained.
      • iv. It is essential that we gain consent for the lawful basis we are going to process the consumers information.
      • v. In the event an application has expired, consent must be regained.
      • vi. Any joint applicant or guarantor must provide their explicit consent before going on the application.
      • vii. If a customer retracts or withdraws their consent, this must be noted, lenders updated and where possible an application completely paused until we can manage further actions. If at any point you are unsure on the steps to take, consult Andrew Crowther.
    • k. Credit Reference Agencies
      • i. Should a customer wish to know information regarding their credit profile, we are unable to divulge information.
      • ii. There are two major credit reference agencies in the UK at present, Experian and Equifax. Their main purpose is to supply factual information to providers of financial services in order to establish peoples credit histories.
      • iii. Customers have a legal right to have access to the data held by credit reference agencies. Customers also have a right to request that the agency remove/amend incorrect data.
      • iv. Customers can write to the agency to obtain a copy of their credit file.
        • Equifax Europe UK Limited Experian Plc.
          PO Box 3001 PO Box 8000
          Glasgow Nottingham
          GS1 2DT NG1 5GX
    • l. Marketing
      • i. To comply with the requirements of the Data Protection Act all customers both new and existing have to be given the right to opt out from receiving advertising and marketing material from the firm.
      • ii. Likewise, customers have to be informed if the firm intends to pass information to a third party for marketing purposes.
      • iii. Customer’s personal data is collected on application forms and the election for customers not to receive marketing material is covered through the inclusion of an ‘opt-out’ box.
      • iv. We will ensure no consumer is automatically ‘opted in’ for marketing.
    • m. Retention
      • i. We will never keep information for longer than is necessary, and we will store consumer data for 6 years.
      • ii. Once this retention period is over, we will dispose of all information confidentially.
      • iii. The purpose of us storing data this long is for record keeping.
      • iv. Staff information will be kept as long as they are employed by ourselves and for as long as is necessary for accounting purposes once no longer employed by the firm.
    • n. Privacy Impact Assessments (PIA)
      • i. When required, due to a change in our business that concerns our data, we will carry out a PIA.
      • ii. This will be documented and saved internally showing our findings.
      • iii. These findings may show highlighted areas of risk that we need to resolve, or that the change can proceed as planned.
      • iv. A PIA must be done in advance of the change in order to evaluate and prepare for any risks.
      • v. A PIA must contain -
        • a. at least a general description of the processing operations and the purposes;
        • b. an assessment of the risks to the rights and freedoms of individuals;
        • c. the measures envisaged to address those risks;
        • d. the safeguards, security measures and mechanisms in place to ensure we protect the personal data; and
        • e. a demonstration of how we are complying with GDPR, taking into account the rights and legitimate interests of the data subjects and any other people concerned.
      • vi. In the event a PIA highlights high risk which we are unable to resolve, Andrew Crowther must inform the ICO in writing to resolve, before action is taken.
    • o. Data Protection Office (DPO)
      • i. Due to the size of the firm, at this time we have not appointed a DPO.
      • ii. As sole director Andrew Crowther is responsible for the overall management and oversight of the firm.
      • iii. Thy responsible for enforcing the responsibilities and actions listed within this policy.
      • iv. This will be regularly reviewed as we grow.
  • Monitoring and Compliance
    • a. In the event the company breaches this policy, or any regulation set out by the ICO, this must be reported immediately.
    • b. Both the customer and the ICO must be made aware within 72 hours and kept up to date of any investigations or changes following the breach.
    • c. Breaches will be recorded on our compliance monitoring plan and used for management information.
    • d. Processes and procedures will be regularly assessed to ensure compliance with guidelines and law.
    • e. Andrew Crowther is responsible for ensuring the above process is followed.
  • Review
    • a. This policy will be reviewed on at least an annual basis.
    • b. Any updates will be reissued to our team, along with any training to ensure they fully understand the changes that have been made.
    • c. Andrew Crowther is responsible for approving this policy and process.
  • Confirmation
    • a. By signing the below, you can confirm that you have fully read and understood the above policy, received adequate training on the subject and provided the opportunity to ask any questions.
    • b. Breaching the responsibilities in this policy may result in legal or disciplinary action, therefore you can confirm you will carry out the above duties in a compliant manner and in line with company policy.
Am I Eligible