Useful links
HCWA GDPR Video
ICO Office
Breach!!!!!
A breach occurs any time someone who is not authorised gains access to Personal or Sensitive data.
This means there is a breach if you:
- send a letter/email to the wrong person containing someone else’s personal data
- mention someone’s personal data in a conversation with anyone who has no right to that information
- email ANY personal information to your home email address where a family member can access it.
- lose a USB key, Laptop, Phone with client information on it
All instances MUST be reported to the GDPR Response Team, immediately. If in doubt, report…better safe than sorry!
Be on your guard at all times and constantly think – do they have the legal RIGHT to see that data and who has given them that RIGHT?
Data Access Request
These can come into the firm in many different ways: email, telephone, letter, social media post or face-to-face conversation.
In all cases, the staff member who receives the Data Access Request must ascertain which client this relates to and refer the individual back to the client for a response.
If necessary, you can explain that, generally, our client is the Data Controller and we take our instructions from them.
If, however, the matter refers to an AUDIT, then we are normally the Data Controller and we should acknowledge their request, obtain their contact details (if not included with the request) and email the enquiry (and any paperwork) to the GDPR Response Team for immediate assessment.
For internal requests (e.g. former, current or potential employees), follow the same procedure.
If in doubt, report…better safe than sorry!
RG approved methods of transfer of Personal Data
GDPR places the onus of responsibility on US to ensure we send things securely; therefore the RG policy is that ALL electronic communications beyond basic salutations have to be sent securely.
What does securely mean?
- Sent in a manner that does not allow the information to be intercepted and read with little or no effort on the part of the person intercepting or receiving the file.
How do we do this?
- The Firm's preferred method of delivery is to use one of the secure Portals (CCH OneClick, Caseware Portal, SageDrive, Mimecast Portal), as these retain the data in a secure area until the client actively goes to pick it up.
- If sending by email, all data must be in a password-protected ZIP file. The password should be the client's date of birth (or a password agreed with the client beforehand) in the DD/MM/YYYY format. DO NOT include the password in your email.
Exceptions
- Data can only be transmitted without a password where the client has clearly stated that they do not wish to use the password / portal system. Please ensure your email states "attachment sent without password protection as requested by you" and file any such requests in CCH Document Centre.
- Dropbox or other online data storage/data transfer applications can only be used where the client has instructed RG to do so. RG staff cannot recommend any data transfer solutions outside of the above methods.
Any concerns about how data is being transmitted must be raised to the GDPR Response Team immediately. If in doubt, ask…better safe than sorry!
This document is available on CCH Document ID 815431