This note sets out the steps Dixon Wilson are taking to ensure the firm complies with the General Data Protection Regulation (GDPR).

The GDPR requires all businesses to demonstrate they are processing data legally and protecting the rights of individuals regarding the personal data held. 
Understanding what data the firm holds and uses across the business helps the firm comply with the regulations. For this reason, a full data audit has been carried out internally. This audit involved:

1. Identifying the personal and sensitive data the firm holds.
2. Documenting where the data is stored, how the data is used and with whom the data is shared.
3. Establishing from where the data came from and identifying the legal basis for holding and processing it.
4. Determining whether the data has been stored outside the firm’s agreed retention period and considering whether we need to continue to hold that data.

We have reviewed relevant security measures to ensure systems are robust and personal data is safeguarded.  This has helped the firm identify any potential risks of non-compliance or any weaknesses in our data storage and handling systems.

Cyber essentials certification and ISO 27001

We have continued to upgrade cyber security systems over the last few years irrespective of GDPR. The firm is  certified under the Cyber Essentials Scheme.

The Cyber Essentials Scheme is a government-backed scheme to help organisations protect themselves against common cyber attacks. In order to obtain accreditation, businesses need to contact one of the relevant certification bodies and carry out an assessment.

Data encryption

We have tightened our policy on e-mail encryption. Where encryption of the e-mail in transit is not supported by the recipient’s e-mail server, e-mails are automatically sent using a secure messaging portal.

Dixon Wilson has been engaging with the handful of organisations with which we share data.

We have also identified arrangements where it is necessary to have data sharing agreements and contracts in place with third party processors which set out respective responsibilities under GDPR. 

Dixon Wilson is not required to have a Data Protection Officer (DPO). However, we have appointed a senior member of staff as “Head of Data Privacy”. This is to increase the status attached to and priority given by staff to data protection within Dixon Wilson.

We have clear policies in place for reporting a data breach. This is not simply so the firm can notify the ICO (Information Commissioners Office) but also anyone (including employees and clients) whose data may have been compromised. Our instructions to employees are that if any employee becomes aware of a data breach, it should be reported to the Head of Data Privacy immediately.

It is important that all businesses identify the legal basis for processioning data and document it. We concluded on the most appropriate way to achieve this - a combination of “legitimate interest” and as required for performance of a contract.

We are currently issuing a new engagement letter to all clients. 

Data controllers are required to continue to provide transparent information to data subjects. The firm has reviewed its privacy notices to ensure they are in line with GDPR and are in clear and plain language.

The information to be provided must be more comprehensible and inform the data subject of their rights and the period for which data will be stored.

We intend to ensure that privacy is considered when implementing any new product or service. We will endeavour to bring this into all projects we contemplate early in the process and not as an afterthought so as to ensure and be able to demonstrate compliance with the GDPR.

We have ensured that procedures are in place to deal with individual’s enhanced rights under GDPR, such as the right to erasure.

All employees have been made aware of the new data protection regulations and the implications of non-compliance.