General Data Protection Regulation (GDPR)

We are a small entity and the Company is a data controller and processor. We hold extremely limited information about our members, who are all accountancy and business practices. Files containing any personal information will be password protected.

Staff information

The payroll is processed by Ensors Chartered Accountants and therefore is covered by their privacy policy. All documents sent via email will be password protected.

Member information

All information relating to our members is stored on a database that is password protected. We hold limited personal information.

Cookies

Prospective member information

The information we hold on file is obtained from public sources such as websites, LinkedIn and public directories.

CPA EMEA will comply with the provisions of the Data Protection Act 1998, GDPR and any other similar national privacy legislation.

  1. CPA EMEA holds personal data relating to members, prospective members and employees which may include names, addresses, dates of birth, NI numbers, salaries, dates of retirement and dates of death, bank details and some information on pecuniary interests. In most cases it is unlikely that CPA EMEA will hold sensitive personal data (i.e. data that reveals a person’s racial or ethnic origin, physical or mental health, religious or political beliefs or sexual orientation).
  2. Electronic data is protected by both physical and cyber security controls as set out in the attached Security Statement.
  3. Changes to data will be made by staff and directors working on the member/prospective member record, under the supervision of the regional Chairman. Most records are maintained electronically.
  4. CPA EMEA retains data relating to members/prospective members where there is a legitimate need to do so. In most cases, member/prospective member records are retained for a period of 7 years.
  5. CPA EMEA does not generally use sub-contractors to process data (with the exception of payroll), although CPA EMEA may, with the member’s consent, refer members to other specialists. In the event that sub-contractors are used they will be subject to due diligence checks before their appointment and the contracts will include provisions to ensure at least equivalent levels of data security. In addition, CPA EMEA may share data with our software application providers, solely for the purposes of testing, diagnosing and resolving software application issues. Data will be transported via secure means and we will have a data sharing agreement in place between ourselves and the software provider that ensures data remains confidential.
  6. In accordance with the legal requirement, CPA EMEA will be able to provide members/prospective members with copies of their personal data within one month of a request being made.
  7. CPA EMEA has a policy for responding promptly to any suspected data breach and identifying any reporting requirements. CPA EMEA maintains a Register of Breaches and potential data breaches. In each case a report is prepared to clarify the effect of the breach, assess the risks arising, identify causes and set out any action to avoid a recurrence. Each report is signed off by the Regional Chairman.
  8. CPA EMEA acknowledges that members/prospective members provide data to the Association to enable us to provide the contracted services. CPA EMEA will:
     • comply with the provisions of the Data Protection Act 1998, GDPR and any other similar national privacy legislation.
     • take all reasonable steps to keep client information confidential except where we are required to disclose it by law, by a court or regulatory bodies, by our insurers or as part of an external peer review.
     • only use this data for the purpose for which the member/prospective member has provided it.
  9. CPA EMEA recognises the importance of protecting ICT systems, networks and data in cyber space and has established physical and digital security controls which are reviewed and updated on a regular and ongoing basis.

These include:

     • The association’s network is protected by industry-standard firewalls, anti-virus and spam filtering software which is kept fully updated.
     • Policies are in place to ensure operating systems on all devices are kept up to date.
     • The main systems and applications are regularly updated.
     • All data is held on servers in secure locations.
     • Access to CPA EMEA’s domain is controlled by a single user account with a password that is changed regularly.
     • All staff are subject to clear policies on the use of data, ICT equipment and systems, and confidentiality.
  10. On occasions data might be transferred outside the EEA.

Risk Management Procedures

P100 Procedure for Dealing with Data Breaches

A data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes the loss of any device (phone, USB stick, laptop, etc.) containing CPA EMEA data, whether encrypted or not.

There is a statutory requirement to inform the Information Commissioner within 72 hours where a breach is likely to result in ‘a risk to the rights and freedoms of individuals’. The 72 hours includes nights, weekends and statutory holidays.

If any employee or Director suspects that a personal data breach has occurred, the following actions must be taken:

  1. The person discovering or suspecting that a breach has occurred must alert the Chairman and ICT Director (or in their absence the Regional Manager) without delay. They should provide as much information as they have about:
      1. the circumstances of the breach
      2. the personal data that is or might have been lost or accessed
      3. any particular issues or sensitivities that they are aware of

Information might be difficult to come by at this stage, but a lack of detail must not lead to any delay in reporting the breach or potential breach.

  2. The Chairman or ICT Director (or in their absence the Regional Manager) will immediately assess the risks and identify the appropriate next steps. They will also notify:
      1. other directors (unless the breach is very minor and unlikely to be repeated)
      2. the Regional Manager, who will add this to the Register of Breaches.
  3. The Chairman or ICT Director (or in their absence the Regional Manager) will decide whether the breach will need to be reported and whether the affected individuals will be informed.
      1. There is a statutory requirement to inform the Information Commissioner within 72 hours where the breach is likely to result in ‘a risk to the rights and freedoms of individuals’. This could mean that it might lead to discrimination, damage to reputation, financial loss, loss of confidentiality or other significant social or economic disadvantage.
      2. The affected individuals need to be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  4. The Chairman or ICT Director (or in their absence the Regional Manager) will ensure that the incident is allocated a case number and recorded on the Register of Breaches within 72 hours.
  5. The Chairman will nominate a Director or the Regional Manager to conduct an investigation and prepare a report using the attached template.
  6. The investigation report must be completed as soon as reasonably practicable and be sent to the Chairman or ICT Director (or in their absence the Regional Manager), who will:
      1. determine any further action required, including actions to avoid a recurrence, and
      2. sign off the completed report.
  7. The signed report must be sent to the Regional Manager for filing with the Register of Breaches.
  8. The Directors will review the Register of Breaches at least twice a year.

Data Breach Investigation Report

Case number …………….….

  1. What was the breach and when did it occur?
  2. What data was released?
  3. How many people were affected, and who were they (clients, staff, etc.)?
  4. How did this happen?
  5. Has this ever happened before? YES / NO / NOT AS FAR AS WE ARE AWARE

THE INVESTIGATOR’S ASSESSMENT:

  6. Assessment of risk made by the investigating Chairman/Director/Regional Manager (see examples at end of this form): HIGH / MEDIUM / LOW
  7. Was this reported to the ICO? YES (give date, time) / NO
     Name of person who decided/authorised this:
  8. Were the affected data subject(s) informed? YES / NO
     On reflection, do they need to be informed now? YES / NO
  9. What action is recommended to avoid a recurrence?
  10. Any other comments?

This report was prepared by: 

Signature …………………………………………………………. 

Print name ………………………………………………………. 

Date ………………………………………………………………..

Comments by Chairman / ICT Director

Actions approved by Chairman / Director Responsible

Authorised by:

………………………………………………………………
Chairman

Date…………………………………………….

………………………………………………………………
Director

Date…………………………………………….


Examples of assessment of risk:

HIGH: large volume of data, sensitive data, may be accessible to others, suspicion of crime/fraud

MEDIUM: not High or Low

LOW: small number affected, less risk of harm to data subject, limited data, no sensitive data, paper document only and we know where the data went
