GDPR Policy

DL Accounts Ltd ensures that we are compliant with all Data Protection Legislation, including the Data Protection Act 1998 and the EU General Data Protection Regulation (GDPR), which applies from 25 May 2018. DL Accounts Ltd acknowledges that although GDPR is EU legislation, the UK Government has confirmed it will be retained in UK law, and it will therefore continue to apply to the UK after we leave the EU (Brexit).

DL Accounts Ltd collects, processes, stores and shares information in accordance with this legislation. More information can be found in our Data Protection Policy and Privacy Notice.

The GDPR states that organisations should not process or retain extraneous personal data. That means data should be collected for a specific purpose, used only for that purpose and retained only for as long as it meets that purpose. DL Accounts Ltd complies with this.

Step 1: Awareness

Everyone in the business needs to understand what GDPR is and what impact it will have on them.

The business has formal GDPR policies and statements in place which staff are required to read and be familiar with to ensure they understand what GDPR is and the impact it has on them.

The company also holds weekly team meetings during which any updates to GDPR or data changes are discussed. The business also has a named employee, Angela Wilkinson, who has responsibility for GDPR in the company alongside the Director, Dexter Lawrence.

Decision makers and key people in the business demonstrate support for Data Protection legislation and promote a positive culture of data protection compliance across the business.

Step 2: Information You Hold

The business needs to identify all the different data and data types held in the business.

DL Accounts Ltd collects different types of client data.

The business regularly maps the data it collects, and documents the Personal, Sensitive and Financial Data held; when and where data comes from; the legal basis for processing data; when data is updated; how long data is retained for and on what basis; where the data is stored and processed; and who the data is disclosed to and why.

The business has carried out extensive Data Mapping and regularly updates this to identify :

  • Why data is collected and processed by the business.
  • Whose Personal Data is processed by the business.
  • When and where Personal data is processed by the business.

The business has identified the following types of data in the business :

  • Personal Data is data which can be used to identify you, and includes name, date of birth, address, telephone number(s), emails etc.
  • Financial Data is data that includes things like National Insurance Number, UTR (Unique Tax Reference Number), Taxation Records, Bank Account/Credit Card/Loan Agreement/Mortgage details, business accounts, income records such as P45s or P60s, pension information, and Attachment of Earnings Orders.
  • Sensitive Data is information related to any of the following : racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.

The only sensitive data DL Accounts Ltd may have access to is in relation to the employees of payroll clients when a GP Fit Note is submitted.

DL Accounts Ltd also uses CCTV for the purposes of crime prevention in its offices located in Burton House, Trinity Street, St Austell.

We collect this data in a variety of ways.

Clients provide us with data at an initial client meeting, via an initial meeting form, and then regularly via information submitted verbally, electronically or in writing, or by submission of documentation to us as part of the contract they have with the business. For example, clients provide data which enables us to fulfil our contractual obligations to them and our statutory obligations to third parties such as HMRC and pension providers.

Step 3: Communicating Privacy Information

The business needs to ensure its privacy notices are GDPR-compliant, and also ensure that it tells people how the business uses their data.

Our GDPR and Data Protection Policy and Privacy Notice are published on our website, or alternatively copies can be requested directly from the business.

This privacy notice tells people what to expect when we collect personal information. It applies to information we collect about:

  • Visitors to our website and other social media including Facebook and Twitter;
  • People who use our services;
  • Job applicants and our current and former employees.

Step 4: Individual Rights

The business must ensure procedures are in place so that individuals can exercise their rights.

DL Accounts Ltd is aware of the following rights for individuals :

  • The Right to be Informed
  • The Right of Access
  • The Right to Rectification
  • The Right to Erasure
  • The Right to Restrict Processing
  • The Right to Data Portability
  • The Right to Object
  • The Right not to be subject to automated decision-making including profiling.

DL Accounts Ltd regularly reviews, and where necessary, updates our privacy information, and brings any new uses of an individual’s personal data to their attention before we start the processing.

DL Accounts Ltd has a separate policy document outlining our procedures for dealing with Individual Rights.

Step 5: Subject Access Requests

The business must have a GDPR-compliant procedure for providing people with copies of their data.

DL Accounts Ltd tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998 and, from 25 May 2018, under the GDPR.

We issue the following notice to clients :

If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.

To make a request to DL Accounts Ltd for any personal information we may hold, you can put the request in writing (by post or email) or make it verbally. Please address requests to Mr Dexter Lawrence, at the following address :

DL Accounts Ltd, Burton House, Trinity Street, St Austell, Cornwall, PL25 5LS.

However, if you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting DL Accounts Ltd.

We will respond to your request within one month, and we do not usually charge you for processing this request.

Step 6: Lawful Basis for Processing Personal Data

The business must identify the lawful basis for processing personal data for everything the business does.

The business has identified the lawful bases for processing data and documented these.

DL Accounts Ltd has two main lawful bases for processing Personal Data:

  • In order to fulfil our contractual obligations towards that person in the provision of services, or because they have asked us to do something prior to entering into a contract. In this case, the processing is necessary, as the business could not reasonably fulfil our contractual obligations to that client without processing this personal data.
  • In order to comply with a common law or statutory obligation. In this case, the processing is necessary, as the business could not reasonably comply without processing this personal data.

For example, in the course of providing contractual services, the business needs to submit Tax Returns to HMRC, Submissions to Companies House, Salary details to HMRC and pension contribution details to Workplace Pension providers.

In addition, DL Accounts Ltd might also use client details such as business name, logo, and business description from time to time on the ‘Clients’ section of our website (www.dlaccounts.co.uk) for marketing purposes. Consent for this is obtained via the Consent Document.

Step 7: Consent

The business must review how consent from people is sought, recorded and managed.

Clients are asked to acknowledge the following :

  • That they have read and understood the information contained in the DL Accounts Ltd’s consent form.

Clients are asked to :

  • Give their consent to collect, store and process personal, financial and sensitive data for the purposes explained in the Consent Document.
  • Give their consent to share personal, financial and sensitive data for the purposes explained in the Consent Document.
  • Give consent to be contacted, in connection with the purposes explained in the Consent Document, via any of the following methods : Email, Telephone, In Writing and Social Media. Clients are given the option to remove any of these methods as necessary.

Clients also have the right to withdraw their consent at any time.

This needs to be put in writing to DL Accounts Ltd, Burton House, Trinity Street, St Austell PL25 5LS

Alternatively, clients can email the business.

This procedure is clearly documented in the company’s Consent Document.

Step 8: Children

The business must identify any instances where consent is obtained directly from children.

DL Accounts Ltd does not currently obtain consent directly from children.

In the case of carrying out Direct Payments payroll services, the business always deals with, enters into correspondence with and contracts with an adult client, whether a parent, guardian or other responsible adult, acting on behalf of the minor.

However, DL Accounts Ltd recognises that we may hold certain personal information relating to children, and is aware that children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased.

Step 9: Data Breaches

The business must have a GDPR-compliant procedure for detecting, reporting and investigating personal data breaches.

DL Accounts Ltd recognises that the GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority, within 72 hours of becoming aware of the breach, where feasible.

For example :

The theft of a customer database, the data of which may be used to commit identity fraud, would need to be notified, given the impact this is likely to have on those individuals who could suffer financial loss or other consequences.

When notifying the ICO, DL Accounts Ltd will give :

  • a description of the nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned; and
    • the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer (if the business has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we are also aware that those individuals affected must be informed without undue delay.

When notifying the individuals affected DL Accounts Ltd will :

  • describe, in clear and plain language, the nature of the personal data breach;
  • give the name and contact details of a member of staff from whom more information can be obtained;
  • give a description of the likely consequences of the personal data breach; and
  • give a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

DL Accounts Ltd ensures that there are effective processes in place to identify, investigate, assess, report, manage and resolve any personal data breaches. We have a specific Data Breach Template in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals. Responsibility for dealing with data breaches lies with the Director, Dexter Lawrence.

In accordance with GDPR legislation, we also keep a record of any personal data breaches, regardless of whether we are required to notify.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. A breach is therefore about more than just losing personal data.

Personal Data Breaches can include :

  • Access by an unauthorised third party.
  • Deliberate or accidental action (or inaction) by a controller or processor.
  • Sending personal data to an incorrect recipient.
  • Computing devices containing personal data being lost or stolen.
  • Alteration of personal data without permission, and
  • Loss of availability of Personal Data.

Step 10: Data Protection by Design and Data Protection Impact Assessments (DPIAs)

The business must ensure that Data Protection is built into all systems, projects and procedures.

We operate a multi-level security policy in the business.

DL Accounts Ltd has a comprehensive DPIA Policy and Assessment procedure, details of which are contained in our DPIA Policy and Assessment documents.

Step 11: Data Protection Officers, Data Controllers and Data Processors

The business must identify who the Data Controller(s) and Data Processor(s) are in the company, and appoint a Data Protection Officer if required.

The business must also register with the ICO if required.

The business has clearly identified and documented both Data Controller(s) and Data Processor(s) within the business.

A Data Controller is someone who is responsible for data and who must make sure that data is processed according to the law. For example, they are responsible for making sure that information held about someone is accurate and that it is kept secure.

The Directors and staff of DL Accounts Ltd are Data Controllers and Data Processors in common.

This means that all persons in the business are responsible for data when they use it to provide a service to clients or a third party.

Under the GDPR, an organisation must appoint a DPO if:

  • it is a public authority (except for courts acting in their judicial capacity);
  • its core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

DL Accounts Ltd does not engage in any of the above activities and therefore, does not need to appoint a Data Protection Officer.

The business is registered with the Information Commissioner’s Office (ICO) as required by law to do so.

Step 12: International

The business needs to identify its lead Data Protection supervisory authority and document this.

DL Accounts Ltd has its offices in the UK. The ICO is therefore DL Accounts Ltd’s regulatory authority.

DL Accounts Ltd does not operate in more than one EU Member State and does not engage in cross-border processing.