GENERAL DATA PROTECTION REGULATION (GDPR)
Our access to and handling of this information is subject to the General Data Protection Regulation (GDPR). This replaces the Data Protection Act of 1998.
THE DATA WE COLLECT
Any issue we manage on your behalf typically makes it necessary to provide us with information. This could be about you, your business and possibly one or more of your employees.
Depending upon the nature of the issue, the specific information may vary. However, we will only request information that is relevant and required for managing the issue in question.
If the matter includes the gathering and assessing of evidence, that evidence may include information that would be subject to GDPR and this policy.
For example, we collect personal information such as names and contact details via contact forms on our website and/or through voluntary subscriptions to newsletters or electronic marketing communications.
HOW THIS DATA IS PROTECTED
Personal information may be stored in a number of locations, depending upon the nature of the information and how it was acquired (e.g. through being engaged to handle a matter or through a consensual subscription or contact request).
Information relating to engagements typically resides in our email correspondence with you as we handle the matter. This includes any documents that you send us or that we produce. Our email is held on a secure server and is accessed via an encrypted network connection. Documentation is stored in a client-specific folder, which is maintained on a cloud drive. There may be working copies and backups of those documents on a system within our office.
Information relating to matters that we handle is only retained as long as necessary. This typically means that once a matter has been completed, we will only retain your information for long enough to ensure that any supplementary queries or further actions can be handled.
We would not retain information for more than one year beyond the end of our engagement unless there is a specific requirement to do so.
Once an engagement is completed we may, with your consent, retain your information in our customer database so that we can follow up with you in future on possible engagements or keep you informed via our newsletters.
We store personal information acquired via consent-based subscriptions or contact forms in local or cloud-hosted customer management systems, e.g. a third-party mailing list service provider such as MailChimp.
YOUR RIGHTS REGARDING YOUR DATA
You have the right to request access to (i.e. copies of) all your personal information held by us. We will provide this information within thirty days of having received your request. Where applicable, you can have your data in a “portable” format.
You have the right to ensure any information we retain is accurate. You can inform us of any changes to your personal information and we will update our records.
You have the right to have your personal information erased, provided it is no longer required for the handling of any unresolved matter or legal proceeding.
You have the right to restrict the use of your information under certain circumstances. This means that while we retain the information, it will not be processed until those circumstances are addressed.
You also have the right to object to the use of your personal information, for example by withdrawing consent to be contacted for direct marketing purposes.
HANDLING OF DATA BREACHES
A data breach is any occasion where security measures have been deliberately or accidentally circumvented in order to access, alter, disclose or destroy personal information.
For example, a breach occurs if unauthorised parties have gained access to and potentially obtained copies of your personal information from our systems.
Outside of documents pertaining to matters we have handled, we generally do not retain anything except contact names, email addresses and telephone numbers (i.e. the information provided with consent). As such, the information we retain is generally low risk.
In the unlikely event that there is a personal data breach that represents a risk to individuals or their businesses, we will inform the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it.