Our data protection policy in accordance with the EU General Data Protection Regulation (GDPR)
This document sets out the approach that City Capital Financial Planning LLP takes in relation to your private data which we hold as a necessary precursor for us to provide clients with rigorous, informed, independent financial planning advice.
The new GDPR regulations came into force on 25th May 2018. Periodically, City Capital Financial Planning LLP may update and revise our policy, to bring it into line with best practice.
We’ll be happy to assist you with any issues or questions you may have!
From the team at City Capital Financial Planning LLP
Telephone: 020 7953 8524
City Capital Financial Planning LLP Firm Reference 584402 is an Appointed Representative of ValidPath Ltd which is authorised and regulated by the Financial Conduct Authority under Firm Reference Number 197107.
City Capital Financial Planning’s Data protection policy
Goal of the data protection policy
The goal of our data protection policy is to summarise the legal data protection implications of the new regulations in one simple document. This is not only to ensure compliance with the European General Data Protection Regulation (GDPR) but also to provide proof of compliance.
City Capital Financial Planning LLP is a financial-planning intermediary with a strong culture of independent financial advice. Due to the sophistication of our advice model, as well as the overarching requirements of the government’s Regulator (the Financial Conduct Authority, or FCA), we tend to work with quite detailed financial data for each of our clients, which may be re-used within appropriate analytical systems and also with approved third parties (such as product-providers that our clients wish to access). This, necessarily, means that we must take reasonable steps to obtain, safeguard, and use accurate personal financial data: without such information, we cannot deliver a service to our clients.
Security policy and responsibilities in the company
• City Capital Financial Planning LLP’s data protection policy is dictated by the characteristics of the kind of information which we hold in relation to our clients, which we categorise as ‘extremely sensitive’;
• Roles and responsibilities:
o Data Controller: David Schiller
o Operational Data Protection Officer: Allyson Burris
o Data Processors: administrative staff designated competent
o Day to day Operational Manager: Allyson Burris
• City Capital Financial Planning LLP is committed to the continuous improvement of our data protection management system;
• City Capital Financial Planning LLP is committed to the training, awareness and responsibility of our staff.
The legal framework of the company
• City Capital Financial Planning LLP is authorised and regulated by the Financial Conduct Authority (FCA), whose rules both encompass GDPR standards and impose higher responsibilities on the way we deal with our clients;
• Most third parties (product-providers) that we deal with are bound by exactly the same regulatory framework;
• City Capital Financial Planning LLP is a UK-registered company, registered with the Information Commissioner’s Office.
• Our own procedures are subject to ongoing internal scrutiny, and we also periodically submit our written processes for external scrutiny by reputable legal and compliance consultants;
• Our processes and standards are primarily driven by the requirements set out by the FCA.
Existing technical and organisational measures (TOM)
Appropriate technical and organisational measures have been implemented and tested, taking into account the purpose of the processing, the functionality of the technology available and the implementation costs.
Examples of our internal safeguards include:
• Guidelines for the rights of data subjects – published within our own internal written procedures, but also published (open access) on our website, for the benefit of our clients;
• Access control – sensitive data is available only to City Capital Financial Planning’s staff who have the requisite security permissions, and access via our secure systems;
• Information classification (and handling thereof) – all client data is designated ‘sensitive’;
• Physical and environmental-related security for end-users such as:
o Our GDPR policy is directly influenced by our adherence to the FCA’s ‘Treating Customers Fairly’ (TCF) values-based framework;
o The methodology and process for transferring client data (say to an authorised third party) will depend upon (a) the nature of the data, and (b) the purpose for which it is being transferred;
o Mobile devices will generally only retain email or MSG data, but may have access to client data stored securely in the Cloud, accessed only via a password and encrypted link;
o Access to relevant software systems is (a) password-protected, and (b) only available to those members of staff whose job-function makes such access necessary.
• Data back up – all client data is backed up remotely in a secure Cloud-based environment;
• Information transfer – is considered carefully in each instance, and a risk-based approach is taken; wherever possible, shared data-servers are used for this purpose;
• Protection against malware – City Capital Financial Planning LLP have in place functional, industry-standard protection;
• Handling technical weak points – City Capital Financial Planning LLP operate in a collaborative manner in order to identify such weaknesses and plan accordingly;
• Encryption measures – initially, City Capital Financial Planning LLP has adopted Microsoft’s ‘Azure’ encryption technology, and at the time of writing this introductory guide is embarking upon a move to an enhanced level of security;
• Communication security – at the time of writing, our anti-phishing provisions are deemed to be fit for purpose;
• Privacy and protection of personal information – City Capital Financial Planning LLP has written procedures in place governing the storing, protection and transmission of personal information, and staff are required to abide by these procedures;
• Supplier relationships – City Capital Financial Planning LLP collaborate with several software providers in order to store, analyse and manage client information securely, and we ensure that all of them are fully compliant with the requirements imposed by GDPR.
Version (1) of City Capital Financial Planning LLP’s Data Protection Policy has been signed off by Kevin Moss of ValidPath Ltd.
Dated: 21 May 2018
Our customers have the right to access, correct and delete personal data relating to them, and to object to the processing of such data, by addressing a written request, at any time. The Company makes every effort to put in place suitable precautions to safeguard the security and privacy of personal data and to prevent it from being altered, corrupted, destroyed or accessed by unauthorized third parties. However, the Company does not control each and every risk related to the use of the Internet and therefore warns the Site users of the potential risks involved in the functioning and use of the Internet. The Site may include links to other web sites or other internet sources. As the Company cannot control these web sites and external sources, the Company cannot be held responsible for the provision or display of these web sites and external sources, and may not be held liable for the content, advertising, products, services or any other material available on or from these web sites or external sources.
You can view or edit your personal data online for many of our services. You can also make choices about our collection and use of your data. How you can access or control your personal data will depend on which services you use. You can choose whether you wish to receive promotional communications from our web site by email, SMS, physical mail, and telephone. If you receive promotional email or SMS messages from us and would like to opt-out, you can do so by following the directions in that message. You can also make choices about the receipt of promotional email, telephone calls, and postal mail by visiting and signing into Company Promotional Communications Manager, which allows you to update contact information, manage contact preferences, opt-out of email subscriptions, and choose whether to share your contact information with our partners. These choices do not apply to mandatory service communications that are part of certain web site services.
Our website collects data to operate effectively and provide you with the best experiences with our services. You provide some of this data directly, such as when you create a personal account. We get some of it by recording how you interact with our services by, for example, using technologies like cookies, and receiving error reports or usage data from software running on your device. We also obtain data from third parties (including other companies). For example, we supplement the data we collect by purchasing demographic data from other companies. We also use services from other companies to help us determine a location based on your IP address in order to customize certain services to your location. The data we collect depends on the services and features you use.
Our web site uses the data we collect for three basic purposes: to operate our business and provide (including improving and personalizing) the services we offer, to send communications, including promotional communications, and to display advertising. In carrying out these purposes, we combine data we collect through the various web site services you use to give you a more seamless, consistent and personalized experience. However, to enhance privacy, we have built-in technological and procedural safeguards designed to prevent certain data combinations. For example, we store data we collect from you when you are unauthenticated (not signed in) separately from any account information that directly identifies you, such as your name, email address or phone number.
We share your personal data with your consent or as necessary to complete any transaction or provide any service you have requested or authorized. For example, we share your content with third parties when you tell us to do so. When you provide payment data to make a purchase, we will share payment data with banks and other entities that process payment transactions or provide other financial services, and for fraud prevention and credit risk reduction. In addition, we share personal data among our controlled affiliates and subsidiaries. We also share personal data with vendors or agents working on our behalf for the purposes described in this statement. For example, companies we’ve hired to provide customer service support or assist in protecting and securing our systems and services may need access to personal data in order to provide those functions. In such cases, these companies must abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any other purpose. We may also disclose personal data as part of a corporate transaction such as a merger or sale of assets.