Our data protection policy in accordance with the EU General Data Protection Regulation (GDPR)
This document sets out the approach that Aspire Financial Planning (Aspire FP) takes to the personal data we hold about you. Holding that data is a necessary precursor to providing our clients with rigorous, informed, independent financial planning advice.
The GDPR came into force on 25 May 2018. Aspire FP may periodically update and revise this policy to keep it in line with best practice.
We’ll be happy to assist you with any issues or questions you may have!
From the team at Aspire Financial Planning
Telephone: 01242 248181
Aspire Financial Planning is an appointed representative of ValidPath Ltd which is authorised and regulated by the Financial Conduct Authority Number 197107.
Aspire FP’s Data protection policy
Goal of the data protection policy
The goal of our data protection policy is to summarise the legal data protection implications of the new regulations in one simple document. This is not only to ensure compliance with the European General Data Protection Regulation (GDPR) but also to provide proof of compliance.
Aspire FP is a financial-planning intermediary with a strong culture of independent financial advice. Due to the sophistication of our advice model, as well as the overarching requirements of the government’s Regulator (the Financial Conduct Authority, or FCA), we tend to work with quite detailed financial data for each of our clients, which may be re-used within appropriate analytical systems and also with approved third parties (such as product-providers that our clients wish to access). This, necessarily, means that we must take reasonable steps to obtain, safeguard, and use accurate personal financial data: without such information we cannot deliver a service to our clients.
Security policy and responsibilities in the company
Aspire FP’s data-protection policy is dictated by the characteristics of the information we hold in relation to our clients, which we categorise as ‘extremely sensitive’.
Roles and responsibilities:
- Data Controller: John Tibble
- Operational Data Protection Officer: John Tibble
- Data Processors: administrative staff designated competent
- Day to day Operational Manager: John Tibble
- Aspire FP is committed to continuous improvement of our data protection management system;
- Aspire FP is committed to the training, awareness and responsibility of our staff.
Legal framework of the company
- Aspire FP is authorised and regulated by the Financial Conduct Authority (FCA), whose rules both encompass GDPR standards and impose higher responsibilities on the way we deal with our clients;
- Most third parties (product-providers) that we deal with are bound by exactly the same regulatory framework;
- Aspire FP Ltd is a UK-registered limited company, registered with the Information Commissioner’s Office.
- Our own procedures are subject to ongoing internal scrutiny, and we also periodically submit our written processes for external scrutiny by reputable legal and compliance consultants;
- Our processes and standards are primarily driven by the requirements set out by the FCA
Existing technical and organisational measures (TOM)
Appropriate technical and organisational measures have been implemented and tested, taking into account the purpose of the processing, the functionality of the technology available and the implementation costs.
Examples of our internal safeguards include:
- Guidelines for the rights of data subjects – published within our own internal written procedures, but also published (open access) on our website, for the benefit of our clients;
- Access control – sensitive data is available only to Aspire FP staff who hold the requisite security permissions, and only via our secure systems;
- Information classification (and handling thereof) – all client data is designated ‘sensitive’;
- Physical and environmental-related security for end users such as:
- Our GDPR policy is directly influenced by our adherence to the FCA’s ‘Treating Customers Fairly’ (TCF) values-based framework;
- The methodology and process for transferring client data (say to an authorised third party) will depend upon (a) the nature of the data, and (b) the purpose for which it is being transferred;
- Mobile devices will generally only retain email or MSG data, but may have access to client data stored securely in the Cloud, accessed only via a password and encrypted link;
- Access to relevant software systems is (a) password-protected, and (b) only available to those members of staff whose job-function makes such access necessary.
- Data backup – all client data is backed up remotely in a secure Cloud-based environment;
- Information transfer – is considered carefully in each instance, and a risk-based approach is taken; Wherever possible, shared data-servers are used for this purpose;
- Protection against malware – Aspire FP have in place functional, industry-standard protection;
- Handling technical weak points – Aspire FP operate in collaborative manner to identify such weaknesses and plan accordingly;
- Encryption measures – initially, Aspire FP has adopted Microsoft’s ‘Azure’ encryption technology, and at the time of writing this introductory guide is embarked upon a move to an enhanced level of security;
- Communication security – at the time of writing, our anti-phishing provisions are deemed to be fit for purpose;
- Privacy and protection of personal information – Aspire FP has written procedures in place governing the storing, protection and transmission of personal information, and staff are required to abide by these procedures;
- Supplier relationships – Aspire FP collaborate with several software providers to store, analyse and manage client information securely, and we ensure that all of them are fully compliant with the requirements imposed by GDPR.
Version (1) of Aspire FP’s Data Protection Policy has been signed off by John Tibble.
Dated: 21 May 2018