This statement covers the EFM Group of companies including:
e-Financial Management Limited
EFM Financial Management Ltd
De Novo Partners Ltd
Description of the technical and organisational security measures implemented by the data processor:
The EFM team are all UK based.
The EFM office is equipped with surveillance cameras, and footage is monitored periodically by authorised individuals. Access is controlled into the building using biometric access control. Fire alarms are in place to detect and mitigate damage in the unlikely event of a fire. Regular fire drills are also conducted by the premises management team to educate employees about emergency evacuation procedures. A policy has been implemented to approve and regulate visitor access into the building, which is controlled by a third-party reception desk.
Unless processing takes place on third-party platforms, all of EFM's online data is secured by our third-party data manager, Ashgoal. Ashgoal's cloud products and services, and the data they hold, are hosted in Tier 3/Tier 4 data centre facilities (Tier 4 being the highest Uptime Institute tier).
Our supplier, Ashgoal, provides the location in which data is stored and manages the security settings on our behalf, subject to our approval. The Ashgoal team has access to our data on production servers. Changes to any application, infrastructure or deployment process are documented as part of Ashgoal's internal change control process, which ensures compliance with Ashgoal's internal ISMS policies. Backups are taken every sixty minutes and are stored at a third, Tier 3 facility, so in the unlikely event of a catastrophe at one of the data centres the most we would lose is 60 minutes of data (a recovery point objective of one hour). Backups are retained for 90 days, stored within the UK, and encrypted with AES-256 (256-bit keys); the keys are managed by Ashgoal and stored in a dedicated safe. All data in transit is encrypted using TLS (secure socket) connections.
Where we transfer data to third parties for processing, we notify our clients to get their consent to this activity, and from the third party, we get confirmation of their GDPR compliance.
When a contract or other form of relationship with one of our customers ends, we take written instruction from the customer on how they wish us to deal with their data. Customers will already have received their data once we have processed it, but they are also able to export their electronic data before final deletion, if deletion is requested. Where deletion is requested in writing, we will carry it out within 14 days of receiving the request.
In the absence of anything in writing from a customer, we will securely destroy all client data 12 months after the relationship ends.
For on-going customer relationships, our deletion policy is:
Accounting data – original data is returned to the client 12 months after the year end. Other retained data is deleted 6 years after the financial year end.
Payroll data – data is deleted 3 years after the tax year end. We are unable to delete individual records for ex-employees within this timeframe, as doing so could corrupt the integrity of files, spreadsheets and documents previously sent.
Other personal data – this is retained only while a business relationship or another legitimate business reason exists. Data is deleted 1 year after the relationship ends.
The EFM group of companies has clear change management processes, logging and monitoring procedures, and fall-back mechanisms as part of its operational security directives. Members of the board of directors oversee and approve all organisation-wide security policies. Operational security begins at recruitment and continues through training and supervision of an employee's ongoing work. The recruitment process includes standard background verification checks and references (including verification of academic records) for all new recruits. All employees receive adequate training on the company's information security policies and are required to sign to confirm that they have read and understood the company's security-related policies. Confidential company information is accessible only to selected, authorised EFM employees. Employees are required to report any suspicious activity or threat they observe, and we take appropriate disciplinary action against employees who violate organisational security policies. Security incidents (breaches and potential vulnerabilities) can be reported by customers via email.
EFM maintains an inventory of all information systems used by our employees. Only authorised and licensed software products are installed, and software may be installed on our cloud environment only by our nominated provider, Ashgoal. We have obtained the GDPR policies of the primary third-party software providers we may use to assist us in our role as a data processor, including branded off-the-shelf accounting, payroll and marketing software. Where we use sub-contractors to assist us in processing data, we have obtained their compliance statement to ensure it meets our requirements.
All formal processes and security standards are designed to meet the applicable regulations. For our clients, we are the data processor, not the data controller, of the information on our platform for the purposes of the European Union ("EU") Directive 95/46/EC on Data Protection (the "EU Directive"), now superseded by the GDPR (Regulation (EU) 2016/679). Our customers are responsible for complying with the GDPR and the relevant data protection legislation in the applicable EEA member state before sending personal information to us for processing.
EFM’s USE OF PERSONAL DATA FOR MARKETING
EFM controls and processes personal data in order to deliver marketing messages, materials, events and related activities. These communications are managed in compliance with PECR and rely on the lawful bases of legitimate interest or consent.
Contacting people using corporate email addresses under PECR
The majority of our subscribers are 'corporate contacts', and the Privacy and Electronic Communications Regulations 2003 (PECR) allow us to contact people via their business email addresses.
'Corporate contacts' are people using contact details belonging to companies, LLPs, Scottish partnerships and government bodies. Contact with 'corporate contacts' is covered by the 'legitimate interest' ground for processing and is also permitted under PECR.
Under PECR we can contact individuals via their corporate email address without needing their consent or any previous dealings with them. Most of our marketing contacts are business contacts rather than consumers, so PECR is relevant here. These contacts still have certain rights, particularly where their name forms part of their email address, including the right to be added to the 'do not contact' preference services and the right to ask us not to contact them again.
An 'individual' is a sole trader, a partnership not covered above, or anyone using a non-corporate email address.
Contacting people using the grounds of legitimate interest:
Legitimate Interest is another lawful basis for processing data under the GDPR.
Legitimate interest enables the data controller to undertake marketing for their own business or a third party so long as the data is used in ways that the recipients of the marketing would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
When relying on legitimate interest as a basis for processing, EFM commits to balancing our interests against those of the individual. If the individual would not reasonably expect the processing, their interests are likely to override the legitimate interest ground.
By relying on legitimate interest rather than consent to process personal data, EFM understands that we take on extra responsibility for considering and protecting people's rights and interests, and we guarantee that we will do so.
Contacting people using the grounds of consent.
Consent is another lawful basis for processing data, and the GDPR makes it clear that an indication of consent must be unambiguous and involve a clear affirmative action (i.e. an opt-in).
Where EFM relies on consent, we commit to not using pre-ticked opt-in boxes, and we require separate consent options for distinct processing operations.
Consent will be kept separate from our other terms and conditions.