ValidPath Data Privacy Policy 

Goal of the data protection policy

The goal of our data protection policy is to summarise the legal data protection implications of the new regulations in one simple document.  This is not only to ensure compliance with the European General Data Protection Regulation (GDPR) but also to provide proof of compliance.

Preamble

ValidPath Ltd is a financial-planning intermediary network with a strong culture of independent financial advice.  Due to the sophistication of our advice model, as well as the overarching requirements of the government’s Regulator (the Financial Conduct Authority, or FCA), we tend to work with quite detailed financial data for each of our clients, which may be re-used within appropriate analytical systems and also with approved third parties (such as product-providers that our clients wish to access).  This, necessarily, means that we must take reasonable steps to obtain, safeguard, and use accurate personal financial data: without such information we cannot deliver a service to our clients.

Security policy and responsibilities in the company

ValidPath’s data-protection policy is dictated by the characteristics of the information we hold about our contacts and clients, which we categorise as either ‘low risk’ (business contacts) or ‘extremely sensitive’ (retail clients).

Roles and responsibilities:

  • Data Controller:  Kevin Moss
  • Operational Data Protection Officer:  Heledd Richards
  • Data Processors:  administrative staff designated competent 
  • Day to day Operational Manager:  Heledd Richards

ValidPath Ltd is committed to continuous improvement of our data protection management system.

ValidPath Ltd is committed to the training, awareness and responsibility of our staff.

Legal framework of the company

  • ValidPath Ltd is authorised and regulated by the Financial Conduct Authority (FCA), whose rules both encompass GDPR standards and impose higher responsibilities on the way we deal with our clients;
  • Most third parties (product-providers) that we deal with are bound by exactly the same regulatory framework;
  • ValidPath Ltd is a UK-registered limited company, registered with the Information Commissioner’s Office.

Documentation

  • Our own procedures are subject to ongoing internal scrutiny, and we also periodically submit our written processes for external scrutiny by reputable legal and compliance consultants;
  • Our processes and standards are primarily driven by the requirements set out by the FCA.

Existing technical and organisational measures (TOM)

Appropriate technical and organisational measures have been implemented and tested, taking into account the purpose of the processing, the functionality of the technology available and the implementation costs. 

Examples of our internal safeguards include:

  • Guidelines for the rights of data subjects – published within our own internal written procedures, but also published (open access) on our website, for the benefit of our clients;

  • Access control – sensitive data is available only to ValidPath staff who have the requisite security permissions, and only via our secure systems;
  • Information classification (and handling thereof) – all client data is designated ‘sensitive’;
  • Physical and environmental-related security for end users such as:
    • Our GDPR policy is directly influenced by our adherence to the FCA’s ‘Treating Customers Fairly’ (TCF) values-based framework;
    • The methodology and process for transferring client data (say to an authorised third party) will depend upon (a) the nature of the data, and (b) the purpose for which it is being transferred;
    • Mobile devices will generally only retain email or MSG data, but may have access to client data stored securely in the Cloud, accessed only via a password and encrypted link;
    • Access to relevant software systems is (a) password-protected, and (b) only available to those members of staff whose job-function makes such access necessary.
  • Data backup – all client data is backed up remotely in a secure Cloud-based environment;
  • Information transfer – is considered carefully in each instance, and a risk-based approach is taken; wherever possible, shared data-servers are used for this purpose;
  • Protection against malware – ValidPath Ltd have in place functional, industry-standard protection;
  • Handling technical weak points – ValidPath Ltd operate in a collaborative manner in order to identify such weaknesses and plan accordingly;
  • Encryption measures – initially, ValidPath Ltd has adopted Microsoft’s ‘Azure’ encryption technology, and at the time of writing this introductory guide is embarked upon a move to an enhanced level of security;
  • Communication security – at the time of writing, our anti-phishing provisions are deemed to be fit for purpose;
  • Privacy and protection of personal information – ValidPath Ltd has written procedures in place governing the storing, protection and transmission of personal information, and staff are required to abide by these procedures;
  • Supplier relationships – ValidPath Ltd collaborate with several software providers in order to store, analyse and manage client information securely, and we ensure that all of them are fully compliant with the requirements imposed by GDPR.


Version (1) of ValidPath’s Data Protection Policy has been signed off by Kevin Moss.

Dated:  21 May 2018
 

Kevin Moss, 24/05/2018