Braithwaite Network's Data Protection Policy

1. Introduction

a) Purpose of the policy

Braithwaite Tax Recovery Consultants Ltd, registered in the United Kingdom (company number 05269190) and Braithwaite Technology Consultants Limited, registered in Ireland (company number 506246) ("Braithwaite") and its group companies (together "we", "us", "our") are committed to protecting and respecting data. Data is important to us and we are committed to protecting and safeguarding data privacy rights. This policy has been created to ensure Braithwaite complies with GDPR and to ensure Braithwaite and all its employees follow best practice to protect clients, employees, suppliers, and all other individuals whose data we hold. This policy also outlines the steps Braithwaite take to protect data in accordance with GDPR.

The companies within the Braithwaite group are:

An organisation that handles data and makes decisions about its use is known as a Data Controller. Braithwaite are the Data Controller for the purposes of this policy. Braithwaite, as a Data Controller, is responsible for ensuring compliance with the GDPR requirements outlined in this policy. Braithwaite is fully committed to ensuring continued and effective implementation of this policy, and expects all Braithwaite employees, clients and suppliers to share in this commitment.

This policy applies to all Braithwaite companies where data is processed for the purposes of providing tax credit advisory services and covers all employees of Braithwaite working in the offices, remote working and working at client sites. It also applies to all processing of data in electronic form (including email and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to data.

This policy has been designed to establish a high quality standard for the processing and protection of data by all Braithwaite companies. Where the law imposes a requirement which is stricter than imposed by this policy, the requirements in the law must be followed. Furthermore, where the law imposes a requirement that is not addressed in this policy, the relevant law must be adhered to.

This policy also covers the following Data Processors acting on our behalf:

b) Types of data

We are the Data Controller for the following data types held by Braithwaite:

We hold client data in order to fulfil our contractual obligations. We hold prospect data with their consent. We hold employee Data for their legitimate interests.

c) Policy statement

We, on behalf of all the individuals whose data we hold, promise to:

d) Key Risks

The key risks to data in Braithwaite are:

2. Governance and Responsibilities

a) Data Protection Officer

To demonstrate our commitment to data protection, and to enhance the effectiveness of our compliance efforts, Braithwaite has appointed a Data Protection Officer. The Data Protection Officer operates with independence and is a suitably skilled individual granted all necessary authority. The Data Protection Officer reports to Braithwaite’s CEO, and their duties include:

b) Employees

All employees are required to read, understand, and accept any policies and procedures that relate to the data they may handle in the course of their work. Infringements of this policy are dealt with according to our formal HR procedures. All employees are given regular data protection training to ensure that all employees responsible for the processing of data are aware of and comply with the contents of this policy. New employees will have data protection incorporated into new staff induction training.

c) Suppliers and Third Parties

Braithwaite will make sure all suppliers and third parties engaged to process data on their behalf (i.e. Data Processors) are aware of and comply with the contents of this policy. Assurance of such compliance must be obtained from all suppliers and third parties, whether companies or individuals, prior to granting them access to data controlled by Braithwaite.

d) Data Protection by Design and Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) will be conducted, in cooperation with the Data Protection Officer, when designing new systems or processes and/or when reviewing or expanding existing systems or processes to ensure that all data protection requirements are identified and addressed in these situations. A DPIA will also be conducted for all new and/or revised systems or processes for which Braithwaite has responsibility.

The subsequent findings of the DPIA must then be submitted to the CEO for review and approval. Where applicable, the IT Officer, as part of its IT system and application design review process, will cooperate with the Data Protection Officer to assess the impact of any new technology uses on the security of data held by Braithwaite.

3. Data Security

a) Scope

Our Data Security measures are detailed below. These go beyond Data Protection requirements and are adopted as best practice.

b) Security levels

The greater the consequences of a breach of confidentiality, the tighter the security. We have three levels of security for Customer Data:

We have two levels of security for Employee Data:

We have one level of security for Prospect Data:

c) Security measures

Level 1: Stored digitally in AWS, HubSpot, and G Suite. Access for all Braithwaite employees through password identification.

Level 2: Stored digitally in the relevant system. Google Drive, Secure File Server in Toronto, and OneDrive. Access for restricted Braithwaite employees only through permission control and password identification.

Level 3: Stored digitally in an encrypted file at the Toronto office. Access for restricted Braithwaite employees only through permission control and password identification.

All IT hardware is monitored with anti-virus, anti-spam, anti-malware and ransomware protection through Norton Antivirus.

Our digital data systems are monitored through our own in-house expertise and respective third party hosting:

We proactively maintain and monitor all IT infrastructure including server, router, and switches and install the latest updates and patches on release.

d) Specific risks

We complete a starter and leaver form for every change of employee status to ensure appropriate access to data.

We remote wipe any lost mobile device upon instruction.

We ensure all hardware containing data is correctly wiped and destroyed.

We have activated Data Loss Prevention on our hosted email.

We have a password policy for all users on the network.

We have network reporting to ensure visibility of threats.

Level 2 information requested over the phone will be provided only with acceptable proof of identity, e.g. confirmation of company address, key decision-maker, and another key identifier.

Level 3 information will never be provided over the phone or by email.

4. Data recording and storage

a) Accuracy

Client data will be confirmed for accuracy regularly and only changed with our consent in accordance with our terms & conditions. For employee data, it is the employee’s responsibility to update us on changes to ensure accuracy. Prospect data will be confirmed for accuracy too.

b) Storage

All data is stored in a combination of secure online and offline computer storage facilities and paper-based files. All data in physical form such as documents will be stored securely at our offices or at a secure storage facility. All data in electronic form is stored on our secure servers.

Please note that our third-party suppliers have also confirmed they hold personal information in a combination of secure online and offline computer storage facilities too and any paper based files are also stored securely at their offices.

c) Retention

To ensure fair processing, data will not be retained by Braithwaite for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. The length of time for which Braithwaite need to retain data takes into account legal and contractual requirements (including tax authority requirements), both minimum and maximum, that influence the retention periods. All data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.

5. Data subject access requests

The Data Protection Officer is responsible for data subject access requests. Data subject access requests should be made by email or post. You should receive a response and action within one calendar month in accordance with ICO guidelines. Requesters must provide photo ID and proof of their authority to make the request if they are not known to Braithwaite. We reserve the right to seek legal access on complex requests should they arise.

6. Data Breaches

Any individual who suspects that a data breach has occurred due to the theft or exposure of data must immediately notify the Data Protection Officer, providing a description of what occurred. Notification of the incident can be made by email or phone. The Officer will investigate all reported incidents to confirm whether or not a data breach has occurred. If a data breach is confirmed, the Officer will follow the relevant authorised procedure based on the criticality and quantity of the data involved. The Officer will also determine whether the data breach is of a type that requires notification to the ICO within 72 hours.

7. Lawful Basis

Braithwaite hold client data in order to fulfil contractual obligations and employee data for their legitimate interests. Clients and employees are not able to opt out of the use of their data if they wish to continue to receive contractual services or remain in employment respectively. They both have the right to withdraw consent, but this may mean that contractual obligations cannot be fulfilled or a contract of employment cannot continue.

8. International data transfers

Braithwaite is a global organisation and therefore data we hold may be transferred outside the EEA to the overseas companies in the group. Such transfers will occur where they are necessary in providing tax credit advisory services or where the transfer is authorised by law. Please note that all the companies in the Braithwaite group including overseas companies comply with GDPR. The Data Protection Officer covers the whole of the Braithwaite group and ensures data protection based on GDPR is strictly enforced in all overseas companies.

9. Supervisory Authority

Braithwaite, as a Data Controller, are registered with the ICO.

10. Policy review

The Data Protection Officer is responsible for conducting the next review of this policy, and this review will be done in 3 years, i.e. May 2021.