🛡️ INTERNAL POLICY — PM-GDPR-001

Data Protection and GDPR Policy

Reference: PM-GDPR-001
Version: v1.4
Category: Data Protection
Owner: Compliance Team — Promise Money
FCA FRN: 681423
Next Review Date: [To be confirmed]


PROMISE GENERAL DATA PROTECTION REGULATIONS (GDPR) POLICY

We handle substantial volumes of data which are captured by our web applications, e-mail, telephone system, paper and other IT resources. The Data Protection Act (enhanced by the General Data Protection Regulations introduced in May 2018) is deemed to apply at all times.

The type of data we capture is referred to in legislation as "personal data", which means anything that can be used to identify the person to whom it relates. Obvious examples are date of birth, address or employment details; however, legislation goes much further than this. Personal data can also include your computer's IP address, browsing history or buying preferences.

Our expectation is that all data captured by the firm is for use within the European Economic Area and is afforded the IT and legislative protection that this brings. Should a transfer outside of the EEA be considered necessary, appropriate steps would be taken to ensure suitable protection exists. Should such an assurance prove to be impossible, the data transfer would not take place.

Staff are required to maintain a satisfactory understanding of DPA/GDPR legislation which is tested once per year, and for new starters within their first month. We are registered as a Data Controller with the Information Commissioner (registration Z8661889).

The firm seeks to ensure at all times that it:

Complies with data protection law and good practice

Protects the rights of its staff, customers and partners

Is open about how it stores and processes data

Protects itself from the risks of a data breach

The key pieces of legislation applicable are the Data Protection Act 1998 and the General Data Protection Regulations (GDPR) 2018. This legislation establishes principles which we set out to comply with, and which demand that data must:

Be processed fairly, lawfully & transparently

Be obtained only for specific lawful purposes

Be adequate, relevant and not excessive

Be accurate and kept up to date

Not be held for any longer than necessary

Be processed in accordance with the rights of data subjects

Be protected in appropriate ways

Not be transferred outside of the European Economic Area unless the host country ensures adequate protection

Risks & Penalties

Failure to adhere to this policy could lead to some very real risks which include:

Breaches of confidentiality, for example information being given out inappropriately or to someone who does not have the right to receive it

Failing to offer the data subject a choice of how the company uses data relating to them

Reputational damage caused by hackers gaining access to sensitive information

A senior member of staff designated by the Managing Director will carry out an audit of risks a minimum of once per year. This will include:

An analysis of the personal data being captured: why it is being collected, how it is being used, how it is being stored and when it is being deleted.

An analysis of how “fit for purpose” the method of storage is.

An analysis of our retention and deletion policy: do we keep data unnecessarily, or for too long or too short a period.

A report will be fed into the Senior Management Team for decisions on what actions to take.

Responsibilities

All staff - share a responsibility for data to be handled in a lawful manner. Ignorance of the law is not an acceptable defence of a breach or failing.

The Directors - share an obligation to ensure the company meets its obligations and are required to provide the necessary information and training to bring about satisfactory compliance by all staff.

The appointed Data Protection Officer (DPO) - is responsible for leading on keeping the company abreast of latest developments and the handling of subject access requests. The firm’s DPO is Steve Walker.

The IT Consultant - is responsible for ensuring adequate levels of IT security are in place and fit for purpose.

General do’s and don’ts

You should only deal with data that has a legitimate work purpose

Customers must be provided with a privacy policy which explains their rights and how data will be used

Data should not be shared informally at any time. Access to data of a confidential nature should be addressed via a Director.

Regular training will be offered to help build understanding and awareness.

Strong passwords should be used at all times.

Personal data should not be disclosed to unauthorised people either internally or externally.

Data no longer required, out of date or irrelevant should be deleted and disposed of in accordance with policy (sign off required).

If you need help, ask the Data Protection Officer or a Director.

Data storage

When data is stored on paper it should be kept in a secure, lockable place. The company maintains an adequate supply of drawers, filing cabinets and rooms. It should not be left where unauthorised people can see it, for example left on a desk overnight and seen by cleaners. Printouts no longer needed should be shredded or disposed of as confidential waste.

When data is stored electronically it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. This is achievable by way of good housekeeping, common sense and robust IT resource management. General tips & actions we take:

Use strong passwords & never share them

Ensure your computer is locked when you are away from it

Data saved on removable media (disc, memory stick) should be kept locked away when not in use

Only use designated drives and servers

Backups take place daily

Never save data directly to a device, save to network only.

Robust security software and firewalls are in use

Data accuracy

The law requires data stored to be as accurate as reasonably possible and all staff (data handlers) share a responsibility to bring this about. Some general guidance:

Store data in the fewest places possible. Do not create unnecessary data sets.

Take every opportunity to ensure data is updated. Some loan applications take months to complete, circumstances may change.

Data subjects should be offered maximum co-operation when requesting their details be updated.

Inaccurate data should be removed or amended immediately. For example, don't leave a wrong telephone number on the system.

All e-shot bounce backs are to be acted on to avoid repetitive marketing to inaccurate names/addresses/contact details

Subject access requests

Data subjects have a right to make a "subject access request" at any time. This would result in Promise supplying the data subject with a record of all personal data held, using a medium that is easy for them to use. Requests must be processed within 1 month and are free of charge. Requests considered vexatious or highly complicated may be afforded more time and attract a nominal fee. We would take reasonable steps to evidence the identity of the data subject before releasing any data.

Data subjects are entitled to:

A privacy notice detailing why we are collecting the data and how it will be used / managed.

Access to it using a medium that is easy for them to use e.g. by e-mail or printed to paper.

Request it be changed if it is deemed to be inaccurate

Request it be fully or partially erased (right to be forgotten – see below). If we have passed the data on to a 3rd party we must ensure that it also removes the data in line with the data subject’s request.

Request the processing of it be restricted. For example, do not submit my data to lender XXXXX.

Request it be transferred to another platform (though not necessarily using the same medium as the platform it is going to). For example a request to transfer data from Loan Brain to a rival sourcing system.

Object to how it is being processed

Object to being subjected to an automated decision making process for example credit scoring. Given credit scoring is an essential part of the underwriting process with most lenders a data subject insisting on this would effectively be cancelling their application as we could not proceed without exposing the application to a credit score.

When processing a subject access request (SAR) we determine which lenders have shared in the subject's personal data (e.g. we have sent a DIP or populated a data capture platform). All lenders that have shared in the personal data are made aware of the SAR, typically within 24 hrs of us having received it. Our status is usually that of "shared controller" with the lender, with each party responsible for meeting its own data protection obligations.

Disposal of personal data (Right to be forgotten)

A customer can ask to have their data removed / deleted at any time. Requests are likely to be rare and should be passed to a manager to handle (verbally with confirmation by e-mail). A copy of the email should be sent to the Data Protection Officer at the same time.

NOTE: MAKE SURE CLIENTS REALLY WANT ALL DATA DELETED – IT CAN’T BE REVERSED

Explain first that we don't use the data unless they reapply, and only then to speed matters up.

If clients insist on deletion, the firm can only dispose of data when it is permissible to do so. On occasion some data must be held in case we are subjected to FCA action or even PPI claims. When a request is made to dispose of / delete data, the steps to take are:

By the member of staff handling the request - take action to ensure the request is genuinely being made by the data subject. Acceptable ways of doing so include:

Verbal DPA check

In writing with a signature match

Full proof of ID

By the manager handling the actual deletion - confirm detail of the data to include:

Why it was obtained in the first place

Reasons why it is being stored, and why it hasn't already been deleted.

How it is being stored e.g. PROMPT, paper file, PQ.

How it can be deleted e.g. shredding paper, permanent deletion of a computer file.

Whether some / all of the data should be retained for some overriding legal / company reason

In every case the DPO or a Director must sign off any data deletion or destruction, having regard to the GDPR and the requirements of the company and its regulators. All requests and outcomes will be recorded in our Data Disposal Register and should be actioned within 28 days of the request being received.

In the event of a delay beyond 28 days the Director concerned will write to the data subject to explain the reason for it. The firm can refuse to comply with a request for erasure if it is saving the personal data for any substantial reason linked to the following:

the right of freedom of expression and information.

to comply with a legal obligation, e.g. the FCA requires certain data to be kept

to perform a public interest task or exercise official authority

for archiving purposes in the public interest, scientific research, historical research or statistical purposes

to exercise a defence of legal claims, e.g. we need to be able to defend potential claims, mainly on completed cases

for public health purposes in the public interest

for processing that is necessary for the purposes of preventive or occupational medicine.

Most of the above would not apply to a mortgage broker, of course, but legal obligation and defence of a legal claim might.

All data is backed up to databases stored on the firm's servers; therefore disposal / deletion (if authorised) would be carried out by a member of the IT team. Any files held in paper form in secure storage will be destroyed using shredding machines or third party contractors which are GDPR compliant.

Bulk Data Deletion Policy and Procedure

As an FCA regulated firm, Promise needs to retain full and detailed records of all of its customer transactions for a minimum of 6 years in order to meet regulatory requirements.

We have taken the decision to retain all customer records on an indefinite basis to be able to retrieve any of our records, at any time, to respond to, or support, customer or regulator enquiries.

We store data in three ways:

(1) Electronically – on computers, servers, E-cloud.

(2) Paper – in an office

(3) Paper – in a storage warehouse

Our policy is not to dispose of data on a bulk basis, as this could damage the service we offer to clients in the future. Understanding the detail of a client's financial history is in the client's interest and a useful weapon against fraud.

Data will only be deleted when specifically requested by the client in accordance with the procedures above.

Data protection impact assessments (DPIAs)

A DPIA is an exercise that allows us to assess how a change in the way we capture / use personal data might adversely affect the subject. Examples of when we may need to do one include:

If we move to new IT technology, e.g. if we switch from servers to cloud based storage

If we start asking for data that could adversely affect the rights and freedoms of the subject, for example if we start capturing data about criminal convictions.

DPIAs should contain as a minimum:

A description of how and why we are using the data (in effect why we think we have a legitimate interest in it)

An assessment of its necessity and proportionality: are we asking for the right amount, too much or too little.

An assessment of the risk to the data subject: how could it go wrong.

A statement covering the controls put in place, i.e. the steps we take to minimise the risks.

Data processors (3rd parties we use to manage personal data) may be consulted as part of the DPIA depending on their involvement and level of influence. Examples of data processors include lenders and property valuers.

Data breaches

A breach can be defined as destruction, loss, alteration or unauthorised disclosure of personal data. Breaches will broadly fall into one of two categories:

Major – if it is likely to result in a risk to the rights and freedoms of a data subject. Something significant has gone wrong. For example our servers have been hacked, data stolen and circulated on the internet.

Minor – if something has gone wrong but it is unlikely to be a major problem. For example, a passport returned to a customer in the post was believed lost but eventually showed up a bit later than expected.

All major and minor breaches need to be recorded by us in our "record of data breaches".

Only major breaches need to be reported by us to the ICO, within 72 hours of the firm becoming aware of the breach. In addition, a major breach should be reported directly to the data subject without delay. When reporting to the ICO, full details of the issue might not be known at the outset. It is acceptable to report the outline initially and then follow up with detail as it emerges.

Law enforcement

Information about individuals may be disclosed without the subject's consent in exceptional circumstances, and only in accordance with the DPA/GDPR, for example in matters relating to crime or law enforcement.