In order to provide firms with the Turnkey Asset Management Programme, EBI will need to see sight of personal data for the clients that are subscribed members. EBI is committed to protecting and respecting your privacy.
It is believed that the firm is a ‘data controller’. The definition of this is broadly the same as in the Data Protection Act 1998 in that the controller says how and why personal data is processed and the processor acts on the controller’s behalf.
This policy explains when and why EBI collect personal information, how it is used, the condition under which it may be disclosed to others and how it is kept secure.
EBI may amend this policy from time to time without giving any prior notification. You are responsible for regularly reviewing the policy to confirm your continued agreement to them. Continued use of our website following any such changes constitutes your acceptance of those amendments and your agreement to be bound by them.
Who in the firm is responsible for ensuring that adequate data protection is in place?
Each individual completes training to ensure adherence to data protection regulations. Guzz Burgess takes ultimate responsibility to ensure adequate procedures are in place and regularly reviews policies to ensure adherence.
Any questions regarding this policy and our privacy practices should be sent by email to enquiries [at] ebip.co.uk or in writing to Guzz Burgess, EBI Portfolios Ltd, Ledra House, Aldridge, Walsall, WS9 8TH. Alternatively you can telephone 01922 472226.
What personal data does EBI hold?
EBI holds personal data of all individuals that have registered an account with us or have expressed an interest in the services we provide. EBI will also hold data relating to third parties that we currently have or previously have had commercial relationships with. This data will include names, addresses, telephone numbers, email address and general correspondence received via electronic and paper form.
Whilst EBI’s client is the financial adviser, EBI may receive data relating to the end investor. This may include names, addresses, telephone numbers, email address and investment details such as portfolio numbers, balances, transaction history, etc.
EBI will also hold data relating to staff members including names, date-of-birth, addresses, National Insurance numbers, identification, bank details and general correspondence.
Where has this data come from?
When an adviser registers on EBI’s website they will be asked to provide personal data relating to themselves and their firm. Data may also be received via email, telephone & post.
EBI may be provided data by third parties where there is a genuine need for the information.
EBI may collect its own data directly from websites and registers such as the Financial Conduct Authority register.
Who is it shared with?
EBI may pass your information to third party service providers, agents and other associated organisations for the purpose of completing tasks and providing services to you on our behalf. However, when EBI use third party service providers, only the personal information that is necessary to deliver the service is shared. EBI will have a contract in place that requires them to keep your information secure and not use it for their own direct marketing purposes. Please be assured that EBI will not release your information to third parties beyond the firm for them to use for their own direct marketing purposes, unless you have requested EBI to do so, or EBI are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crimes.
EBI will not sell or rent your information to third parties.
EBI will not share your information with third parties for marketing purposes.
What do you do with the data?
The data is used for future communications and to ensure EBI can provide its services to the data subject. The data may be used to recover previous agreements and terms of each individual account holder.
EBI may use client data for MI purposes, account management and adherence to the terms specified within EBI agreements.
EBI may use your data to:
- Act as the basis for any service EBI provide.
- To carry out our obligations arising from any contract entered into by you and EBI.
- Provide information to platforms for the purpose of arranging investment solutions.
- Provide ongoing services to you.
- Meet the regulatory obligations of the services EBI provide.
The EBI website may collect and use your personal information in order to operate and improve the services it provides. These uses include making the website or service easier to use by eliminating the need for you to repeatedly enter the same information and performing research and analysis aimed at improving our products, services and technologies.
We may also capture non-personal information, which is defined as data in a form that does not hold a direct association with any specific individual user. We may capture, use, transfer, and disclose non-personal information for any purpose.
We may collect information such as language, unique device identifier, IP address, geo-location, and the time zone where our website is used so that we can better understand usage habits and improve our products, services, and advertising. This information will always be used in an aggregated form and be used to help us provide more useful information to our users and to understand which parts of our website, products, and services are of most interest. Aggregated data is considered non-personal information.
If for any reason we do combine non-personal information with personal information the combined information will be treated as personal information for as long as it remains combined and as such be applicable to the terms describing our handling of personal information.
EBI will make appropriate contact with you to provide the agreed services. EBI will not contact you for marketing purposes by post, email, phone or text message unless you have given your prior consent. You can change your marketing preference at any time by contacting enquiries [at] ebip.co.uk.
What is the legal basis for holding the data?
Contractual - The client requires use of EBI’s resources and financial planning tools having created their own account via EBI’s website and confirmed agreement to EBI’s terms. EBI provides a Turnkey Asset Management Programme as detailed in the licence agreement.
How is data stored and how is this protected?
EBI does not retain any paper files. All paper records are scanned and stored on EBI’s internal systems. The paper records are then destroyed using a secure waste disposal service provided by Veolia.
Data is stored on-site on servers we own. Access to these servers is physically restricted by a locked door, with keys stored in a safe only accessible to relevant employees. Data on these servers is available to workstations in our office, as well as to employees working outside of our office via an encrypted VPN tunnel. This data is only shared to authenticated users of our network domain.
Most data only passes through a workstation as it is being used and is never directly stored on the machines being used by our staff, however some work is saved locally for various reasons. Because of this all workstations (on-site and remote) are protected by domain credentials known only to our employees. All workstations are protected by Microsoft anti-virus software. We also employ a staff policy of locking workstations upon leaving them unattended.
Our on-site servers use backup services provided by Ceejay Software Limited, see https://ceejay.com/gdpr-and-data-security/ for their GDPR and data security statement.
Our email communications are stored by an external service Rackspace US Inc, see https://www.rackspace.com/en-gb/gdpr for information on their GDPR principles and the security mechanisms they employ. A copy of a member of staff’s emails will also be stored on workstations which they use, these are protected as above.
Our phone communications are provided by an external service Yay.com. The majority of phone calls we make and receive are recorded on their servers. Find their statements on GDPR compliance at https://www.yay.com/blog/voip-provider/gdpr-compliance/. Backups of recorded phone calls are also stored on our servers which are protected as above.
Our web services are provided by cloud VPS providers VPSDime and DigitalOcean. Access to the servers we rent is restricted to IT staff via at least 2048-bit RSA public-private key pairs. These keys are stored via LastPass and accessible only to IT staff.
Our cloud servers use backup services provided by Tarsnap Backup Inc. The security of documents stored on their service is examined at https://www.tarsnap.com/security.html. The keys required to access the backups are stored via LastPass and accessible only to IT staff.
Who are your strategic partners and do they have policies in place to be GDPR compliant?
Ceejay Software Limited - See https://ceejay.com/gdpr-and-data-security/
Rackspace US Inc - See https://www.rackspace.com/en-gb/gdpr
Yay.com - See https://www.yay.com/blog/voip-provider/gdpr-compliance/
Tarsnap Backup Inc - See https://www.tarsnap.com/security.html
FinaMetrica – See https://www.riskprofiling.com/News,-Blogs,-Newsletters,-Webinars/news_articles/GDPR-and-FinaMetrica
Campaign Monitor – See https://www.campaignmonitor.com/trust/gdpr-compliance/
Dropbox – See https://www.dropbox.com/en_GB/security/GDPR
Wallace Crooke - See https://www.wallacecrooke.co.uk/disclaimer#privacy
Do you have a process to follow in the event of receiving a data request?
Yes, EBI has a checklist to follow when receiving such requests. This will involve extracting all data within our internal servers (including our CRM system, files, emails, and email attachments) and offsite (cloud servers) systems.
Do you have a process for data erasure and can you be sure this is permanently deleted?
Yes, EBI has a process in place. All data will be stored by electronic means as we do not keep any paper records. Records will be identified in the services listed in the previous question and purged. Additionally, a log of data erasure will be kept in order to purge previously erased data in the case of a data backup being restored to one of our servers.
Do you have a process to ensure data is proactively deleted when the time limit has expired?
The firm can hold data for 30 years. EBI has a system in place so that it can identify when the 30 years is up and also delete any data which is not relevant i.e. data which is trivial or no longer needed.
EBI will complete a six monthly review looking at all data held and identify whether a relationship still exists with the data subject. Data which is no longer required will be erased and all other data will be reviewed to ensure it is still within the specified time limits.
How does EBI ensure that data is accurate and up-to-date?
Periodically, EBI members are asked to confirm their details via EBI’s website. Details will be displayed to members who are asked to review and submit to confirm no changes are to be made. Advisers are also asked to alter their billing page should staff members join or leave their firm.
EBI will also complete its own annual audit to ensure each member is registered with the FCA and has up-to-date authorisation.
Your rights in relation to your information
Where we collect your data directly from you, at the time when we collect data from you, we undertake to:
- Make clear to you in writing the name and contact details of the data controller for that Data, and of their representative.
- Let you have, where appropriate, contact details for any Data Protection Officer appointed by us.
- Make clear to you the purposes for which the data is to be processed, and the legal basis for Processing.
- Inform you in the event that the controller proposes to transfer the data to a country outside those covered by GDPR, details of the safeguards surrounding such transfer and how to obtain a copy of them.
- Inform you of the period for which we propose to hold the data, or, where this is not possible, the criteria which we will apply to data retention.
- Remind you of your rights to request access to data of which you are the data subject.
- Make clear your right to object to processing that is likely to cause or is causing damage or distress.
- Not subject you to automated decision making (including profiling) by use of your data, save as permitted by Data Processing Legislation and in accordance with appropriate measures to protect your rights and freedoms.
- You have the right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed.
- You have the right to claim compensation for damages caused by a breach of the Act.
- You have the right to complain with respect to any processing of your data and any breach of the above rights to the relevant supervisory authority, who in the case of the United Kingdom is the Information Commissioner’s Office, ico.org.uk by means of helpline (0303 123 1113) or online form.
- You have the right to ask us to cease processing information. This means that we will be able to retain it but no longer act upon it. In the event you no longer need our services and terminate them, we will automatically cease processing information.
Where we obtain your data other than directly from you, you will have the same or equivalent rights to those set out above.
EBI has no direct relationship with the investor (your client) but may be provided data from third parties (such as the financial adviser or platform) in this situation the investor will have the same or equivalent rights to those set out above.
How would EBI transfer data to another party upon the client’s request?
EBI would follow the same process for receipt of a subject access request. This would ensure we have collected all the data we hold and make it available for transfer upon the client’s authority.
How would EBI respond to an individual’s request to restrict the processing of their personal data?
EBI would ensure the client is not added to the CRM database or certain information is omitted depending upon the client’s preference.
The obtaining of personal data is on some occasions a necessity. This ensures EBI is sufficiently able to provide its products and services in accordance with the licence agreement. EBI would review each case on an individual basis.
Does EBI have a documented data retention policy?
EBI will comply with Data Protection Law with respect to the data and, in particular, but without limitation, will review the data on a regular and frequent basis to ensure compliance with Data Protection Law, including, but not limited to, putting into effect any deletion or correction of erroneous data requested by you. In the course of any review we will:
- Delete any Data which is trivial or transitory in nature, or which in our opinion is no longer required to be retained for the purposes set out above.
- Update the Data to ensure that any errors or inaccuracies in the Data are corrected.
- Archive the data as set out below.
- Securely delete Data once the legal basis for Processing that Data has come to an end.
We may retain and Process your Data for the following periods, and if more than one period applies to the same Data, to the last such period to expire:
- We will hold agreements (including Licence Agreement, Initial Agreement) between you and us for a period of six years from the termination or expiry of your subscription as an EBI member.
- We will Process Data related to our investment templates which we are managing for you and your clients during the full period of the term in which we are carrying out management of those portfolios and will continue to hold such Data for a period of no more than six years following us ceasing to provide services to you.
- We will hold Data required to be held for the purposes of any Regulator until the end of any limitation period imposed by the Regulator, which in the case of the Financial Conduct Authority is currently six years.
- We will hold Data required to be held for the purposes of any Relevant Third Party until the end of any period required by the Relevant Third Party.
- We will hold Data held for the purposes of any legal proceedings for a period of six years following the conclusion of any proceedings unless a longer period is required pursuant to any court rule or enactment.
- We will hold data for a maximum of 30 years from the date we receive the data.
Use of ‘cookies’
A cookie is a small piece of data sent from a website and stored locally in a website visitor's web browser. Cookies were designed to be a unified and reliable mechanism for websites to remember the state of the website or any pertinent activity the user had taken in the past. This can include accessibility preferences, logging in, shopping cart items or a record of which pages were visited by the user etc.
To make full use of the personalised features of our website, your web enabled device will need to accept cookies, as we can only provide you with the personalised features of this website by using them.
EBI’s cookies do not store any sensitive information, they simply hold the 'key' that, once you're logged in, is associated with this information. However, if you'd prefer to disable cookies, you can switch them off by setting your bowser preferences. Turning cookies off may result in a loss of functionality when using EBI’s website.
Links to other websites
In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owner and operators of that third party site and recommend that you check the policy of that third party site.
What is considered to be a breach of data and what steps are followed in the event of a breach?
All data is stored on our internal servers and is not transferred to external memory devices. A breach of data could be any of the following:
- Data sent to the incorrect person.
- Externals persons / organisations gaining access to our servers / workstations.
- Paper files not being destroyed and taken away from EBI premises.
- Employees accessing files without a genuine purpose.
- A bug in software leaking data.
Should a breach occur, EBI will investigate the reasons behind why the breach occurred and take the necessary action whether that be disciplinary action and/or improving processes. Depending upon the severity of the breach, EBI may decide to report the breach to the Information Commissioner’s Office (ICO). If the breach is likely to result in a high risk of adversely affecting individuals rights and freedoms EBI will also inform those individuals without undue delay.
EBI will keep a record of all personal data breaches, regardless of whether EBI are required to notify the ICO.
Do all staff understand the new data protection rules, what is classified as a data breach and what to do in the event of identifying a breach?
All staff receive regular training on data protection and will have an introduction to GDPR. EBI follows a response plan for addressing any personal data breaches. Guzz Burgess has been allocated responsibility for managing breaches. EBI staff are trained to escalate a security incident to Guzz Burgess to determine whether a breach has occurred.
There is a positive culture of data protection compliance within EBI. Staff receive training on an annual basis and understand the importance of safe guarding data. Staff demonstrate knowledge and adherence to company policy.
Has the firm passed ‘Cyber Essentials’?
No, EBI has not completed the course however the self-help guide has been incorporated within our GDPR review. The following areas are covered in the guide:
- Secure internet connection.
- Secure devices and software.
- Control access to your data and services.
- Protect from viruses and malware.
- Keep your devices and software up to date.
Is data transferred outside of the European Economic Area?
EBI does offer a solution to off-shore advisers however all activity relating to this service is within the EEA.
EBI does share data with FinaMetrica, a company based in Australia (outside EEA). The data includes adviser’s names and email addresses. Data is only shared once an adviser has given explicit authority by agreeing to the terms and conditions stated within EBI’s website. By agreeing to the terms and conditions the adviser is requesting to become a member of FinaMetrica. Advisers that do not wish to join FinaMetrica will not have their details shared.