Keoghs LLP GDPR Readiness Statement

The General Data Protection Regulation (GDPR) is a Regulation of the European Union and, from 25 May 2018, it applies to all organisations that collect and process the personal data of EU citizens.

As a responsible, forward-looking business, Keoghs recognises at senior levels the need to comply with the GDPR and ensure that adequate measures are in place to protect the personal data of our customers, employees and other stakeholders, and to ensure that it is processed lawfully, fairly and transparently.

Commitment to the security of personal data extends to senior levels of the organisation and is demonstrated through the relevant policies and the provision of appropriate resources to establish and develop effective data protection and information security controls.

As part of meeting our legal obligations, we have put in place a comprehensive programme to understand and validate our use of personal data and to confirm the legal basis of our processing. 

Further to this, we can confirm that:

• In our normal business operations, Keoghs LLP undertake various forms of work for an on behalf of our clients; as such we represent the role of processors, joint-controllers or controllers depending on the work we are undertaking
• A policy is in place for the protection of personal data within Keoghs LLP which has been approved by management and communicated to all employees and other relevant people
• All employees have received awareness training regarding data protection and the GDPR
• Everyone understands their roles in the protection of personal data, and has received training where needed
• We have identified the personal data we process, including where special categories are involved
• For each occasion we process personal data, we have established the lawful basis of the processing under the GDPR
• Where we have used the lawful basis of legitimate interest and it is not covered by substantial public interest, we have conducted a documented balancing test to assess the benefits versus the impact on the data subject of the processing
• In those cases where our processing is based on consent, we have taken steps to ensure clear, free consent has been given and is recorded
• We have put in place a blended approach, using just in time privacy notices and a layered privacy policy, to ensure that the required privacy information is provided in clear language whenever we collect personal data
• Tested procedures and online user facilities are in place to promptly process and fulfil data subject access requests where we are legally obliged to
• The length of time we keep personal data for, or the way we decide this, has been defined in each area of processing, and has been minimised
• We are keeping records of processing as required by the GDPR
• All of our contracts with our own 3^rd party processors are being updated to comply with the requirements of the GDPR
• Where we act as a processor on behalf of our clients, we have contractually committed to complying with the requirements of the GDPR
• All of our employees are having additional data protection responsibilities added to their job descriptions
• We have investigated our data transfer points and can confirm that we do not transfer personal data internationally
• Where appropriate, a data protection impact assessment approach which is line with the requirements and recommendations of the GDPR and relevant best practice are in place and being used to understand and manage our data protection risks
• By default, we plan for data protection in new or changed services and systems, including minimising our use of personal data and protecting it via techniques such as anonymisation
• We have tested procedures in place to fulfil our obligations in the event of a breach of personal data
• We have policies and other controls in place to provide appropriate protection of personal data, based on a careful assessment of risk
• Keoghs have appointed Ryan Mackie of IT Governance Ltd as our Data Protection Officer (DPO) and have formally informed the ICO of this appointment
• We have our Quality, Risk and Compliance Team in support of the DPO to handle any queries and act as a central point of contact for all Data Protection related queries or issues as per the following contact details:

We will continue to develop and improve our data protection policies and controls over time, guided by legal requirements and the needs and preferences of our customers and partners.