The General Data Protection Regulation (GDPR) is a piece of EU legislation that has come into effect from 25 May 2018 and has superseded the Data Protection Act. The aim is to keep individual’s data safe and provide the ability to identify how their personal information is being used. The GDPR applies to all organisations established in the EU and the processing of personal data of any individual residing in the EU.
The Brunsdon Companies (Brunsdon) recognise the principles enshrined in the General Data Protection Regulation (EU Article 29) and other regulations. Brunsdon already has strong data security processes in place, however we’ve reviewed what we do to ensure our policies, processes and procedures help meet our requirements.
Under these regulations, Brunsdon is a Data Controller of the personal data that it gathers on its clients. Clients can be individual, Corporate or employees of a Corporate client – all references to ‘you’, ‘your’ or ‘our’ relate to either an individual client, corporate client or employee of a corporate client. In addition, references in the ‘third sense’ also refer to our individual clients, Corporate clients or employees of a Corporate client.
By definition the data controller determines the purposes and means of the processing of that data.
As Data Controller, we have an obligation to provide information to our clients and third parties about how we process your data in a fair and transparent manner. This Privacy Statement therefore, explains what type of information we collect, how we may use any personal information we hold, its origin and who it is shared with.
We have appointed the Compliance Director for Brunsdon Financial Services Limited (BFS), as our nominated Data Protection Compliance Manager and contact for the Brunsdon group of companies.
Brunsdon is committed to protecting your personal information.
Our Privacy Statement contains important information about what personal details we collect; what we do with that information; who we may share it with and why; and your choices and rights when it comes to the personal information you have given us.
We may need to make changes to our Privacy Statement. If there are important changes such as changes to where your personal data will be processed; we will contact you to let you know.
This version of our Privacy Statement was last updated 23 May 2018.
Brunsdon Financial Services Limited; Brunsdon Employee Benefits Limited and Brunsdon Asset Management Limited; collectively known as ‘Brunsdon’ of Goodridge House, Goodridge Avenue, Gloucester, GL2 5EA (the Data Controller). Brunsdon is a 100% privately-owned financial services consultancy and insurance intermediary.
If you have any questions about our Privacy Statement or the information we collect or use about you, please contact;
FAO Data Protection Guardian Brunsdon Financial Services Limited, Goodridge House,
Goodridge Avenue, Gloucester
We collect information about you when you engage with us for financial advice, ongoing financial planning services and Corporate / Employee benefits solutions. This information will relate to your personal and financial circumstances. It may also include special categories of personal data such as data about your health, if this is necessary for the provision of our services. Information about you that we collect and use includes:
We may need to gather personal information about your close family members and dependants in order to provide our service to you effectively. In such cases, it will be your responsibility to ensure that you have the consent of the people concerned to pass their information on to us. We’ll provide a copy of this privacy notice for them or, where appropriate, ask you to pass the privacy information to them.
We may collect your personal information directly from you, from a variety of sources, including:
If you are a member of your employer’s pension scheme, or other group schemes; such as Death in Service, Group Private Medical Insurance; Group Income Protection; etc. the information we collect and use will most likely have been provided by your employer on your behalf.
The primary legal basis that we intend to use for the processing of your data is for the performance of our contract with you. The information that we collect about you is essential for us to be able to carry out the services that you require from us effectively. Without collecting your personal data we’d also be unable to fulfil our legal and regulatory obligations.
Where special category data is required we’ll obtain your explicit consent in order to collect and process this information.
We collect information about you in order to provide you with the services for which you engage us.
If you agree, we may email you about other products or services that we think may be of interest to you.
If you agree, we’ll pass on your personal information to our group of companies so that they may offer you their products and services.
We won’t share your information for marketing purposes with companies outside our group of companies.
In order to deliver our services to you effectively we may send your details to third parties such as those that we engage for professional compliance, accountancy or legal services as well as product and platform providers that we use to arrange financial products for you.
Where third parties are involved in processing your data we’ll have a contract in place with them to ensure that the nature and purpose of the processing is clear, that they are subject to a duty of confidence in processing your data and that they’ll only act in accordance with our written instructions.
Where it’s necessary for your personal data to be forwarded to a third party we’ll use appropriate security
measures to protect your personal data in transit, such as password protection and/or encryption of data etc.
To fulfil our obligations in respect of prevention of money-laundering and other financial crime we may send your details to third party agencies for identity verification purposes.
We may share your information with third parties for the reasons outlined in 'Who might we share your
information with?’ and ‘Why do we need to collect and use your personal data?'
These third parties include:
We will never sell your details to someone else. Whenever we share your personal information, we will do so in line with our obligations to keep your information safe and secure.
We will keep your personal information only where it is necessary to provide you with our products or services while you are a client. We’ll take all reasonable steps to keep your personal data up to date throughout our relationship.
We may also keep your information after this period, but only where required to meet our legal or regulatory obligations. The length of time we keep your information for these purposes will vary depending on the obligations we need to meet and subject to regulatory requirements to retain data for specified minimum periods. These are, generally:
These are minimum periods, during which we have a legal obligation to retain your records.
We reserve the right to retain data for longer where we believe it's in our legitimate interests to do so. In any case, we’ll not retain your personal data for longer than 6 years past the end of your policy contract or after our relationship with you has ended.
You have the right to request deletion of your personal data. We’ll comply with this request, subject to the
restrictions of our regulatory obligations and legitimate interests as noted above.
You have the right to request a copy of the information that we hold about you. If you’d like a copy of some or
all of your personal information, please email or write to us using the contact details noted above.
When your personal data is processed by automated means you have the right to ask us to move your personal data to another organisation for their use.
We have an obligation to ensure that your personal information is accurate and up to date. Please ask us to correct or remove any information that you think is incorrect.
If you use our Brunsdon Direct Invest service, your personal information will be gathered through the information that you input onto the system. Your data is collected in order for us to carry out the service for which you engage us. If you’re unsure about the outcome of the automated process you can contact us to discuss or to challenge the outcome.
We take measures to ensure the security of your data. We don’t use any special category data (such as data about your health) in the automated process unless it’s strictly necessary to deliver our service and we have obtained your explicit consent to do so.
We regularly check our systems for accuracy and bias and feed any changes back into the design process.
We’d like to send you information about our products and services and those of other companies in our group which may be of interest to you. If you’ve agreed to receive marketing information, you may opt out at a later date.
You have a right at any time to stop us from contacting you for marketing purposes or giving your information to other members of the group. If you no longer wish to be contacted for marketing purposes, please contact us by email or post.
Our website contains links to other websites. This privacy statement only applies to this website so when you link to other websites you should read their own privacy policies.
You also have a right to lodge a complaint with the supervisory authority for data protection. In the UK this is:
Information Commissioner's Office Wycliffe House
Water Lane Wilmslow Cheshire SK9 5AF
0303 123 1113 (local rate)
Details of how to contact us are provided at the beginning of this Privacy Statement
Brunsdon provides this site for general information purposes. Its content does not constitute client-specific advice.
We make no representation or warranty that the site will be accessible or useable by you. It may contain inaccuracies or typographical errors. We assume no responsibility or liability for any such errors, omissions or inaccuracies.
You are entitled to view, copy, print or otherwise download material for your own personal, non-commercial use, provided you do not remove any notices relating to copyright, or modify the content in any way.
This site may contain links to other websites. Brunsdon bears no responsibility for the content and/or privacy policies of other sites.
In this section, we explain in more detail the measures we take to keep data secure.
As the information within our IT security policy is sensitive we are unable to share the policy itself, however we can provide an overview. The policy is based on four key pillars:
1. Policies– documented policies that staff are required to sign
2. User education– via induction training for new joiners and ongoing training for existing employees
3. Hygiene factors– regular patching and security updates, as well as regular penetration testing and security scans
4. Specific security tools– intrusion detection and prevention systems and firewalls to prevent unauthorised access
The information security function is managed by our IT and systems team and overseen by the Risk committee. This function is supported by two major providers to whom we outsource services:
We take various steps to make sure that our information security management systems are in line with current best practice. The last information security audit we undertook was in the fourth quarter of 2016. A Further information security audit is due to take place in May 2018 and annually thereafter.
Personal data will be stored in our customer relationship management (CRM) systems and internal infrastructure. Our CRM and internal servers are backed up each evening. Data held in the CRM is manged by Intelliflo, hosted in the UK.
Data is stored on specific server drives that are access controlled to ensure only users with the right to access that data have permissions.
Data is not held on company devices and all USB ports are disabled to prevent removal of data via USB for the staff who have access to it.
We operate mainly as a paperless office. We only hold physical customer data on ‘working files’, which are stored securely in lockable cabinets. Once completed, we dispose of these using a specialist confidential waste provider.
Access to data is granted to staff on a role specific basis. All systems are password protected and user access rights are reviewed every 12 months and documented. If a user changes roles or leaves the company then their permissions are reviewed or removed as appropriate. Permissions can only be granted or changed with the approval of a member of the senior management team.
Data held in our CRM system is already encrypted both at rest and in transit, this is managed by Intelliflo.
All incoming and outgoing emails are scanned automatically by our email security software. We also have Transport Layer Security (TLS) and content filters applied to mitigate the inherent risks of email.
We can enable TLS email encryption for a specific company if they want to implement it. Please contact us if you wish to arrange this.
Where we do need to share data with a third-party provider we will either use a secure portal (where possible) or password protect the files.
We use anti-virus software to protect ourselves from threats, as well as an intrusion detection prevention system and various firewalls. This infrastructure is regularly monitored and will trigger alerts in the event of a detected threat. We also have various filters (email and web) to minimise the risk of malicious viruses. In addition, we conduct regular training and awareness sessions with staff to mitigate the risk of these threats.
This infrastructure is kept up to date by our IT and Systems Team. They ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches as soon as possible, with critical patches installed within one month of release.
We use independent security specialists to conduct a full penetration test on a regular basis. All priority items identified in the most recent test conducted in November 2016 have been acted upon.
The main entrance access to our office at Goodridge house can only be made by employees who have allocated key cards or approved and supervised contractors and the building is monitored 24/7 by ADT and Glevum Security Services. There are two locked internal doors with a keypad entry system. Windows are fitted with locks.
We have a business continuity plan in place which is reviewed on an annual basis.
We have a risk management policy and any business event or incident, regardless of its origin, is recorded and tracked in the risk event log. All risk events are reviewed monthly by the Executive Management team at a risk review meeting. In the event of a data breach we will inform any clients affected within 72 hours of becoming aware, with reporting to the appropriate regulatory body.
Brunsdon is the trading name of Brunsdon Financial Services Ltd. (Reg. No. 03434005), Brunsdon Insurance Brokers Ltd. (Reg. No. 03433998), Brunsdon Asset Management Ltd. (Reg. No. 07098607) and Brunsdon Employee Benefits Ltd (Reg. No. 11021460). All companies are registered in England at Goodridge House, Goodridge Avenue, Gloucester GL2 5EA.
Brunsdon Financial Services Ltd. and Brunsdon Insurance Brokers Ltd. are authorised and regulated by the Financial Conduct Authority. Brunsdon Employee Benefits Ltd is an appointed representative of Brunsdon Financial Services Ltd. The FCA does not regulate tax advice and some elements of Automatic Enrolment.
The guidance and/or advice contained within this website is subject to the UK regulatory regime and is therefore restricted to consumers based in the UK.
We aim to deliver the very best service to all our customers, however in the event that you're dissatisfied please contact our Compliance Officer in the first instance at firstname.lastname@example.org
If you would like more information on your rights, or on how to make a complaint, you'll find plenty of information on the website of the Financial Ombudsman. The Financial Ombudsman Service is available to sort out individual complaints that clients and financial services businesses aren't able to resolve themselves. To contact the Financial Ombudsman Service please visit www.financial-ombudsman.org.uk