The Information Commissioner’s Office (ICO) has provided a checklist of questions that must be answered in order to show that an organisation is ready for, and compliant with, the introduction of GDPR.
Below are the responses of Endowment Surrender Plus to those questions, which form part of our Privacy Statement:
1.1 Information we hold
We hold basic information supplied directly from the individual (or their agent e.g. IFA, solicitor or accountant) either by them completing our online enquiry form or from a telephone enquiry.
The information we hold consists of the individual’s contact details (name, address, contact number and email address) and policy details, including the names and dates of birth of the lives assured – sufficient information to enable ESP to search for offers greater than the policy’s surrender value should the policy owners decide to sell it.
The search for offers entails us submitting the policy details (but no personal details) to a number of different Market Makers (companies that deal in traded endowment policies) to try to obtain offers greater than the surrender value offered by the Life Office concerned. When our search is concluded we report back to the policy owner with the results. There is no obligation for them to take the enquiry any further, but if they want to accept a Market Maker’s offer then we have to pass on further information to the Market Maker concerned to enable them to prepare the necessary paperwork – this would be: the name and address of the policy owner(s), and the names and dates of birth of the life or lives assured. We send the paperwork directly to the policy owner(s) and, if they decide to go ahead, they send the completed paperwork directly to the Market Maker’s solicitors to process the sale.
We occasionally contact individuals on our database with details of services or products which we believe may be relevant to them – e.g. if we believe they may be entitled to compensation because their endowment was mis-sold to them.
1.2 Lawful basis for processing personal data
Any enquiries we receive are from individuals who have contacted us to perform a specific service, namely to ascertain whether they have the right type of endowment policy to potentially trade on the open market and, if so, what is the best offer we can obtain for them by ‘trawling’ the policy details round a number of different Market Makers, should they wish to cash in their policy.
Without basic policy details and contact details we cannot perform this service so we obviously have a lawful reason to process this limited personal data.
The very fact that individuals complete our secure online Enquiry Form or provide the necessary information by telephone implies that they have given consent for us to perform the service of searching for offers on their policies.
We are in the process of contacting existing enquirers to obtain an opt-in to allow us to provide information about other services or products we believe may be relevant to them.
We are also adding an opt-in/opt-out option to our enquiry form in respect of other services.
1.4 Children’s Data
We do not process children’s personal data.
1.5 Vital Interests
1.6 Legitimate Interests
We have a legitimate interest in processing the limited data we obtain from an individual enquirer, as they expect us to perform a search for offers on their endowment policy or to advise them why their policy is not the right type to be tradeable – we could not do that without processing the data in the way that we do.
The data we obtain is not particularly sensitive or private and the enquirer expects us to use it in this way.
For our main service it would be pointless to ask for an opt-out, but we will offer an opt-out if an individual does not want us to use their data for marketing purposes.
1.7 Data Protection Registration
Endowment Surrender Plus – ESP has been registered with the Information Commissioner’s Office since 2003. Registration number: Z7923047
2.1 Right to be informed including privacy information
We will have an up-to-date Privacy Statement on our website before 25th May 2018.
2.2 Children’s Personal Data
We do not process children’s personal data.
2.3 Right of access
We are happy to respond to individuals’ requests to access their personal data – details of where to enquire are given in our Privacy Statement.
2.4 Right to rectification and data quality
We are currently in the process of contacting existing individuals on our database, which involves checking and, where necessary, correcting the limited information we hold and obtaining an opt-in/opt-out for other relevant marketing opportunities.
2.5 Right to erasure including retention and disposal
We will remove from our database any personal data where specifically requested by an individual; otherwise we will hold data securely for up to 15 years after the maturity date of the policy.
2.6 Right to restrict processing
We have a legitimate interest in processing the data where an individual has asked us to perform a specific task, i.e. a search for offers on an endowment policy. Individuals will have the option to opt out of any other processing of their data.
2.7 Right to data portability
Although we cannot imagine any reason for an individual to want to move, copy or transfer the limited personal data we hold, we would of course be able to supply a secure copy to that individual as long as we could confirm their identity.
2.8 Right to object
We have procedures in place to handle an individual’s objection to the processing of their personal data. Basically, they can opt out of any further contact and their data will be deleted from our database.
2.9 Rights related to automated decision making including profiling
None of our processing operations constitute automated decision making or profiling.
Endowment Surrender Plus has an appropriate data protection policy. We only require fairly limited data from an individual to perform the service we offer. This data is held securely on our database at our UK office. Our database is backed up daily onto UK-based servers. This backup is fully encrypted to ISO 27001, and any restores are controlled and logged and require the decryption key. Our IT support service logs, reports on and monitors all activity.
We monitor our own compliance with data protection policies and we will regularly review the effectiveness of data handling and security controls.
Endowment Surrender Plus – ESP – is committed to safeguarding your privacy online. The information we collect is only that required by us, or by any third-party vendor or organisation associated with us, in order for us to provide you with the service you have requested.
We handle all information provided in a secure manner and treat it as completely confidential.
ESP provides data protection awareness training for all staff.
3.2 Processor Contracts
We will always ensure that we have a written contract with any processors we use.
3.3 Information Risks
Data-related risks are taken very seriously. To this end, all transmission of data is end-to-end encrypted to the highest possible standard.
3.4 Data Protection by Design
Our online enquiry form is secured using an SSL certificate, which activates the browser padlock and the https protocol and encrypts the connection between the web server and the browser.
3.5 Data Protection Impact Assessments
Our business understands when we must conduct Data Protection Impact Assessments (DPIAs) and has processes in place to action this.
We will conduct a DPIA before we begin any type of processing that may result in high risk, such as a change to the suppliers of our IT services or changes to our secure backup facilities.
3.6 Data Protection Officers (DPO)
Our Data Protection Officer is Mark Jon Wayman who can be contacted at firstname.lastname@example.org
3.7 Management Responsibility
All key people within Endowment Surrender Plus are fully aware of, and actively support, the need for compliance with data protection legislation.
4.1 Security Policy
Our business has an information security policy appropriate to the limited data on individuals that we hold. All data submitted to us via our website – www.endowmentsurrenderplus.co.uk – is sent via an SSL-certified (fully encrypted) form. Our database is held on a UK-based server and is securely backed up daily.
4.2 Breach Notification
Our business has effective processes to identify, report, manage and resolve any personal data breaches.
Our systems will identify any data breaches and we have a technical support team available to manage and resolve any breaches.
4.3 International Transfers
We have no intention of transferring any personal data outside the European Economic Area, but should we ever do so we would ensure that an adequate level of protection was in place.
Endowment Surrender Plus is the trading name of Endowment Surrender Plus Limited. Registered Office: The Cottage, Lyme Green Park, London Road, Macclesfield, Cheshire. SK11 0LD. Company Number 11378430 (England and Wales).