GDPR compliance

1 Introduction

This statement of compliance sets out how the Chartered Institute of Public Finance and Accountancy, hereafter referred to as CIPFA, complies with the General Data Protection Regulation (EU) 2016/679 (GDPR).

2 Scope

The scope of CIPFA’s GDPR compliance is geared to our role as a data processor to our clients, as well as a data controller. The scope applies to all CIPFA operations and services involving the handling of personal data concerning an identified or identifiable natural person. This includes the following activities:

  • Processing of student and delegate information to enable administration processes associated with course delivery and examinations.
  • Processing of Memorandum of Understanding member data to enable administration and regulatory requirements of memberships and the delivery of member services.
  • Processing of subscriber data to enable administration processes associated with subscription services and the delivery of subscription services.
  • Provision of software as a service to purchasers of CIPFA Asset Manager and CIPFA FM Model.

Please note that, in our role as data processor acting on behalf of you, the data controller, this statement of compliance references some data controller responsibilities and assumes that you are fulfilling your obligations as data controller under GDPR, specifically as stated in 3.1.2 below.

3 Statement of compliance

CIPFA has implemented the following measures to ensure full compliance with GDPR and to protect all personal data that we process from accidental or unlawful destruction, loss, alteration, access or disclosure.

3.1 General technical and organisational information security measures

3.1.1 All CIPFA's policies, procedures and processes have been reviewed and updated for GDPR compliance, including our roles as data processor and data controller and incident/breach management.

3.1.2 We will process personal data only in accordance with the data controller’s written instructions which shall be in line with their specified purpose(s), their legal basis of processing and all other principles stated in paragraph 1 (a-f), Article 5 of the GDPR.

3.1.3 We will assist the data controller in meeting the requirements of GDPR with regard to the notification of personal data breaches and data protection impact assessments.

3.1.4 Information security is embedded in all CIPFA policies, processes and procedures.

3.1.5 We are certified to ISO 27001:2013 (Information Security). The requirements of this standard are closely aligned to the requirements of GDPR and demonstrate that our buildings, infrastructure, systems, policies, processes, procedures and controls are adequately robust to protect all personal data that we process.

3.1.6 We have carried out a data audit and produced a full record of our processing activities which is compliant with Article 30, GDPR 2016.

3.1.7 We operate an integrated risk management framework. We regularly assess and manage the risks associated with protecting the confidentiality, integrity and availability of the personal data that we process and their related assets.

3.1.8 We have processes in place that ensure we can securely destroy any data that is no longer required or has passed its retention period.

3.1.9 We are regularly audited for adherence to the Data Protection Act 1998 and GDPR with no major issues found. We will contribute to reasonable audits and inspections required by the data controller. The scope and timelines of such audits will be agreed with the data controller in writing and in advance.

3.1.10 We are conducting internal audits to validate that we are GDPR compliant and to identify any further areas for improvement.

3.1.11 We have robust business continuity and disaster recovery plans in place to minimise the impact of any disruptive incidents or disasters, and our systems and processes are resilient enough to protect the confidentiality, integrity and availability of personal data.

3.1.12 We have a designated Data Protection Officer (DPO) who monitors our compliance with GDPR and is the central point of contact with the regulator (the ICO).

3.2 CIPFA systems and hardware

3.2.1 We have developed our end-user systems to ensure that they are fully GDPR-compliant. This includes the development of additional functionality to assist our customers and users with managing the data that we hold on them and its use, retrieval, editing, amendment and deletion.

3.2.2 CIPFA’s systems enable us to fulfil our obligations for a data subject’s right of access to, rectification or restriction of personal data. All personal data is backed up and stored securely. We will inform the data controller of any requests or complaints that we receive from a data subject regarding the exercising of their rights under GDPR.

3.2.3 CIPFA systems are being further developed to enable us to easily fulfil our obligations for the ‘right to be forgotten’ (Article 17, GDPR 2016). Personal physical data can be securely destroyed on receipt of a written request from authorised users.

3.2.4 CIPFA systems enable us to fulfil our obligations for the ‘right to data portability’ (Article 20, GDPR 2016). All personal data can be retrieved from our systems and provided to the data subject on receipt of a written request from authorised users.

3.2.5 Disaster recovery is in place for our critical systems.

3.2.6 All laptops and desktops run the latest security patches and antivirus software. They are also encrypted and contain personal firewalls.

3.3 Supply chain

3.3.1 We operate a preferred supplier policy – suppliers are only approved and used after they have passed a strict application process.

3.3.2 We audit our suppliers for adherence to the Data Protection Act 1998 and GDPR.

3.3.3 We ensure that all our suppliers who may have exposure to confidential information have signed confidentiality/non-disclosure agreements.

3.3.4 We will only engage sub-processors after receiving prior written consent from the data controller and under a written agreement with the sub-processor which includes data protection obligations that meet the requirements of GDPR.

3.4 Staff education, awareness and integrity

3.4.1 GDPR and information security training and awareness is included in our company induction for all new employees.

3.4.2 All existing members of staff receive training on their responsibilities for GDPR, and this is ongoing. They also receive annual training on their roles and responsibilities for information security.

3.4.3 All staff who are authorised to process personal data do so on a strictly ‘need-to-know’ basis as necessary to perform their role in the provision of required services.

3.4.4 All staff have signed a confidentiality/non-disclosure agreement which forms part of their contract of employment.

4 Declaration

We confirm that the above measures are in place. These measures are monitored for their continued suitability and adequacy for compliance with GDPR.

– CIPFA Data Protection Officer, 25/5/2018