What is your organisation name?

This website refers to the processes put in place by the Armstrong Watson group, whose registered office is James Watson House, Montgomery Way, Rosehill, Carlisle, CA1 2UU, and which comprises:

  • Armstrong Watson LLP is a limited liability partnership registered in England and Wales, number OC415608
  • Armstrong Watson Audit Limited is registered to carry on audit work in the UK and Ireland by the Institute of Chartered Accountants in England and Wales. Registered as a limited company in England and Wales, number 8800970
  • Armstrong Watson Financial Planning Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 542122. Registered as a limited company in England and Wales, number 7208672
  • Armstrong Watson Trustees Limited is a limited company registered in England and Wales, number 84495652.

Who is your GDPR / Data Protection contact?

The role of Head of Privacy is held by one of our directors, who works closely with our Management Board. The contact details are:

Contact: Head of Privacy

Address: James Watson House, Montgomery Way, Rosehill, Carlisle, CA1 2UU

Email: privacy@armstrongwatson.co.uk

Telephone: 01228 690100

What personal data do you collect, receive or hold?

We aim to only keep data that is required to fulfil our contractual obligation; as a result the exact detail held will differ from service to service. It is however likely to include:

  • Contact details
  • Business activities
  • Family information
  • Income, taxation and other financial-related details
  • Investments and other financial interests
  • Information about management and employees
  • Information about directors, partners and trustees and their families
  • Payroll and other financial related details

We may also occasionally hold data that is defined as sensitive; we will only ask for this data where it is explicitly required. More details can be found in the Privacy Statement.

What security is in place to protect the firm’s IT infrastructure?

We use a secure offsite data centre to host all our internal servers. This data centre is accredited with PCI DSS for Physical Hosting Services and holds ISO27001 and ISO9001 certification. In addition, the centre has been authorised to process HM Government data protectively marked ‘Official-Sensitive’.

All laptops have encrypted hard drives using AES (Advanced Encryption Standard) encryption.

The firm uses TLS (Transport Layer Security) for all email traffic and SSL (Secure Sockets Layer) for Internet traffic where possible.

The firm is certified under the National Cyber Security Centre’s Cyber Essentials certification, which is designed to help organisations protect the confidentiality, integrity and availability of data stored on devices which connect to the Internet, such as:

  • desktop and laptop PCs
  • tablets and smartphones
  • all types of server and networking equipment

Further details can be found at www.cyberessentials.ncsc.gov.uk

What processes are kept in place to ensure access to our servers?

The firm uses an online backup and business continuity service provided by Databarracks, which ensures access to personal data in the event of a physical or technical incident. Databarracks holds both ISO 27001 and ISO 9001 certification. Further details can be found at www.databarracks.com/company/certifications

Our offsite data centre provides a highly secure computing environment with 24 hour A/C power; UPS with emergency generator backup; ventilation, air conditioning & computer monitored climate control for heating (HVAC); and fire detection & suppression.

What are the processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures?

The firm has a Data Protection Impact Assessment (DPIA) based on the guidelines provided by the ICO which is used to ensure that changes to environment or process which are likely to result in a high risk to individuals’ interests are identified and minimised.

From a technical perspective the firm regularly performs phishing and penetration testing across the business as well as simulated DR tests.

How does the firm guard against the risks of accidental or unlawful destruction of personal data, data loss or alteration and unauthorised disclosure of, or access to, personal data, and its obligations to notify the individuals involved promptly of any such events occurring?

Access to all systems within the firm is controlled through user accounts, which prevents unauthorised access. All access is revoked and all equipment is returned when an employee leaves the firm.

The firm has a Data Protection policy which explains the duties and responsibilities each member of our team must uphold with regard to both electronic and non-electronic records. All new starters are trained on this policy when they join the firm; ongoing training is performed as part of our CPD processes. Our employment contracts include clauses setting out an obligation to comply with our information security and data protection policies.

The firm has a defined process for identifying and reporting personal data breaches which follows the guidelines provided by the ICO. The firm has appointed a senior member of the management team to act as Head of Privacy and oversee this and all other data protection processes.

What controls are in place to ensure third party systems and contractors adhere to the GDPR?

All contracts with third party systems and contractors are reviewed to ensure that appropriate controls are in place to ensure data security and confidentiality. During the procurement process an assessment is made by the firm to ensure that the use of this system or contractor will not reduce our data security. These controls are reviewed periodically to ensure that the situation has not changed.

What physical security measures does the firm employ?

We use numerous security measures in our offices, some of which are:

  • A connected alarm system
  • A log is kept of the entry and exit of all visitors
  • A clear desk policy is in place within the firm to ensure all confidential documents are stored correctly
  • Confidential waste is stored in locked bins until it is shredded
  • Long term storage of paper files is held offsite by a company that uses secure vetted staff, GPS-tracked vehicles, access control, fire suppressants and air and humidity control. Operations to BS7858:2012, BS1571:2009 and USSA Code of Practice standards