The Bubb Sherwin Partnership Limited
Chartered Certified Accountants
Call us today on 01227 773086



In the course of its business, the Firm needs to gather and use certain information about individuals. This will include clients, suppliers and other business contacts, and employees and prospective employees, as well as other people that we have a relationship with, may need to contact, or with whom we need to deal.

This policy describes how this personal data must be collected, processed, transferred, handled and stored in order to meet the requirements of data protection law, in particular the General Data Protection Regulation (GDPR). We recognise that, not only must we comply with the principles of fair processing of personal data, we must also be able to demonstrate that we have done so. The procedures and principles set out below must be followed at all times by the Firm, its employees and all those within its scope as set out below.

Why this policy exists

This Policy provides help and guidance to our staff and managers in:

Scope of the Policy

The Policy applies to all employees; fixed term contract employees; temporary employees; agency staff; and consultants and contractors who are provided with access to any of the Firm’s files and/or computer systems. Collectively these individuals are hereafter referred to as 'users'. All users have responsibility for complying with the terms of this Policy.

Data Protection Law

What is personal data?

The GDPR regulates how organisations must collect, handle and store personal data.  Personal data is any information relating to an identified or identifiable living individual. It is information which enables that person to be identified, directly or indirectly, and may include their name, address, telephone number(s), email address(es), age, location data, or online and biometric identifiers. We hold data relating to our employees, some of which is classed as sensitive personal data (also known as ‘special category data’) where, for example, it concerns a person’s health and medical status. We also hold a wide range of information about clients, including highly confidential personal financial data such as their individual tax information.

These rules apply to all data stored in any structured way, including both paper files and electronically.

What does the law say?

The Data Protection Principles

The GDPR contains a number of key principles which apply to the collection and processing of personal data and which underpin everything that follows.

Lawfulness, fairness and transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject

Purpose limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Data minimisation

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed


Personal data shall be accurate and, where necessary, kept up to date

Storage limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

Integrity and confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures


The controller shall be responsible for, and be able to demonstrate compliance with the GDPR

For the purposes of the law and these principles, a ‘data controller’ is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. In relation to the majority of our data, we are data controllers, although where we are responsible for eg looking after a client’s payroll, they are the data controller and we are ‘data processors’. A data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Our responsibilities as data processors are dealt with later in the Policy.

Key Responsibilities

Lawful, Fair and Transparent Data Processing

We are responsible as a Firm for ensuring that any personal data we hold is processed in accordance with the principles laid out above. We are permitted to process data where one of the following legal bases applies:

  1. the data subject has given their consent. An example might be where a client has agreed to be contacted about a new tax advice service we are providing
  2. the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering a contract with them. An example of this is where we need to retain and file personal information about our clients in order to finalise their accounts or tax affairs, or where a potential client gives us their personal data in order for us to be able to quote for advice that they need, and in order for them to decide whether to instruct us
  3. the processing is necessary for compliance with a legal obligation to which the data controller is subject. An example of this might be where we pass personal data to the relevant money laundering authorities in a situation where we have an obligation to do so
  4. the processing is necessary to protect the vital interests of the data subject or another natural person. An example of this might be where we pass on information to the next of kin of an employee who is gravely ill
  5. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This is usually used by public authorities carrying out vital functions such as provision of public utilities or public safety
  6. the processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party, except where those interests are overridden by the fundamental rights and freedoms of the data subject and their right to privacy in relation to their personal data. This is a difficult exception to generalise about, but it can be used by businesses where they have legitimate commercial aims which can override the data subjects’ interests. An example might be the chasing of a legitimate debt, investigating potential dishonesty of an employee, investigating a grievance about sexual or racial harassment. These legitimate aims may require some processing of personal data which may be justified in that context. Any user who wishes to use this basis would be advised to speak to the DPO to discuss it.

Sensitive Personal Data or ‘Special Category Data’

This data has a special status under the law, as it is particularly personal in nature. It concerns a person’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics used for identification purposes, health, sex life or sexual orientation. There are a number of strict rules about the processing of this kind of data, and the kinds of situations in which it is legitimate to process it, and usually the data controller needs the data subject’s explicit consent to do so or a clear legal basis. We will never disclose such data to any third party unless legally obliged to do so, and then only to appropriate authorities as required by law.

Other Personal Data

The Firm will adhere to the following principles:

  1. the Firm collects and processes the personal data set out in the table below; this includes:
    • personal data obtained directly from data subjects, and
    • personal data obtained from third parties
  2. the Firm only collects, processes and holds personal data for the specific purposes set out in the table below, or for other purposes expressly permitted by the GDPR
  3. we keep data subjects informed at all times of the purpose(s) for which the Firm processes their personal data
  4. where personal data will be disclosed to third parties, we will only do so where we are legally required to do so, eg to HMRC or to money laundering authorities, or where we have the data subjects’ free and informed consent to the disclosure
  5. we will only collect and process personal data for and to the extent necessary for those specified purpose(s)
  6. in respect of personal data that we collect and process, we will
    • keep it accurate and up to date
    • grant the data subject the right to rectify any inaccurate data in accordance with their right to do so
    • regularly check the data and ensure that all reasonable steps are taken to promptly rectify or delete any mistakes or inaccuracies as appropriate
    • not keep personal data any longer than is necessary bearing in mind the purpose(s) for which it was collected
    • take all reasonable steps to promptly delete or dispose of any data which is no longer required
    • adhere to our Retention Policy, which is available to all staff
    • take measures to ensure the security of the data in line with the measures set out below

Data Processing

We act as data processors for a number of clients (the data controllers), receiving personal data relating to their employees and processing it for the purpose of payment of salary, and appropriate deductions. We do not expect to receive any data which is sensitive personal data in relation to this. We will:

Accountability and Record Keeping

The Firm will keep written internal records of all personal data collection, holding and processing, and this will incorporate the following:

Privacy by Design – Data Impact Assessments

Part of the Firm’s duty is to ensure that in the planning of new processes or procedures which involve the use of personal data, we consider the impact of the changes and ensure that we have fully considered and complied with our obligations under the GDPR. The Firm will always ensure that all such changes are designed and implemented in accordance with the Regulation, and that the DPO is consulted and their recommendations are taken into account in the planning and introduction of such changes.

In any situation where new technologies are being deployed and the processing of the personal data is likely to result in a high risk to the data subjects’ rights and freedoms under the Regulation, we will carry out a Data Impact Assessment, overseen by the DPO. This will deal with:

Providing Information to Data Subjects

We are required to ensure that, when we collect and process personal data, the data subject is aware of the purposes for which this is being done, and what is happening to the data. We therefore will ensure that the following principles are followed:

Data Subject Access

‘Subject Access Requests’ (SARs) can be made by data subjects where an organisation holds personal data about them. This can be done at any time, and the requests are made in order for the data subject to find out what data is being held, and what is being done with it. Where a subject access request is being made to us as a payroll processor, we will refer the employee to the data controller (who is their employer or client) to deal with the request.

Rectification of Personal Data

Where a data subject informs us that data we are holding about them is inaccurate or incomplete and requests that it is corrected, we will rectify the information and inform the data subject that we have done so, within one month of the request. Again, in complex cases, we may extend that period by up to two months.

Where the incorrect data is held by third parties to whom it has been disclosed, we will ensure that they are informed and that the data that they hold is rectified.

Erasure of Personal Data

Data subjects have a right to require the Firm to erase personal data held about them when:

Where we are obliged to do so, we will erase the information and inform the data subject that we have done so, within one month of the request. Again, in complex cases, we may extend that period by up to two months, and again where the data is held by third parties to whom it has been disclosed, we will ensure that they are informed and that the data that they hold is erased.

Restriction of Personal Data Processing

Data Subjects have a right to request that the Firm ceases to process any personal data that we are holding about them. If that takes place, we will only retain whatever personal data we need to ensure that no further processing takes place, and we will inform any third parties to whom we have disclosed the data about the restriction on processing (unless it is impossible to do so or would involve disproportionate effort).

Objections to Personal Data Processing

Data subjects have a right to object to us processing their personal data based on our legitimate interests or for direct marketing purposes. Where the data subject notifies us of their objection, we will cease such processing immediately unless our legitimate interests override those of the data subject, or unless we need to continue to process the data in conducting a legal claim. Where the data subject is objecting to direct marketing, we will cease to use the data for this purpose immediately. 

Personal Data, Collected, Held and Processed

Reference Number

Type of Data



Personal details of employees, such as names, addresses, contact details, age, sex etc

The administration of employment contracts


Personal details of clients, such as names, addresses, contact details, age, sex etc

To provide accountancy and related services to clients, in particular for the administration of their tax and personal financial affairs and to comply with both their and our legal obligations including in relation to tax and money laundering. 

To market our services to clients, in accordance with the GDPR


Education and Training details of our prospective employees, employees and contractors

Collected in the course of recruitment with a view to selection, and maintained to track their career progression


Financial Details of employees and contractors ie matters related to income and payroll, tax details, expenses claimed, court orders, pensions, insurance

Collected and maintained in order to ensure timely and accurate payment of staff, and proper accounting for tax purposes


Time recording of work for clients

To provide services to our clients and bill for them, to monitor performance of our employees


Data Security – Transferring Personal Data and Communications

We will ensure that we take the following measures with respect to all communications containing personal data:

Data Storage and General Security

Access to Personal Data

In relation to accessing personal data:

Organisational Measures

The Firm will take the following steps in relation to the collection, holding and processing of personal data:

Data Breach Notification

All personal data breaches must be reported immediately to the DPO.

If such a breach occurs, and it is likely to result in a risk to the rights and freedoms of data subjects eg financial loss, breach of confidentiality, reputational damage, the DPO is required to ensure that the ICO is informed without delay and, in any event, within 72 hours of the breach.

Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the DPO also needs to ensure that the data subjects affected by the breach are informed directly and without undue delay. The following information must be provided:

Implementation of the Policy

This Policy is effective as of 25 May 2018. No part of the Policy is retrospective in effect; it applies only to matters occurring on or after 25th May 2018.

Address 100 High Street, Whitstable, Kent CT5 1AZ

Telephone Number 01227 773086
