Data Protection Policy

1. Purpose

a) The purpose of this policy is to outline the company procedures on handling personal data. 

b) In order to abide by GDPR and the Data Protection Act, we have strict processes in place in which we expect all employees to abide by. 

c) We also expect any contractors, consultants or anyone affiliated or working on behalf of the firm to abide by this policy.

d) We take our regulatory responsibilities very seriously, and all staff and parties we work with should be aware of their responsibilities and duty of care under this policy.

2. Regulation

a) In order to work with personal data, we are required to be registered with the Information Commissioner's Office (‘ICO’). Our registered number is ZA772794.

b) It is the responsibility of Senior Management to ensure that our ICO details are accurate, maintained and up to date.

c) As a company we will ensure we keep up to date with any regulation changes and updates, making any changes or updates to our process to reflect any changes. 

d) There are some key words and definitions we feel it is important for you to be aware of to fully understand this policy, we have listed these below.

e) If at anytime there are parts or terms within this policy you do not understand, please consult Amarah.

Personal DataInformation that relates to an identified or identifiable individual. If it is possible to identify an individual directly from the information you are processing, then that information may be personal data
Sensitive DataSensitive data is a specific set of “special categories” that must be treated with extra security. Examples of these categories are:
Racial or ethnic origin;
Political opinions;
Religious or philosophical beliefs

ControllerA controller determines the purposes and means of processing personal data
ProcessorA processor is responsible for processing personal data on behalf of a controller
GDPRGeneral Data Protection Regulation

3. What information do we need and/or collect?

a) For the purpose of obtaining a consumer a potential finance acceptance, we will collect the following personal data:

  • Name
  • DOB
  • Address and residential status
  • Marital status
  • Employment status and details
  • Income
  • Licence type
  • Bank details
  • Marketing preferences
  • IP information

b) We will not request sensitive data, or any additional personal information that is not required.

c) Personal data can be processed and controlled, we act as a Data Controller, and if we receive an application from an introducer, we can act as a Joint Controller. 

4. Principles

a) GDPR sets out 7 principles, which define the obligations of the firm as a registered data user of personal data. Article 5(1) sets out that data shall be: -

  • processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Article 5(2) adds that:

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

5. Data Protection Rights 

a) Under Data Protection Law, individuals have certain rights when it comes to their data. We have detailed these rights below. 

Right to access 

- You have the right to request copies of the personal information we hold about you at any time.  

Right to rectification 

- You have the right to request that we correct any inaccurate personal information we hold about you.  

Right to erasure  

- You have the right to request that we delete your personal information from our records.  

Right to restrict processing  

- You have the right to request that we restrict how we use your personal information.  

Right to object  

- You have the right to object to the collection and use of your personal information at any time.  

Right to data portability  

- You have the right to obtain a copy of your personal information in a legible and compatible. 

format such as Excel or Word.  

Right to be informed 

- You have the right to be fully informed regarding your information throughout our whole journey. 

Rights in relation to automated decision making and profiling.

- If a decision has been made electronically, you have the right to contest this decision. 

b) In the event a customer makes a request to exercise one of these rights, please refer this to a Senior Manager. 

c) We will firstly, verify the customer's identity and then assess if we are able to fully action the request. 

d) Whilst individuals have these rights, it's important that we are complying with all laws and regulations, therefore in some circumstances, we may not be able to fully comply or complete such a request. 

e) In these instances, this will be fully explained to the customer in writing. 

f) The individual responsible for overseeing data rights requests is Amarah.

g) As an employee, if you wish to exercise your rights, you will need to put this request in writing to HR and/or your line manager. 

6. Internal Process and Responsibility 

a) Training

  • All employees will receive training on initial induction, and at least annually to cover GDPR and our responsibilities to our customers as a company.
  • If at any time an employee feels they require further training, this will be arranged as soon as possible. 
  • Should we make any changes within the business, we will go over this with staff in a training/team environment to explain these changes. 

b) Subject Access Request (‘SAR’)

  • It is important that ‘SAR’ are recognised and dealt with quickly.
  • A ‘SAR’ may be as simple as a letter from one of the firm’s customers asking what information we hold about them or a phone call requesting this information. 
  • If a request is received the enquirer must be sent:
  • A copy of the information held on them, this includes both computer and relevant written paper records.
  • A description provided as to why that information is processed.
  • Anyone it may be seen by or passed to.
  • The logic involved in any automated decisions.
  • ‘SAR’s will be dealt with by Amarah, they will be responsible for managing subject access requests. 
  • Before any request is actioned, Amarah, should verify the identity of the person making the request. This must be done over the phone so we can verify security with the customer before actioning such a request.
  • If it is determined relevant, proof of ID may be requested such as but not limited to – In date Driving Licence or Passport, Proof of address within the last 60 days.
  • A ‘SAR’ must be dealt with within 28 days from the date of receipt. If further time is needed, should the request be potentially deemed excessive, we will make the individual aware how long this request would take. In the event information contains details of another individual, information may be refused or redacted.
  • All information sent in response to a ‘SAR’ should be easy to understand and therefore the sending of computer printouts may not be acceptable without a covering explanation on codes used. All information will be sent in the most protected format, this may depend on each individual circumstance. 
  • We will not charge a fee for a ‘SAR’ unless the request is deemed excessive and will take up a large proportion of an employee's time.

c) System Security

1. IT Equipment

  • All systems should be locked if you need to step away from your desk, and completely shut down at the end of the day.
  • All our technology is fitted with firewall and antivirus software, this is tested on a regular basis to ensure full protection.
  • No documentation should be stored on your individual hard drive, this must be saved to our systems or internal drives. 
  • You must delete any documentation kept on your hard drive daily.
  • Emails will be deleted after a certain time period, so no information is kept via email. 
  • This may differ for certain members of the management team for record keeping purposes.

2. Passwords

  • Passwords should be changed on a regular basis, and if you believe someone knows your password, it needs to be changed immediately. 
  • Any passwords created must be classed as ‘strong, meaning they must include uppercase, lowercase, numbers and special characters. 
  • You must not disclose your password to any party. 
  • In the event a member of staff leaves the company, all system passwords or office codes need to be changed.

3. Systems 

  • Internal systems are strongly encrypted through the programme protection. 
  • We use Autoconvert to hold, process and secure our customer data.
  • We use this system to communicate with all customers to ensure the most secure line of communication. 
  • For internal storage of company information or documentation, we use Google. We have chosen this method as we believe that this is the best system for us with its security and encryption process. 

d) Office Security

  • Access to business areas is restricted, do not let anyone in the office area without first confirming who they are, their purpose for visiting and who they are here to see.
  • When leaving the office premises ensuring that everything is locked, and the office is fully secured.
  • To ensure protection, we have locks on all doors and any cabinets containing information are locked with only Senior Management having access.

e) Physical Information

  • No staff member is permitted to take physical information off site. 
  • All documentation containing customer information must be disposed of in confidential waste at the end of each day. 
  • This includes any print outs or any noted information you may have made. 
  • Any documentation you need to keep either needs to be locked away securely or scanned onto our electronic systems and disposed of. 

f) Phone Security

  • Before divulging customer information, you must confirm adequate data protection in the form of a customer’s name, date of birth and postcode.
  • Should you have any reason to suspect that the customer is not who they say they are after further questioning, you must terminate the call and close down the application.
  • All calls are recorded for training and compliance purposes, before a customer is put through it advises the customer that it will be recorded. If you are making an outgoing call, you must make your customer aware of this. 
  • Never repeat customer information to them, as this may be heard by someone on another call or a visitor on site.
  • Without consent from the customer, you are unable to discuss the application with another individual e.g spouse. You must ensure you have permission from the customer before doing so and this is noted on the system. 
  • You must always confirm a customer's identity via phone call before communicating any personal information or information relating to their application in any other method, for example but not limited to text, whatsapp, messenger or email. 
  • Please note where possible all communication is recommended to be done via phone call so you can confirm identity.
  •  All quotes must be confirmed via call.

g) Mobile Phones

  • Mobile phones are not permitted within the office, should you need to use your personal phone, you need to take it outside of the office. 
  • You are not permitted to use a personal mobile phone for work use and should not access any systems, emails etc. through this. 

h) Personal IT

  • Customer data cannot be taken off site by staff, salespeople, suppliers, IT consultants or contractors where laptops and other devices (USB sticks, CDs, hard disks etc.) are not encrypted.
  • No member of the team is permitted to use their own IT equipment or hold information on personal IT equipment i.e emails on personal mobiles without prior written approval from a director.

i) Confidentiality

  • No member of staff is permitted to discuss any company, consumer or employee information whether inside or outside the company, that is not relevant or productive to a consumer’s application.
  • Information is to be kept confidential at all times, even when or if employment with our firm has ended. 
  • All contractors or third parties we work with must have confidentiality terms in place to protect the information we hold. 
  • You must follow all data protection processes set out within this policy to ensure confidentiality at all times. 
  • Employee information will not be shared outside of the firm unless we are required to do so for legal reasons. For example (but not limited to) the Financial Conduct Authority, The Information Commissioners Office, HMRC, Accountants etc. 

j) Consent

  • Credit searches on an individual must not be conducted without the consent of that individual. 
  • The firm’s policy is to obtain this consent in writing, normally as part of the application process, however, verbal consent of the customer will be considered in certain circumstances (e.g gaining consent once an application has expired). 
  • Staff should contact senior management or compliance if they are unsure if adequate consents have been obtained.
  • It is essential that we gain consent for the lawful basis we are going to process the consumers information. 
  • In the event an application has expired, consent must be regained. 
  • Any joint applicant or guarantor must provide their explicit consent before going on the application. 
  • If a customer retracts or withdraws their consent, this must be noted, lenders updated and where possible an application completely paused until we can manage further actions. If at any point you are unsure on the steps to take, consult Amarah.

k) Credit Reference Agencies

  • Should a customer wish to know information regarding their credit profile, we are unable to divulge information. 
  • There are two major credit reference agencies in the UK at present, Experian and Equifax. Their main purpose is to supply factual information to providers of financial services in order to establish peoples credit histories.
  • Customers have a legal right to have access to the data held by credit reference agencies. Customers also have a right to request that the agency remove/amend incorrect data. 
  • Customers can write to the agency to obtain a copy of their credit file.
  • Equifax Europe UK Limited
    PO Box 3001
    GS1 2DT
  • Experian Plc.
    PO Box 8000 
    NG1 5GX


l) Marketing

  • To comply with the requirements of the Data Protection Act all customers both new and existing have to be given the right to opt out from receiving advertising and marketing material from the firm.
  • Likewise, customers have to be informed if the firm intends to pass information to a third party for marketing purposes.
  • Customer’s personal data is collected on application forms and the election for customers not to receive marketing material is covered through the inclusion of an ‘opt-out’ box. 
  • We will ensure no consumer is automatically ‘opted in’ for marketing.

m) Retention

  • We will never keep information for longer than is necessary, and we will store consumer data for 7 years. 
  • Once this retention period is over, we will dispose of all information confidentially. 
  • Our systems are programmed to remove this information after such period however this is consistently checked by Senior Management to ensure compliance. 
  • The purpose of us storing data this long is for record keeping.
  • The below lists the term of which we will store and retain all data. 

Employee Data7 years after they have left the firm
Interview Candidates DataTBC
Customer Data6 years on our CRM
7 years for accounting purposes
Customer Enquiries (not full applications)1 year

n) Privacy Impact Assessments (PIA)

1) When required, due to a change in our business that concerns our data, we will carry out a PIA.

2) This will be documented and saved internally showing our findings.

3) These findings may show highlighted areas of risk that we need to resolve, or that the change can proceed as planned.

4) A PIA must be done in advance of the change in order to evaluate and prepare for any risks. 

5) A PIA must contain - 

  • at least a general description of the processing operations and the purposes;
  • an assessment of the risks to the rights and freedoms of individuals;
  • the measures envisaged to address those risks;
  • the safeguards, security measures and mechanisms in place to ensure we protect the personal data; and
  • a demonstration of how we are complying with GDPR, taking into account the rights and legitimate interests of the data subjects and any other people concerned.

6) In the event a PIA highlights high risk which we are unable to resolve, Amarah must inform the ICO in writing to resolve, before action is taken.

7. Data Protection Office (DPO)

  • Due to the size of the firm, at this time we have not appointed a DPO.
  • As a Director, Amarah is responsible for the overall management and oversight of the firm.
  • They are responsible for enforcing the responsibilities and actions listed within this policy.
  • This will be regularly reviewed as we grow.

Monitoring and Compliance

  • In the event the company breaches this policy, or any regulation set out by the ICO, this must be reported immediately. 
  • Both the customer and the ICO must be made aware within 72 hours and kept up to date of any investigations or changes following the breach. 
  • Breaches will be recorded on our compliance monitoring plan and used for management information.

Processes and procedures will be regularly assessed to ensure compliance with guidelines and law.

  • Directors are responsible for ensuring the above process is followed. 


  • This policy will be reviewed on at least an annual basis. 
  • Any updates will be reissued to our team, along with any training to ensure they fully understand the changes that have been made.
  • Directors are responsible for approving this policy and process. 


  • By signing the below, you can confirm that you have fully read and understood the above policy, received adequate training on the subject and provided the opportunity to ask any questions.
  • Breaching the responsibilities in this policy may result in legal or disciplinary action, therefore you can confirm you will carry out the above duties in a compliant manner and in line with company policy.


Signed:                                Date: