Data privacy & IT security
Privacy Notices are published in clear language in a form that is open and honest about the nature, uses and retention of personal data. Those notices also provide data subjects with the information they need to exercise any of their statutory rights. Each business unit in the Quilter group of companies employs a dedicated data protection team managed by a specialist “Data Guardian” (under the guidance of the GDPO) exercising operational procedures to deliver data subjects’ rights and investigate personal data related incidents and breaches, should they occur.
Our information management framework includes robust processes and controls to govern the way we look after customer and colleague information. Our Information Management Policy and our Information Security policy, along with a numerous more detailed standards and our Code of Conduct set out how we protect and manage data and how we proactively and continually manage the cyber security risks that exist as part of doing business today. Where appropriate we require these controls and standards to be adopted and applied by outsourced services providers, contractors and suppliers, and is central to the terms of our agreement with them.
Despite having numerous IT security, physical and environmental controls in place we recognise that the cyber risks are constantly evolving and it is therefore not to possible to reduce the risk of breaches to zero. Where breaches do occur we believe the resulting impacts can be reduced through effective incident response plans which we have developed and are tested.
The Board IT Committee, chaired by independent non-executive director, Moira Kilcoyne, oversees Quilter’s IT strategy, including our approach to information and data security. At an executive management level the Group Chief Operating Office is responsible for IT strategy and is supported by the Chief Information Security Officer (CISO) and team, with input also from the GDPO and Data Guardians embedded in our operating businesses.
All colleagues and full time contractors are required to complete mandatory annual training to ensure they understand what is required of them with respect to data privacy and IT security.