Lynam & Co: Data Protection Policy
Effective Date: 25 April 2025
Review Date: 25 April 2026
1. Policy Statement
Lynam & Co is committed to protecting the privacy and security of personal data. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
We collect, use, store, and dispose of personal data lawfully, fairly, and transparently. This policy outlines our responsibilities and the rights of individuals whose data we process.
2. Scope
This policy applies to:
- All staff, subcontractors, and partners of Lynam & Co;
- All personal data processed by or on behalf of the firm;
- All business functions, including accounting, payroll, and marketing.
3. Data Protection Principles
We adhere to the seven key principles of data protection:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
4. Lawful Bases for Processing
We process personal data under one or more of the following lawful bases:
- Contract: Processing is necessary for the performance of a service contract with the client.
- Legal obligation: e.g. AML requirements or tax compliance.
- Legitimate interests: e.g. client communications, improving services.
- Consent: Used only where required and freely given (e.g. for newsletters).
5. Types of Personal Data Collected
Examples include:
- Names, addresses, contact details;
- National Insurance numbers, UTRs;
- Financial and banking information;
- Employment and income records;
- Identification documents for AML purposes.
We do not collect special category data unless absolutely necessary (e.g. for payroll compliance) and with appropriate safeguards.
6. Data Subject Rights
Individuals have the right to:
- Be informed about data collection;
- Access their personal data;
- Correct inaccurate data;
- Erase their data (subject to legal exceptions);
- Restrict or object to processing;
- Data portability;
- Withdraw consent (where relevant);
- Complain to the ICO.
We will respond to data subject requests within one calendar month.
7. Data Retention and Disposal
We retain personal data only as long as necessary to fulfil our legal and operational obligations:
- Accounting and tax records: 6 years minimum
- AML records: 5 years from end of client relationship
- Payroll records: 3–6 years depending on type
Data is securely destroyed or deleted when no longer required.
8. Security and Access Control
We implement appropriate technical and organisational measures:
- Encrypted cloud storage and client portals
- Strong passwords and MFA
- Secure email systems (e.g. encrypted or portal-based)
- Access on a need-to-know basis only
- Regular backups and anti-malware protection
Staff are trained in data handling and confidentiality.
9. Data Breaches
We maintain a data breach response procedure. If a breach occurs:
- It will be assessed immediately;
- The ICO will be notified within 72 hours if there is a risk to individuals;
- Affected individuals will be informed where required;
- Records of all breaches (even minor ones) will be kept.
10. Third Parties and Data Sharing
Lynam & Co may share personal data with trusted third parties where necessary to deliver our services, meet legal obligations, or protect our legitimate interests. This includes, but is not limited to:
- Cloud-based software providers, such as:
  - Xero, QuickBooks, etc. (accounting software)
  - BrightPay (payroll software)
  - Practice management systems (e.g., Pixie, AccountancyManager)
- HMRC, Companies House, and other statutory bodies for filing and compliance purposes;
- Pension providers and banks where payroll services are provided;
- Legal or regulatory authorities, such as the AAT (AML supervisor), HMRC (MLR supervision), or the ICO, if required by law;
- ID verification platforms used for AML and Know Your Client (KYC) checks (e.g., Verify365, Credas, or similar), which securely process and verify identity documents and personal information in compliance with GDPR and AML regulations;
- Secure email and file-sharing platforms, which may process data solely for communication and storage purposes.
All third parties are subject to GDPR-compliant contracts, including data processing agreements (DPAs) where required, to ensure that personal data is:
- Processed only for the agreed purpose;
- Protected with appropriate technical and organisational safeguards;
- Not transferred outside the UK or EEA unless appropriate safeguards are in place (e.g. adequacy decision or standard contractual clauses).
Lynam & Co does not sell or share personal data for marketing purposes. We will only disclose personal data to a third party where a legal basis exists and where doing so is in line with this policy.
11. Data Protection Officer (DPO)
Lynam & Co is not required to appoint a formal DPO, but the principal is responsible for data protection compliance:
Name: Bradley Lynam
Email: bradley@lynamandco.com
12. Policy Review
This policy is reviewed annually or in response to changes in data protection law or firm operations.
Signed:
Bradley Lynam
Sole Practitioner, Lynam & Co
Date: 25 April 2025