Wider Plan GDPR readiness statement for employers

Wider Plan’s employee benefit products are administered jointly between Wider Plan and the employer. We consider that Wider Plan and the employer operate as joint data controllers.

In some cases, employers provide Wider Plan with data relating to their employees. In other cases, Wider Plan obtains this information directly from employees during registration. In all cases, use of our services is governed by a contract between the employer and Wider Plan, along with a separate agreement between Wider Plan and each employee. As part of our approach to GDPR readiness, we are reviewing all such agreements.

Wider Plan’s relationship with employees often outlives both the employee’s contract with their employer and the employer’s contract with Wider Plan. We consider that the employer ceases to be a joint data controller once any data processing relating to the termination of either of these contracts has been completed. For example, an employee who has left their employment continues to be eligible to spend any childcare vouchers which remain under Wider Plan’s administration. Wider Plan acts as sole data controller in respect of this ongoing processing.

Most of our schemes involve aspects of employee data being shared between Wider Plan and the employer, for example to confirm eligibility and to enable payroll processing. Employers have a responsibility to treat their employees’ data with appropriate care, including ensuring that any data which they pass to Wider Plan is transmitted securely.

The nature of our employee benefit products is detailed in our client contracts. Within this overall framework, day-to-day decisions about the necessity and nature of data processing are the responsibility of Wider Plan. Data is sometimes processed on the specific request of a client. However, it is more commonly processed based on our own decisions as to the optimal way of providing our services.

Wider Plan is currently registered under the Data Protection Act and we take our responsibility for data security seriously. We have been planning for GDPR for some time and continue to allocate resource to ensure all appropriate steps are taken to protect and govern the data we hold within the Wider Plan family of products.

Access to data

The vast majority of the data held in respect of each individual is available for them to view at any time through their own secure online account. However, individuals wishing to exercise their right to access their personal data may contact our Data Protection Officer.

We will conform to the GDPR and provide a full copy of the records that we hold in respect of each individual to them on request. All proportionate requests will be fulfilled free of charge and without delay.

Where a subject access request is received in respect of data for which we are acting as a joint data controller, we will take primary responsibility for managing the request. We will advise the relevant employer promptly in order that a response can be coordinated. Where employers receive a subject access request in respect of any of our services, we request that it is forwarded to our DPO in order that we may take responsibility for the response.

Corrections to data

We make every effort to ensure our data remains accurate. Our standard processing involves regular contact with scheme users, with ample opportunity for users to inform us of any changes or errors.

Erasure and the Right To Be Forgotten (RTBF)

Our policy is to keep full records in respect of a scheme for as long as the scheme is in existence and for at least 6 years after the scheme ceases to exist, in order to answer any queries from HMRC. After this period we will only keep such records as we consider necessary for business analysis, and these would normally be anonymised. Any confidential papers are securely disposed of when they are no longer needed.

Security and storage of personal data

Wider Plan has comprehensive IT, data and physical security arrangements in place, to provide assurance to all our customers.

All our data is held securely within the EU and appropriate back-up procedures are in place.

Our staff are subject to security screening and are trained in the importance of ensuring data is used correctly and not divulged to third parties. We expect any member of staff who has any concerns about data protection to immediately raise the issue with their manager.

In the event of a suspected data breach the DPO must be informed immediately and the data breach investigation process will be triggered. Any clients and individuals affected by a data breach will be notified as appropriate.

Lawfulness of processing

In accordance with the GDPR, Wider Plan will process all personal data lawfully, fairly and in a transparent manner.

Information collected in respect of individuals will vary depending on the service being used. Under no circumstances will Wider Plan collect special category data.

We are reviewing our terms and conditions to ensure they make it clear exactly what data we are collecting and processing and for what purpose.

The majority of our data processing relates to the fulfilment of employee benefit schemes in line with contractual requirements, which is recognised as a lawful basis for processing data. This includes contacting customers to keep them informed of any relevant updates or changes in the service.

Data is also processed in order to produce statistics, insights and financial analyses necessary for good business management, in line with legitimate business interests.

Some of our employee benefit services are used by employers with the specific intention of providing employees with access to discounts and promotions. Where employees register for these services, we will process their data and provide them with promotions in line with our agreement with the employer. Employees can easily opt out of receiving promotions.

Where we would like to contact individuals for any other promotional activity, we will gain a positive opt-in and we will make it easy for recipients to withdraw consent at any time. Wider Plan does not routinely share personal data with any third party; where this is necessary to fulfil a service, this will be made transparent.

How to obtain more information

To help provide you with assurance and accountability of compliance, we have a designated data protection officer (DPO) who can be contacted at info@widerplan.com.

We hope this statement is helpful in assuring you of our approach to GDPR compliance. Wider Plan works with thousands of employers, some of which have asked us to respond to their own GDPR questionnaires. It is not feasible for us to absorb the cost of this additional work within our standard charges, but we are willing to respond to questionnaires subject to agreeing a fee to cover our costs. Please email info@widerplan.com with any requests.