Our Commitment to You
We guarantee that your financial data is managed with the highest standards of security, confidentiality, and compliance, giving you complete peace of mind.
1. Governance & Regulatory Framework
This policy defines how Rowville Consulting protects the confidentiality, integrity, and availability of client data. It applies to all employees, contractors, and third parties processing data on our behalf.
1.1 Primary Regulatory Alignment
Our operations are structured to comply with the data protection frameworks of our primary client jurisdictions:
| Jurisdiction | Key Legislation | Our Status |
|---|---|---|
| United Kingdom | UK GDPR, Data Protection Act 2018 | Full Compliance |
| Ireland | GDPR, Data Protection Act 2018 | Full Compliance |
| Botswana (Service Delivery) | Data Protection Act 2018 | Full Compliance |
1.2 International Data Transfers
Client data is processed in Botswana under robust legal safeguards:
- Standard Contractual Clauses (SCCs): All client engagements include EU/UK SCCs as part of our Data Processing Agreement (DPA).
- Adequacy Decision: We leverage the UK's adequacy decision for Botswana, facilitating lawful data transfer.
- Supplemental Measures: Transfers are reinforced by technical measures like encryption and strict organisational controls.
2. Core Security Principles & Controls
Our security program is built on recognized standards (ISO 27001) and follows a defence-in-depth strategy.
2.1 Data Protection by Design & Default
- Minimisation: We only collect and process data essential for delivering our contracted accounting services.
- Encryption: All sensitive client data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Access Control: Access is strictly role-based, and multi-factor authentication (MFA) is mandatory for all systems.
2.2 Technical & Organisational Measures
- Secure Infrastructure: Use of reputable, enterprise-grade cloud platforms with independent certifications.
- Endpoint Security: Company-managed devices with enforced disk encryption, antivirus, and security policies.
- Secure Development: Internal applications follow secure coding practices and undergo review.
- Training & Awareness: Mandatory annual security and data protection training for all staff.
3. Data Handling, Retention & Your Rights
3.1 The Data We Process
As your finance partner, we may process company financial records, management accounts, payroll data, tax information, and employee details (as necessary for reporting). We act as a Data Processor under your instructions for this data.
3.2 Data Retention
We retain client data only as long as necessary for the service, to meet statutory obligations (e.g., HMRC/Revenue requirements), or as specified in our contract. Secure deletion is performed thereafter.
3.3 Upholding Your Data Subject Rights
We fully support your rights under GDPR. Requests concerning data we process on your behalf (Right to Access, Erasure, etc.) will be handled promptly and in coordination with you, the Data Controller.
4. Incident Response & Breach Notification
We have a formal incident response plan to identify, contain, and resolve security events.
- Detection & Response: 24/7 monitoring with defined response procedures.
- Assessment: Immediate investigation to determine impact and scope.
- Notification: We will notify affected clients without undue delay if a breach poses a risk to their rights and freedoms, in line with statutory timelines (72 hours to regulators where required).
- Remediation: Action taken to prevent recurrence.
5. Audit, Review & Continuous Improvement
This policy is not static. It is reviewed annually or following significant regulatory changes.
- Internal Audits: Regular reviews of controls and compliance.
- Third-Party Reviews: Willingness to participate in client-led security assessments (subject to agreement).
- Policy Updates: Clients will be informed of material changes to this policy.
Request Our Full Data Processing Agreement
For a complete view of our contractual commitments, technical measures, and third-party sub-processors, please request our formal Data Processing Agreement (DPA).
Data Protection Officer: dpo@rowvilleconsulting.co.bw