General Data Protection Regulation (GDPR)

How Mattioli Woods is supporting clients with the General Data Protection Regulation

At Mattioli Woods we place great importance on protecting client data. We are therefore committed to implementing rigorous processes and procedures that are not only compliant with the new regulations, but go above and beyond them so that good management practices are embedded at every stage of our engagement with you. We strive to protect the personal and sensitive/special-category data you trust us to hold.

From 25 May, the UK Data Protection Act 1998 will be repealed and replaced with the EU General Data Protection Regulation (GDPR), and further supported by a new Data Protection Act. At Mattioli Woods we are already working to ensure that:

  • the principles surrounding GDPR are fully embedded into our business policies, processes and procedures

  • our staff are trained and competent to handle data covered by GDPR

  • we have assurance controls in place – such as self, internal and third-party independent audits – not only to assure our existing protocols but also to identify areas of continuous improvement

We want to share with you some of the GDPR activities taking place at Mattioli Woods, which we hope will give you confidence in the progress we are making.

How Mattioli Woods is managing the GDPR changes

Mattioli Woods has a dedicated project team representing the key areas of our business handling personal and sensitive/special category data. This team is working to ensure our systems, controls, procedures and documents meet GDPR requirements, and has the full support of the executive board, meaning progress is regularly reviewed at senior level.

To lead this team we have employed a highly experienced information manager to undertake the role of data protection officer (DPO), who has the responsibility of driving and co-ordinating our commitment to exceeding the requirements of the regulation. The DPO is also responsible for advising the business and our employees about their obligations to comply with the GDPR and associated data protection and privacy laws. This includes:

  • managing internal data protection activities

  • advising on data protection impact assessments

  • training staff and advising on internal audits

  • being the first point of contact for supervisory authorities and individuals whose data is processed

The information manager is committed towards a culture of “privacy by design”.

How GDPR will impact upon the data Mattioli Woods processes

A key part of our project work has been identifying personal and sensitive/special category data, where it is held and the lawful basis for holding it, alongside any consent obtained for us to process it. This activity ensures we know exactly what information we hold and the parameters of our legal basis for processing it.

Coupled with this, we are building data protection impact assessments into our processes while creating clarity around data owners in the business. We also recognise that, to provide our agreed services and depending on our relationship with clients, we may need to liaise directly with clients regarding personal and sensitive/special-category data.

How Mattioli Woods will ensure the protection of personal data

Mattioli Woods takes a multi-layered approach to cyber security, using a blend of dedicated security hardware, monitoring software, strict policies, anti-spam solutions, anti-virus solutions, role-based access controls and user education to create a secure environment. This is supported by robust user policies and procedures, and by penetration testing to assure the strength of our defences against fraudulent activity or cyberattack.

Will Mattioli Woods share client data with any third parties?

The company will only share data with a third party if it is absolutely necessary in respect of the products and/or services clients have agreed with us, or if there is a legal obligation for us to do so. Where it is necessary for data to be passed to third-party providers, we will have an agreement in place with each of these parties covering a) the contract of services and b) an assurance that data is not shared further without GDPR obligations being adhered to. We will ensure any data passed on is transferred securely and limited to what is necessary.

How Mattioli Woods staff are being trained on the company’s GDPR responsibilities

Our training programme began in September through a series of initiatives. First off, key staff undertook the recognised EU GDPR Foundation Course, followed by a more in-depth practitioners’ course, both of which are fully certified, and tested through an exam. In addition, we have an online GDPR training programme containing modules that will form part of our annual “ethics” suite of training.

Further developing our guidance

Mattioli Woods will be monitoring both the Information Commissioner’s Office and the working party advising the EU on GDPR for updates to ensure our own project is working towards the latest guidance. Any further development of revised client agreement wording will be progressed in line with official guidance as it becomes available.

In addition, Mattioli Woods is redeveloping its privacy notices to provide clients with a clear understanding of the transparent way we process personal information. Should you wish to enquire about further information or clarification while this work is ongoing, please contact our information manager at:

Information Manager
Business Operations
Mattioli Woods plc
1 New Walk Place

A word from our clients...

"The technical knowledge is excellent; I have never asked a question they did not immediately know the answer to."

- Peter Waterfield ACII APFS, P W Financial Management Limited

"I would like to thank you for the excellent service you have provided over the last few years."

"We are extremely impressed with your organisation and have been absolutely delighted with the way you have looked after us."

"As always, you’re ahead of the game. Thank you for your efficiency and professionalism!"

"With Mattioli Woods we achieved more in one meeting than we did in three years with a previous provider."