Page 19 - PegasusLife and Renaissance Retirement Proposal

e. Does your company have a Privacy Policy? Please provide a copy.
Yes, see Appendix H - Mainstay Privacy Policy.

f. How do you ensure full GDPR compliance with law and best practices across all assets within your portfolio?
Mainstay are fully GDPR compliant and registered under the Data Protection Act, Registration number Z5319196. We have a dedicated Data Protection Officer in place to ensure we continually comply. There have been no investigations in this area. Our data systems, disaster recovery and back up plans conform to the requirements of the Data Protection Acts. In line with the new GDPR regulations we have completed the following:
• Trained all members of staff in Data Protection and the requirements of GDPR
• Updated our Privacy Notice in line with GDPR requirements and published to customers and employees
• Notified all contractors and suppliers of the changes
• Notified all Residents’ Management Companies asking if they wanted to be a Data Controller or Processor
• Action Subject Access Requests, creating a place to store and manage
• Ensure we notify the ICO of any breaches in under 72 hours, fill out paperwork and keep accurate records
• Sign agreements from Freeholders and Developers as appropriate
• Maintain accurate audit records and conduct ongoing audits every 6 months
• Data Protection Impact Assessment (DPIA) to be conducted on each potential project
• All sites have had a site audit to ensure no Personal Data is on display
• Encryption has been rolled out to laptop users
• DPO appointed
• Registered with the ICO

Resident’s information is held on our servers. This is linked to the portal which every customer can use. To ensure robust protection protocols we have implemented:
• New firewalls which are updated with the latest firmware as and when released
• Secure websites for Mainstay homepage and portal
• New website with up-to-date security configuration
• Company-wide cloud based Sophos Endpoint security and anti-virus
• 2 x penetration tests completed annually
• Staff trained on how to treat personal data
• Staff have access restricted to the data they need to work on only
• In house expertise on data protection
• Identity and security checks on accounts conducted before engaging
• Encryption on remote laptops
• Citrix gateway for remote and site based workers

g. Does your company have an anti-bribery & corruption policy? Please provide a copy.
Yes, see Appendix H - Code of Conduct & Anti Bribery.

h. Please provide any other policies that the company have in place addressing activities which could give rise to criminal investigation/sanction (e.g. money laundering).
We are currently working towards the RICS professional standards and guidance in regards to a countering bribery and corruption, money laundering and terrorist financing policy.












































































