Data Protection Policy

Version 2.0, issued 23/09/2023

This document forms the Data Protection policy of Croftech Ltd and sets out the standards to be met regarding the processing of personal data in accordance with data protection law, including the UK GDPR and Data Protection Act 2018. This policy applies to all personal data processed by Croftech Ltd within England and Wales.

2. Scope

  1. Croftech Ltd
    • Incorporated and registered in England and Wales with company number 13093853
    • Registered address is at 20-22 Wenlock Road, London, England, N1 7GU
    • (“the Data Controller”)

Data Protection Principles

  1. Background

(A) This policy is drafted pursuant to the requirements of data protection laws in England and Wales, including the UK General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”) and Data Protection Act 2018 (together “Data Protection Laws”). These laws regulate the processing of personal data.

(B) Croftech Ltd engages in ERP Support and Development Services. In the course of these activities, Croftech Ltd collects, stores, and processes the following categories of personal data:

  • Identity Data includes first name, last name, username or similar identifier, marital status, title, date of birth and gender.
  • Contact Data includes billing address, delivery address, e-mail address and telephone numbers.
  • Financial Data includes bank account and payment card details.
  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Profile Data includes your username and password (if applicable), purchases or orders made by you, your interests, preferences, feedback, and survey responses.
  • Usage Data includes information about how you use our website, products, and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

(C) Croftech Ltd is committed to complying with Data Protection Laws and protecting the privacy rights of individuals whose personal data is processed.

(D) This policy sets out the way Croftech Ltd aims to comply with Data Protection Laws, ensure personal data is respected and upheld, and explain individuals’ rights in relation to their personal data.

(E) Adherence to this policy ensures legal compliance and maintains trust and confidence among individuals whose personal data is processed.

1. Lawful Basis for Processing

2. Definitions

  • Personal data means any information relating to an identified or identifiable living individual.
  • Special category personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.
  • Data subject means the living individual to whom personal data relates.
  • Data controller means the entity that determines the purposes and means of processing personal data. Croftech Ltd is a data controller.
  • Data processor means an entity that processes personal data on behalf of a data controller.
  • Processing means any operation performed on personal data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available.
  • Supervisory authority means the UK Information Commissioner’s Office (ICO).

3. Data Subject's Rights

  • Right to be informed. The Company will provide the data subject with privacy notices containing details of the personal data processed, the purposes for which it is processed, the lawful basis for processing, retention periods and information about the data subject’s rights in relation to their personal data. Privacy notices will be provided at the time personal data is obtained from the data subject and/or when the Company starts to process their personal data.
  • Right of access. The data subject shall have the right to obtain from the Company confirmation as to whether or not personal data concerning him or her is being processed, and, where that is the case, access to his or her personal data. The Company shall provide the data subject with a copy of his or her personal data, and where applicable supplementary information, free of charge.
  • Right to rectification. The data subject shall have the right to obtain from the Company, without undue delay, the rectification of inaccurate personal data or incomplete personal data.
  • Right to erasure. The data subject shall have the right to obtain from the Company the erasure of personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • Right to restrict processing. The data subject shall have the right to obtain from the Company restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the Company override those of the data subject.
  • Right to data portability. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company.
  • Right to object. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on those provisions. The Company shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defence of legal claims.
  • Rights in relation to automated decision making and profiling. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This does not apply if the decision is necessary for entering into, or performance of, a contract between the data subject and the Company; is authorised by Union or Member State law to which the Company is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or is based on the data subject’s explicit consent. In such cases, the Company shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Data Quality and Integrity

  • Croftech Ltd shall implement appropriate technical and organisational measures to ensure that personal data is accurate, kept up to date and deleted when no longer necessary for the purposes for which it was collected.
  • Croftech Ltd shall conduct periodic reviews of personal data stored to verify accuracy and identify data which is no longer needed for the specified purpose. Such reviews shall be conducted every 12 months.
  • Personal data that is no longer needed for the specified purpose shall be securely erased or anonymised in accordance with Croftech Ltd.’s Data Retention Policy.
  • Requests from data subjects to rectify inaccurate or incomplete personal data shall be responded to without undue delay and within one month of receipt of the request.
  • Staff shall be trained on their obligations regarding data quality and integrity to ensure compliance with the relevant provisions of this policy.
  • Audits shall be conducted on a regular basis to monitor ongoing compliance with these procedures.

5. Data Security

5.1. Croftech Ltd shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data. Such measures shall include:

  • The pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

5.2. Croftech Ltd shall restrict access to personal data to only those employees who require such access to meet the purposes for processing as set out in this policy.

5.3. Croftech Ltd shall implement appropriate physical security measures to restrict access to personal data and to protect personal data from unauthorised access.

5.4. Croftech Ltd shall implement appropriate technical security measures to protect personal data from unauthorised access, alteration, disclosure, or destruction. Such measures shall include firewalls, anti-virus software, endpoint security, encryption of personal data in transit and at rest, and regular vulnerability scanning.

5.5. Croftech Ltd shall implement appropriate organisational security measures to protect personal data. Such measures shall include data protection and information security policies and training, vetting of third-party processors, and regular security audits and testing.

6. Data Breaches

6.1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

6.2. All employees and contractors must report all personal data breaches to the Data Protection Officer immediately upon becoming aware of the breach.

6.3. Upon receiving a report of a breach, the Data Protection Officer must assess:

  • The nature, sensitivity, and volume of personal data involved in the breach.
  • The likely consequences of the breach for data subjects.
  • Whether the breach is likely to result in a risk to the rights and freedoms of individuals.

6.4. If it is assessed that there is a risk to the rights and freedoms of individuals, the Data Protection Officer must ensure that the Information Commissioner's Office is notified within 72 hours of becoming aware of the breach.

6.5. The Data Protection Officer will document all breaches, their effects, and remedial action taken, and will maintain a record of all breaches and their outcomes.

6.6. In the event that a breach is likely to result in a high risk to the rights and freedoms of individuals, the Data Protection Officer will ensure that affected individuals are notified directly without undue delay.

6.7. The Data Protection Officer will evaluate and respond to any breaches, identify lessons to be learned, and make recommendations to evolve data protection practices, taking into account the risks of future breaches.

7. Data Protection by Design and Default

7.1. Data protection by design and default. The Company shall implement appropriate technical and organisational measures to ensure that by default, only personal data necessary for each specific purpose is processed.

7.2. Data minimisation. The Company shall ensure that personal data processed is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

7.3. Pseudonymisation. The Company shall pseudonymise personal data where possible to reduce risks to data subjects.

7.4. Data protection impact assessments. The Company shall conduct data protection impact assessments for any type of processing likely to result in a high risk to the rights and freedoms of individuals, including but not limited to new technologies and large-scale processing of special categories of personal data.

7.5. Security measures. The Company shall implement appropriate technical and organisational security measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

7.6. Third party processors. Where personal data is processed by a third-party processor on behalf of the Company, the Company shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of the data subject.

8. Data Protection Impact Assessments

  • Croftech Ltd will conduct a DPIA in respect of any processing operation that is likely to result in a high risk to the rights and freedoms of data subjects by virtue of its nature, scope or purpose.
  • The DPIA process will include:
    • Designating responsibility for conducting DPIAs and keeping records to the Data Protection Officer.
    • Considering the nature and purpose of the processing as well as compliance and risk assessment.
    • Consulting the Data Protection Officer throughout the process.
    • Recording outcomes of the DPIA and integrating findings into subsequent processing.
  • Where a DPIA identifies risks that cannot be mitigated, Croftech Ltd will consult the ICO prior to commencing the processing.
  • DPIAs will be reviewed periodically, especially where there is a change in how personal data is processed.

9. Data Sharing

9.1. Internal data sharing

  • Personal data may be shared internally within Croftech Ltd for the purposes of recruitment.
  • Personal data that has been shared internally shall not be shared externally or with any other third party without the prior authorisation of the Data Protection Officer.
  • All internal sharing of personal data shall be conducted securely, using “Read Only” access together with encryption or electronic document password protection.

9.2. Sharing with third parties

  • Personal data may be shared with the following categories of third parties: Google Analytics, Stripe, PayPal, GoCardless.
  • Personal data shall only be shared with third parties for the following purposes, and provided that the processing is conducted under a relevant condition for processing as set out in Part 3 of the DPA 2018:
    • To register you as a new customer
    • To process and deliver your order including
    • To manage our relationship with you which will include
    • To enable you to partake in a prize draw, competition or complete a survey
    • To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
  • A data processing agreement shall be entered into with all third parties with whom personal data is shared, which shall include security, confidentiality, and audit obligations.
  • Third parties shall not be permitted to share the personal data further except as necessary for the purpose for which it was originally shared.
  • Croftech Ltd shall be entitled to conduct audits and inspections of third parties with access to personal data.

9.3. Sharing with data subjects

  • Personal data may be shared directly with the data subject themselves upon written request from the data subject.

9.4. Sharing in an emergency

  • Personal data may be shared without consent where necessary to respond to an emergency that threatens harm to someone’s health or welfare.

9.5. Sharing to comply with a legal obligation

  • Personal data will be shared to the extent that Croftech Ltd is required to do so by law or regulatory requirements, including responding to requests from law enforcement or national security agencies.

10. International Data Transfers

  • The Company will only transfer personal data outside the European Economic Area (EEA) where appropriate safeguards are in place in accordance with Chapter V of the UK GDPR.
  • The Company will only transfer personal data where one of the following applies:
    • The transfer is necessary for the performance of a contract between the Company and the data subject, or the implementation of pre-contractual measures taken at the data subject’s request.
    • The transfer is necessary for important reasons of public interest.
    • The transfer is necessary for the establishment, exercise, or defence of legal claims.
    • The transfer is necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent.
  • The Company will put in place adequate safeguards for transfers of personal data outside the EEA. These may include:
    • Standard data protection clauses adopted by the European Commission.
    • Binding corporate rules, where applicable.
  • The Company will ensure that data subjects whose personal data is transferred outside the EEA can enforce their rights and have means of redress if their data is transferred without appropriate safeguards.
  • The Company will inform data subjects of any intended transfers to third countries outside the EEA and details of safeguards in place to protect their information.

11. Record Keeping

  • Croftech Ltd shall maintain records of all categories of processing activities carried out on its behalf.
  • The records shall contain the following information:
    • The name and contact details of Croftech Ltd
    • The purposes of the processing.
    • A description of the categories of data subjects and personal data.
    • The categories of recipients to whom personal data have been or will be disclosed.
    • Transfers of personal data to third countries or international organisations.
    • A general description of security measures.
  • The records shall be in a clear and easy to understand format and kept up to date.
  • The records shall be retained for a minimum period of three years unless a longer period is required by another relevant legislation.
  • Records relating to processing subject to security measures shall be retained until those measures are no longer in use.
  • The Data Controller shall be responsible for maintaining the records and ensuring they are kept up to date.

12. Training and Audit

12.1. Training. The Company shall ensure that all Employees who have access to Personal Data receive appropriate data protection training.

  • New Employees shall complete data protection training as part of the induction process.
  • All Employees shall receive refresher data protection training annually.
  • The Company shall maintain records of its training including dates training completed.

12.2. Audits. The Company shall conduct regular audits of its data processing activities.

  • The first audit shall take place no later than 6 months after the date of this Policy.
  • Further audits shall be conducted annually thereafter.
  • Each audit shall review:
    • Compliance with this Policy and the Company’s data protection procedures.
    • The effectiveness of the Company’s privacy by design measures.
    • The reports of any data breaches or near misses.
    • The process for conducting data protection impact assessments.
    • Records of consent and complaints.
    • Processor and third-party contracts and shared personal data.
  • The Company shall implement any actions identified in the audits.
  • The Company shall provide the audit report to the Data Protection Officer annually.

13. Privacy by Design

  • Croftech Ltd shall implement technical and organisational measures to ensure that, by default, only personal data which is necessary for each specific processing purpose is processed.
  • Such measures shall ensure that by default personal data is not made accessible without intervention to an indefinite number of individuals.
  • Croftech Ltd shall implement technical and organisational measures for ensuring that, by default, personal data is processed solely for the specific purposes of the processing.
  • Croftech Ltd shall implement technical and organisational measures to ensure that personal data is not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed.
  • Croftech Ltd shall implement appropriate technical and organisational measures to ensure that personal data undergoes pseudonymisation where possible.
  • Croftech Ltd shall implement appropriate technical and organisational measures for ensuring that personal data processing is transparent to the data subjects.
  • Croftech Ltd shall designate a data protection officer with specific responsibility for overseeing data protection strategy and compliance.
  • Croftech Ltd shall conduct regular audits and impact assessments to evaluate and demonstrate compliance with privacy by design obligations.

14. Authorised Disclosures

  • The Company may disclose personal data it holds to third parties:
    • As required by law, such as to comply with a Court Order, subject access request under the UK GDPR, or a request from a government authority, tax authority or regulatory body.
    • In connection with any ongoing or prospective legal proceedings.
    • To establish, exercise or defend the Company’s legal rights where it is necessary to do so (including providing information to others for the purposes of fraud prevention and reducing credit risk).
    • To prevent harm. In certain circumstances, the Company may disclose personal data in order to protect an individual’s vital interests, or the vital interests of another person, for example in a medical emergency.
    • With the individual’s consent.
  • The Company will not disclose personal data to third parties for them to use for their own purposes without the individual’s consent, unless permitted to do so by law.
  • The Company will document all disclosures of personal data, including the recipient, date, purpose, and justification.
  • Where personal data is to be transferred to a third party, the Company will regard the transfer as a ‘processing operation’ for the purposes of the UK GDPR and ensure the third party has provided adequate safeguards as required by that legislation.

15. Data Retention

  • The Company shall only retain personal data for as long as necessary to fulfil the purposes for which it was collected or for which it is further processed, as set out in this policy, unless a longer retention period is required or permitted by law.
  • The Company has established the following retention periods for personal data:
    • Customer records shall be retained for a period of 6 years from the end of the customer relationship.
    • Employee records shall be retained for a period of 6 years after the end of employment.
  • Retention periods shall be extended if personal data may be relevant to an ongoing legal claim or complaint. In such circumstances the personal data will be retained until the claim or complaint has been settled or withdrawn.
  • Secure deletion procedures will be followed at the end of the retention period to permanently delete personal data to the standard required by applicable law.
  • Records of processing activities shall be retained for a period of 6 years from the end of the processing.
  • This policy shall be subject to periodic review to ensure retention periods remain compliant with legal and regulatory obligations.

16. Subject Access Requests

  • Croftech Ltd shall respond to a subject access request within one month of receipt of the request.
  • To validate a subject access request, Croftech Ltd will require the requester to provide the information needed to confirm their identity, including name, address and e-mail verification, and any other relevant details needed to verify their identity.
  • Croftech Ltd may refuse a manifestly unfounded or excessive request. Croftech Ltd may also refuse to act on any request for rectification or erasure of personal data to the extent that an exemption applies.
  • The information contained within a subject access request will be provided in a concise, transparent, and easily accessible form, using clear and plain language.
  • Subject access requests are usually provided free of charge. However, Croftech Ltd reserves the right to charge a reasonable fee for requests that are manifestly unfounded or excessive, particularly where further copies are requested.
  • Where Croftech Ltd refuses a subject access request, reasons will be provided to the requester without undue delay and in any event within one month of receipt of the request. Information will also be provided on the right to lodge a complaint with the Information Commissioner’s Office or to seek judicial remedy.
  • Subject access will be provided by provision of records or via an online portal.
  • Where a request leads to a decision to rectify or erase personal data, such action will be taken without undue delay and in any event within one month of receipt of the request.

17. Changes to this Policy

  • Croftech Ltd shall ensure that all staff are notified of any changes to this Data Protection Policy.
    • Notification shall be provided to all staff via email with the updated policy attached.
  • Relevant third parties processing Personal Data on behalf of Croftech Ltd shall be notified without delay of any changes to this Data Protection Policy that are relevant to their processing activities.
  • The Data Protection Policy shall be reviewed annually by the Data Protection Officer to ensure it remains compliant with applicable Data Protection Laws.
    • The Data Protection Officer may also review and update the Data Protection Policy at any other time if deemed necessary to maintain compliance with Data Protection Laws following any relevant changes.
  • Staff are invited to provide feedback about this Data Protection Policy at any time and may request an earlier review if deemed necessary.

18. Third Party Processors

  • Appointment of Processors. The Company shall only appoint Processors who can provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Legislation and ensure the protection of the rights of the Data Subject.
  • The Company maintains legally binding written contracts with all third-party processors requiring them to only process personal data according to the Company’s documented instructions and to take appropriate security measures to protect the personal data processed.
  • All processor contracts include the subject matter and duration of processing, the nature and purpose of processing, the types of personal data processed and categories of data subjects, and the obligations and rights of the Company as controller.
  • Processor contracts require assistance to the Company in allowing data subjects to exercise their rights and in dealing with personal data breaches, and mandate deletion or return of all personal data to the Company at the end of processing engagements.
  • Any sub-contracting of processing activities by a third-party processor requires the Company’s prior consent and a contract ensuring the same level of data protection between the processor and sub-processor.
  • The Company monitors all processors to ensure ongoing compliance and will audit processors on request. The Company shall have the right to terminate any processor contract in the event of a breach.
  • The Company only appoints processors within the UK or EEA who can provide adequate safeguards for international data transfers.

19. Transferring Personal Data Outside the EEA

  • The Company may transfer personal data outside the EEA in compliance with Chapter V of the UK GDPR and Part 3 of the Data Protection Act 2018.
  • Transfers to countries benefiting from an adequacy decision are permitted for the duration of that adequacy decision.
  • For transfers relying on appropriate safeguards, the Company will ensure that enforceable data subject rights and effective legal remedies for data subjects are available.
    • The Company has adopted standard contractual clauses for transfers as approved by the European Commission.
  • In the absence of an adequacy decision or appropriate safeguards, the Company may transfer personal data where:
    • The data subject has explicitly consented to the proposed transfer, after having been informed of any potential risks of such transfers due to the absence of an adequacy decision and appropriate safeguards.
    • The transfer is necessary for the performance of a contract between the data subject and the Company or for pre-contractual steps taken at the data subject’s request.
    • The transfer is necessary for important reasons of public interest.
    • The transfer is necessary for the establishment, exercise, or defence of legal claims.
    • The transfer is necessary to protect the vital interests of the data subject where consent cannot be obtained.
  • The Company will maintain records of all international transfers of personal data.
  • The Company will cooperate with the supervisory authority regarding any international transfers of personal data.

20. Data Protection Officer

  • The Company shall appoint a Data Protection Officer either as an employee or external service provider.
  • The Data Protection Officer shall be appointed on the basis of professional qualities and expert knowledge of data protection laws which are necessary to fulfil the tasks.
  • The responsibilities of the Data Protection Officer include:
    • Informing and advising the Company and its employees about their obligations to comply with the UK GDPR and other data protection laws.
    • Monitoring compliance with the UK GDPR and other data protection laws, this Policy, and related policies, procedures, and management of subject access requests.
    • Providing advice on data protection impact assessments where requested, as well as monitoring the performance of data protection impact assessments.
    • Cooperating with the Information Commissioner’s Office and acting as the main point of contact for data subjects and the Information Commissioner’s Office on issues related to processing including prior consultations and notifications to the Information Commissioner’s Office, and prior consultations regarding data protection impact assessments.
  • The Data Protection Officer is the first point of contact regarding individuals’ questions or complaints relating to the processing of their personal data and how their data is used by the Company. The Data Protection Officer shall respond to all requests regarding data subject rights and data use from individuals or third parties.

21. Monitoring and Review of this Policy

  • Responsibility for ongoing monitoring and review of this policy shall lie with the Data Protection Officer of Croftech Ltd.
  • The Data Protection Officer will carry out periodic reviews of this policy at least once every 12 months.
  • The Data Protection Officer shall also carry out an interim review of this policy in the event that any of the following occur:
    • changes to Data Protection Laws or applicable codes of conduct or industry guidelines.
    • changes to Croftech Ltd’s data processing operations or practices that affect personal data protection.
    • the highlighting of new information risks or failures to comply with this policy.
  • The effectiveness of this policy and Croftech Ltd’s compliance with Data Protection Laws shall be assessed during the periodic reviews based on review of Croftech Ltd’s incident logs, audit reports, feedback from data subjects and/or recommendations for improvement.
  • The Data Protection Officer shall be responsible for making any necessary updates or amendments to this policy following each review and seeking the approval of the relevant body for any significant changes.
  • Croftech Ltd shall communicate any changes to this policy to all employees and other relevant parties, ensuring the updated version is published on its intranet and provided to key contacts.

22. Protection of Corporate Information Assets

  • Information Classification. The Company shall establish and maintain classification levels for all corporate information and personal data, including but not limited to “Public”, “Internal”, “Confidential” and “Restricted”. All corporate information and personal data shall be clearly labelled with its classification level.
  • Access Controls. The Company shall implement role-based access controls to restrict access to corporate IT systems and personal data stored on them to authorised personnel only. Access shall be provided to personnel on a need-to-know basis and revoked promptly upon termination of employment or engagement.
  • Security Awareness Training. All personnel shall undergo regular security awareness training on the Company’s information security policies and procedures. Training shall cover personnel’s roles and responsibilities for protecting corporate information assets, including appropriate use of equipment and reporting security incidents.
  • Device Security. All corporate equipment used to store or process personal data, including laptops, smartphones, and tablets, shall be secured in accordance with the Company’s security policies. Encryption, passwords, and remote wiping capabilities shall be used where appropriate.
  • Information Transfers. Secure processes and technologies shall be used for transferring or sharing personal data externally, including encryption and password-protection of emails and files, and secure file-sharing services.
  • Data Loss Prevention. The Company shall implement technical measures to prevent and detect unauthorised export of personal data outside corporate IT systems. Use of removable media and cloud file-sharing services shall be monitored and controlled.
  • Incident Response. The Company shall maintain an incident response plan for responding to actual or suspected personal data breaches or cyber security incidents in accordance with Article 33 UK GDPR. Lessons learned from previous incidents shall be applied to continuously improve information security standards.