Privacy Policy

What GDPR Requires:
We need to have adequate Technical and Organisational security measures in place to ensure the Personal Data we hold on individuals is properly protected. This must be done in a manner proportionate to the risk faced by the individuals whose personal data we hold, in the event that this data is compromised. This protection is against unauthorised and unlawful processing and against accidental loss, destruction or damage to the Personal Data we hold.

In the event of a security breach, subject to certain conditions, we have an obligation to report this security breach to the ICO (and any other applicable regulators) and the individuals whose personal data have been breached. Our obligations apply in the following situations:

Our obligation to notify the regulator applies if the breach is likely to result in a risk to the rights and freedoms of any individual. We are required to notify without undue delay and in any event within 72 hours from when we first became aware of the breach.

Our obligation to notify the individuals whose personal data have been breached applies if the breach is likely to result in a high risk to the rights and freedoms of any individuals. We are required to notify the affected individuals without undue delay.
How We Comply:
Physical Security 
Access

Access to our premises is restricted to only employees and authorised visitors with appointments. Reception staff are instructed to allow only authorised personnel access into the building. There are access barriers in place at the entrance of our business premises, and electronic key card panels are in use.

Meeting rooms for external visitors are located in the reception area, so there is no requirement for general visitors to access any of the staff areas of the office. Where, for example, contractors need to access staff areas to carry out maintenance activities, staff are made aware in advance and are encouraged to question anyone found in staff areas of whom they have not had prior notice. Visitors are accompanied from reception by the employee(s) they have appointments with (or by reception staff) and are under supervision throughout their time within our business premises. There is an access log book in which all visitors are required to fill in information detailing their identity, the purpose of their visit, and who they have come to see. Visitors are also required to sign in on arrival and sign out on exiting our premises. This ensures we keep track of visitors who are on the premises at all times and have a record of this.
Storage

All paper files and documents containing personal information are kept in securely locked filing cabinets. Staff are responsible for ensuring that the keys for their storage are kept in a secure location, with only authorised personnel having access.

There is a clear desk policy in place when leaving our offices. All papers are removed from desks and securely locked in the drawers provided or in the applicable filing cabinets. All computers must be logged out at the end of the day or when employees leave their workspace for extended periods.

We have a policy in place that governs how data processed within the organisation is to be stored securely, and training on storing information is carried out at Onboarding.
Technical Security 
Access Controls

We have access controls in place that restrict who can access Personal Data within the organisation. These controls ensure that only those who need to have access to Personal Data are given access. The controls are restricted by function and role. Only managers have the authority to alter what employees can and cannot access.

All our organisational systems are password protected so only authorised personnel have access. We have a requirement for passwords to be changed every 90 days to maintain security.

We have access logs in place which record who accesses Personal Data in the systems and the actions performed on the Personal Data when accessed. We have robust offboarding processes to ensure that once an employee leaves our business, all access of that employee within the business is revoked.
Encryption

Where we store personal data electronically, we use encryption to ensure this data is secure. We prohibit the use of portable storage devices in our business; where there is an exception to this, only encrypted portable devices are allowed.
Pseudonymisation

We use Pseudonymisation where possible, especially when Sensitive Personal Data is involved. This is the case where the purposes for keeping Sensitive Personal Data have elapsed but the data is of value to our business. We also conduct reviews of our databases per annum to ascertain what data can be Pseudonymised.
Anonymisation

We anonymise Personal Data where possible, especially in situations where we do not require the identity of the person who the data is about and where the purposes for keeping Personal Data have elapsed but the data is of value to our business for statistical and analytics purposes. We conduct reviews of our databases per annum to ascertain what data can be anonymised.
Data Security Incident Management 
We train our staff on the actions to take in the event of a Security Breach. This involves who to contact immediately, who is in charge of the investigations that follow and who escalates the incident to the ICO and affected individuals where necessary. We review this process annually and schedule a breach simulation exercise at least annually.