We have a clear written GDPR and Information Security policy which is shared with staff during induction and forms part of the Annual Appraisal process. Staff may not share personal data with anyone else except on a need-to-know basis, and only when the data owner has given informed consent for a specific reason. During induction we make staff aware of the consequences of breaching the policy.
Staff are not permitted to use social media or their personal email on office computers, to reduce the chance of data being shared even by mistake. We ensure that passwords are kept secure and changed regularly so that they cannot be misused. We also ensure that staff do not bring in or connect any external devices to our computers. All information is kept in the Cloud on a UK-based server, with users having cascading permissions that allow them only the level of access they need for their role.
We have a clear Working from Home policy that covers using sensitive information outside the office and protects our clients. Similarly, in the office we have a clean desk policy: no passwords are written down, and printed documents that are not in use are secured in locked drawers. At the end of a document’s life cycle, it is securely destroyed with a cross-cut shredder. Password security: employees should create strong, unique passwords for each account and never share their credentials. Passwords are changed every 3 months. Likewise, we share case studies of phishing emails and social engineering scams: employees should be able to recognise attempts that take place via email, over the phone, or even in person, so we advise them against disclosing sensitive information or authorising money transfers. Additionally, we ask employees to be vigilant about malware, giving them a basic overview of spyware, viruses and similar threats that hide in links, files, and software programs. They use company computers exclusively for company work, operate in the cloud, and use our approved antivirus software. We are registered with the Information Commissioner’s Office and we are aware of our obligations in the event of a breach.
We have a whistleblowing policy which our staff are aware of in case of a data breach. We also have a clear complaints process for our clients if they have any concerns about how their data has been handled. They can contact senior staff directly to raise or complain about any situation that may have caused, or could cause, a breach of their data.
All employees understand that protecting company data is not only the IT department’s job; it is everyone’s responsibility. Although the level of training varies from position to position, everyone must have a basic knowledge of common threats and defences. We build a culture of data safety from Day One in onboarding and throughout the extended induction process. At the annual performance appraisal, GDPR and data security are part of the performance review. We hold regular refresher data hygiene training in staff meetings, with updates on any developments from the news, case studies or the ICO bulletins. We build a positive culture of support in which staff help each other to prevent a breach, without blame or shame, so that there is a culture of transparency and mutual alertness: if anyone spots a possible slip, they warn and support each other without fear of being shamed.
Employees are part of the Annual Data Protection plan and policy review process.
Annual Data Protection Plan:
As a whole company, we update our plan annually with a data risk assessment, an analysis of the threat landscape, and an identification of gaps in training. This also informs the updates to the GDPR, Homeworking, and related policies.