Data Protection Policy

Version 0.1    Document code: POL-DATA

1. Purpose

The purpose of this Data Protection Policy is to ensure that all data, and in particular Personally Identifiable Information (PII) administered on behalf of clients, is handled, processed, stored and disposed of in a manner that preserves its confidentiality, integrity and availability. This policy aligns with industry best practice, the requirements of ISO/IEC 27001, and applicable data protection laws and regulations such as the GDPR.

2. Scope

This policy applies to all employees, contractors, and any other third parties who have access to the company’s information systems and data, including virtual servers, laptops, and cloud services.

3. Roles and Responsibilities

  • CEO and CIO: Responsible for overseeing the implementation of this policy and ensuring compliance with data protection laws and regulations.
  • Data Protection Officer (DPO): Appointed to manage the data protection program, monitor compliance, and serve as the primary point of contact for data protection issues.
  • IS Security Specialist: Responsible for implementing and maintaining technical security measures to protect data.
  • Employees and Contractors: Required to adhere to data protection policies and procedures and report any data protection issues or breaches.

4. Data Protection Principles

  • Lawfulness, Fairness, and Transparency: Process PII lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Collect PII only for specified, explicit, and legitimate purposes.
  • Data Minimization: Ensure PII collected is adequate, relevant, and limited to what is necessary.
  • Accuracy: Keep PII accurate and up to date.
  • Storage Limitation: Retain PII only for as long as necessary for the purposes for which it was collected.
  • Integrity and Confidentiality: Ensure appropriate security measures to protect PII against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Accountability: Be able to demonstrate compliance with these principles.

5. Data Collection and Processing

5.1. Data Collection

Consent:
  • Obtain explicit consent from individuals before collecting their PII unless another legal basis for processing exists.
Data Inventory:
  • Assign access rights based on user roles and responsibilities.
  • Regularly review and update access controls to ensure they reflect current job functions.

5.2. Data Processing

Purpose:
  • Process PII only for the purposes for which it was collected.
Data Sharing:
  • Share PII with third parties only when necessary, and only after confirming that they have adequate data protection measures in place and that a data processing agreement exists where the law requires one.

6. Data Security Measures

6.1. Access Control

User Authentication:
  • Use strong, unique passwords and multi-factor authentication (MFA) for all access to systems containing PII.

See Access Control Policy (document code: POL-ACP).

Role-Based Access Control (RBAC):
  • Restrict access to PII based on user roles and responsibilities.
Access Logging:
  • Log and monitor access to systems containing PII.

See Logging and Monitoring Policy (document code: POL-LOG).

6.2. Data Encryption

In Transit:
  • Encrypt PII during transmission using a current version of TLS (TLS 1.2 or later); legacy SSL and earlier TLS versions are not acceptable.
At Rest:
  • Encrypt PII stored on servers, laptops and other storage devices, with the encryption keys managed and stored separately from the encrypted data.

6.3. Data Anonymization and Pseudonymization

Techniques:
  • Use anonymization and pseudonymization techniques to reduce the risk of identifying individuals from stored data. Anonymized data cannot be linked back to an individual; pseudonymized data can still be re-identified with additional information, which must be held separately and protected by its own access controls.

6.4. Physical Security

Facilities:
  • Ensure physical security measures for facilities where PII is stored, such as access controls and surveillance.

7. Data Retention and Disposal

Retention Policy:
  • Retain PII only for as long as necessary to fulfill the purposes for which it was collected or as required by law.
Data Disposal:
  • Ensure secure disposal of PII that is no longer needed: shredding for paper records, degaussing or physical destruction for magnetic media, and secure deletion for electronic data, including copies held in cloud services.

8. Data Breach Management

Incident Response:
  • Implement an incident response plan to address data breaches, including steps to contain, mitigate, and recover from the breach.
Notification:
  • Notify affected individuals and relevant authorities of data breaches within the timeframes set by legal and regulatory requirements (for example, the GDPR requires notification of the supervisory authority within 72 hours of becoming aware of a breach, where feasible).
Post-Incident Review:
  • Conduct a post-incident review to identify the root cause and implement measures to prevent recurrence.

See Incident Response Policy (document code: POL-IR).

9. Data Subject Rights

Access:
  • Allow individuals to access their PII upon request.
Rectification:
  • Allow individuals to correct inaccurate or incomplete PII.
Erasure:
  • Allow individuals to request the deletion of their PII under certain conditions.
Restriction:
  • Allow individuals to restrict the processing of their PII under certain conditions.
Data Portability:
  • Allow individuals to request the transfer of their PII to another organization.
Objection:
  • Allow individuals to object to the processing of their PII under certain conditions.

10. Training and Awareness

Training Programs:
  • Provide regular training on data protection principles and practices to all employees and contractors.
Awareness Campaigns:
  • Conduct ongoing awareness campaigns to reinforce the importance of data protection.

11. Policy Review

  • This Data Protection Policy will be reviewed annually by the CEO, CIO, and DPO.
  • Any changes to the policy will be communicated to all affected parties.

12. Compliance

  • Compliance with this policy is mandatory for all users handling PII.
  • Non-compliance may result in disciplinary action, including termination of employment or contracts.

Approval

This Data Protection Policy is approved by:

CEO: Patrick Vanson

CIO: Lucian Florea

Date: 01 July 2024
