Data Security Policy

Revised: 18 January 2022

Organizational Measures
-Comprehensive data protection assessments are conducted regularly to pinpoint risks in our data processing operations. These evaluations guide the implementation of effective organizational and technological safeguards, ensuring the integrity of personal data.


Staff Vetting and Training
-Rigorous pre-employment screening is conducted for all potential employees who will handle personal data, verifying identity and assessing character for trustworthiness in managing sensitive information.
-Confidentiality is a key component of our employment agreements.
-Continuous data protection education is mandatory, beginning at induction and refreshed periodically. This training encompasses GDPR compliance, staff responsibilities for data security, verification processes, internet usage policies, strong password practices, and avoiding phishing and spam.

Physical Data Security
-Paper records are stored securely and accessible only to authorized staff.
-Computer equipment processing personal data is situated in secure locations, with screen visibility controlled to prevent external observation.
-Access to our office spaces is restricted to authorized individuals, with special considerations when third parties, like cleaners, are present.

IT Security Protocols
-Firewalls and, where feasible, anti-malware and antivirus programs are in place to shield our network from external threats.
-Internet access is controlled to limit exposure to risky online environments.
-Regular updates and maintenance of our operating systems are performed to address security vulnerabilities.
-Unused software is promptly removed to minimize potential security risks.

Access Controls
-Sensitive data is safeguarded through encryption, password protection, or pseudonymization.
-Secure server use is considered for sensitive online transactions.
-The content of an email determines whether it requires encryption or password protection.

Password Management
-Strong, regularly updated passwords are mandated for network and system access.
-Password sharing is strictly prohibited, and passwords are promptly revoked upon employee departure or extended leave.
-Visitor Wi-Fi is provided to separate guest access from internal networks.
-Login attempt limits are enforced to enhance security.

Third-party Data Processing
-Written agreements, including data protection clauses, are mandatory with third-party processors to ensure adequate data safety.

Data Disposal and Business Continuity
-Decommissioned devices are securely wiped of personal data.
-Regular backups of vital data are maintained in separate, secure locations, including offsite storage where feasible.
-Backup media like CDs and USBs are securely stored.
