Cookies Policy | Blogs | Privacy Policy  |   01254 919589  |     WhatsApp Us | Member Login

Data Security  Policy

Organisational


The Firm carries out a data protection risk assessment to assess the risks posed by its processing activities and implements mitigation strategies to control the risk(s). The
Firm’s data protection risk assessment enables it to identify vulnerabilities and ensure that it implements adequate organisational and technical measures to ensure the
security of the personal data it processes.

People


The Firm carries out pre-recruitment vetting on all staff that will handle personal data as part of their role. The Firm’s pre-recruitment checks will confirm the identity of the
candidate and ascertain whether the prospective staff is of good character in order to entrust them with the processing activity.
The Firm’s staff are under a duty of confidentiality which forms part of their employment contract with the Firm.

The Firm provides relevant staff with data protection training to ensure adequate awareness of data protection. Data protection staff training is provided upon induction
and on a refresher basis. The data protection training covers:

  • The Firm’s obligations under GDPR;
  • The responsibilities of individual staff members for the protection of personal data;
  • The proper procedures to use to identify an individual before disclosing any personal information;
  • The restrictions on the use of the Firm’s devices to access unauthorised websites which carry a greater IT security risk;
  • The use of strong passwords; and
  • To not open spam (not even to unsubscribe or ask for more mailings).
    The Firm only gives its staff access to personal data that they require to carry out their job.

    Physical security


    Personal data that is kept in a physical form is securely stored away out of plain sight when not in use. Only authorised personnel have access to the personal
    data. Physical devices such as computers which are used to process personal data are located in secure parts of the Firm’s premises. Access to the physical devices
    are only permitted to authorised persons. The Firm endeavours to position computer devices that are used to process
    personal data with its screens facing away from any windows so that they cannot be viewed by passers-by.

    Premises


    The Firm’s premises is kept secure by only allowing authorised personnel to access the Firm’s office space(s) where personal data is stored. When any third
    parties such as cleaners access the Firm’s office space the Firm ensures that all physical records containing personal data are securely stored away from sight.
    The Firm’s office is locked out of hours and is secure.

    IT security


    Security software
    The Firm installs a firewall to protect its network and systems from unauthorised access. Where possible the Firm will install anti-malware software to protect its
    network from malware, ransomware and rootkit. Where possible, the Firm will operate an internet gateway that restricts the
    websites and online services that staff can access whilst at work. The Firm installs antivirus software to detect and destroy computer viruses.
    The Firm’s operating systems are set up to receive automatic updates which includes the latest patches and security updates to cover vulnerabilities.
    The Firm will remove any unused software and services from the devices it uses to process personal data. This is to reduce the number of potential
    vulnerabilities.

    Access protection
    The Firm secures any personal data which carries the risk of causing harm tothe data subject if they were compromised (e.g. financial data, health data).
    The Firm considers the following security measures:

    • Encryption;
    • Password protection; or
    • Pseudonymisation (i.e. replace fields in the data record with artificial
      information).


    The Firm will consider using a secure server which guarantees secure online transactions (i.e. access) to the Firm’s network.

    Emails

    The Firm will consider, based on the content of emails, whether certain emails containing sensitive personal data should be encrypted or password protected.

    Passwords


    Access into the Firm’s network and systems is password protected. The Firm encourages staff to use strong passwords which contain a combination of
    upper and lower case, numbers and special characters. Where possible, the Firm will enforce regular password changes.
    Passwords are cancelled immediately if staff members leave the Firm or are absent for long periods (e.g. maternity or paternity leave).
    Staff are prohibited from sharing passwords which control their personal access into the Firm’s network and/or systems.
    Where possible the Firm will make provision for a visitor/guest WiFi to prohibit visitors from using the Firm’s network.
    The Firm will limit the number of failed login attempts into its network and systems.

    Third party processors


    Where the Firm uses third party processors it will ensure adequate protection of personal data it is responsible for by entering into a written agreement with the
    processor which includes data protection clauses.

    Data disposal
    The Firm ensures that it deletes the personal data or destroys the hard drive on any ofits computer devices that is used to process personal data before disposing of the
    device. Physical records containing personal data are disposed of in the confidential waste bin or shredded.

    Business continuity


    The Firm regularly backs-up the personal data on its computer system(s) and keeps them in a separate place. Where possible, the Firm’s back-ups will be stored so that it is not
    visible to the rest of the network. Where possible, the Firm’s servers will be located in a separate room with controlled access. Where possible, at least one of the Firm’s back-up servers will be located offsite.
    Back-up devices such as CDs and USBs will be locked away when not in use.