The Firm carries out a data protection risk assessment to assess the risks posed by its processing activities and implements mitigation strategies to control the risk(s). The Firm’s data protection risk assessment enables it to identify vulnerabilities and ensure that it implements adequate organisational and technical measures to ensure the security of the personal data it processes.
The Firm carries out pre-recruitment vetting on all staff that will handle personal data as part of their role. The Firm’s pre-recruitment checks will confirm the identity of the candidate and ascertain whether the prospective staff is of good character in order to entrust them with the processing activity.
The Firm’s staff are under a duty of confidentiality which forms part of their employment contract with the Firm.
The Firm provides relevant staff with data protection training to ensure adequate awareness of data protection. Data protection staff training is provided upon induction and on a refresher basis. The data protection training covers:
- The Firm’s obligations under GDPR;
- The responsibilities of individual staff members for the protection of personal data;
- The proper procedures to use to identify an individual before disclosing any personal information;
- The restrictions on the use of the Firm’s devices to access unauthorised websites which carry a greater IT security risk;
- The use of strong passwords; and
- To not open spam (not even to unsubscribe or ask for more mailings).
The Firm only gives its staff access to personal data that they require to carry out their job.
Personal data that is kept in a physical form is securely stored away out of plain sight when not in use. Only authorised personnel have access to the personal data.
Physical devices such as computers which are used to process personal data are located in secure parts of the Firm’s premises. Access to the physical devices are only permitted to authorised persons.
The Firm endeavours to position computer devices that are used to process personal data with its screens facing away from any windows so that they cannot be viewed by passers-by.
The Firm’s premises is kept secure by only allowing authorised personnel to access the Firm’s office space(s) where personal data is stored. When any third parties such as cleaners access the Firm’s office space the Firm ensures that all physical records containing personal data are securely stored away from sight.
The Firm’s office is locked out of hours and is secure.
The Firm installs a firewall to protect its network and systems from unauthorised access.
Where possible the Firm will install anti-malware software to protect its network from malware, ransomware and rootkit.
Where possible, the Firm will operate an internet gateway that restricts the websites and online services that staff can access whilst at work.
The Firm installs antivirus software to detect and destroy computer viruses.
The Firm’s operating systems are set up to receive automatic updates which includes the latest patches and security updates to cover vulnerabilities.
The Firm will remove any unused software and services from the devices it uses to process personal data. This is to reduce the number of potential vulnerabilities.
The Firm secures any personal data which carries the risk of causing harm to the data subject if they were compromised (e.g. financial data, health data). The Firm considers the following security measures:
- Password protection; or
- Pseudonymisation (i.e. replace fields in the data record with artificial information).
The Firm will consider using a secure server which guarantees secure online transactions (i.e. access) to the Firm’s network.
The Firm will consider, based on the content of emails, whether certain emails containing sensitive personal data should be encrypted or password protected.
Access into the Firm’s network and systems is password protected. The Firm encourages staff to use strong passwords which contain a combination of upper and lower case, numbers and special characters. Where possible, the Firm will enforce regular password changes.
Passwords are cancelled immediately if staff members leave the Firm or are absent for long periods (e.g. maternity or paternity leave).
Staff are prohibited from sharing passwords which control their personal access into the Firm’s network and/or systems.
Where possible the Firm will make provision for a visitor/guest WiFi to prohibit visitors from using the Firm’s network.
The Firm will limit the number of failed login attempts into its network and systems.
Third party processors
Where the Firm uses third party processors it will ensure adequate protection of personal data it is responsible for by entering into a written agreement with the processor which includes data protection clauses.
The Firm ensures that it deletes the personal data or destroys the hard drive on any of its computer devices that is used to process personal data before disposing of the device.
Physical records containing personal data are disposed of in the confidential waste bin or shredded.
The Firm regularly backs-up the personal data on its computer system(s) and keeps them in a separate place. Where possible, the Firm’s back-ups will be stored so that it is not visible to the rest of the network.
Where possible, the Firm’s servers will be located in a separate room with controlled access. Where possible, at least one of the Firm’s back-up servers will be located offsite.
Back-up devices such as CDs and USBs will be locked away when not in use.