Data Protection Measures

    Organisational Data Protection Measures

    1. The Data Processor shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Data Controller, it maintains security measures to a standard appropriate to:
        1.1 the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
        1.2 the nature of the Personal Data.
    2. In particular, the Data Processor shall:
        2.1 have in place, and comply with, a security policy which:
            2.1.1 defines security needs based on a risk assessment;
            2.1.2 allocates responsibility for implementing the policy to a specific individual (such as the Data Processor’s Data Protection Officer) or personnel;
            2.1.3 is provided to the Data Controller on or before the commencement of this Agreement;
            2.1.4 is disseminated to all relevant staff; and
            2.1.5 provides a mechanism for feedback and review.
        2.2 ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
        2.3 prevent unauthorised access to the Personal Data;
        2.4 protect the Personal Data using pseudonymisation, where it is practical to do
        2.5 ensure that its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
        2.6 have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using encryption);
        2.7 password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure, and that passwords are not shared under any circumstances;
        2.8 not allow the storage of the Personal Data on any mobile devices such as laptops or tablets unless such devices are kept on its premises at all times;
        2.9 take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
        2.10 have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:
            2.10.1 the ability to identify which individuals have worked with specific Personal Data;
            2.10.2 having a proper procedure in place for investigating and remedying breaches of the GDPR; and
            2.10.3 notifying the Data Controller as soon as any such security breach
        2.11 have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;
        2.12 have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment; and
        2.13 adopt such organisational, operational, and technological processes and procedures as are required to comply with the requirements of ISO/IEC 27001:2013, as appropriate to the Services provided to the Data Controller.