GDPR & INFORMATION SECURITY POLICY
Personal data and information is a key resource for Splimple Ltd, without which many of our activities would cease. Because of its importance it is recognised that we must do all we can to protect personal data and its information assets. We will do this in ways that are appropriate and cost effective.
This helps us to fulfil our responsibilities and to ensure that a high quality service can continue to be offered to our customers. Our ability to exploit and gain advantage from information will enable us to maintain and improve our reputation and ensure that we meet our strategic business and professional goals. In addition, it will ensure that we do not lose opportunities through a poor reputation for security.
The aim of our GDPR and Information Security Policy is to protect personal data and Splimple Limited from security problems that might have an adverse impact on our operations and our professional standing.
Security problems can include questions of confidentiality (the wrong people obtaining information), integrity (information being altered without permission, whether deliberate or accidental) and availability (information not being available when it is required). For the purpose of this policy statement the widest possible definition of security will be used to include all types of incident that might have an impact on the effective use of personal data and information, including performance, consistency, reliability, accuracy and timeliness.
The scope of this policy covers use of personal data and information both upon paper and via access to electronic records.
Splimple Limited will:
- Use all reasonable, appropriate, practical and effective security measures to protect its business processes, personal data and information assets from inappropriate use;
- Utilise the appropriate Regulation and Code of Practice for GDPR & Information Security Management as a framework for guiding its approach to managing security;
- Continually examine ways in which it can improve the use of security measures to protect and enhance its business interests;
- Protect and manage personal data and its information assets in such a way as to comply with its contractual, legislative, privacy and ethical responsibilities.
Splimple Information Users:
- Have an obligation to protect personal data, the company’s information assets, systems and infrastructure;
- They must, at all times, act in a responsible, professional and security-aware way, maintaining an awareness of and conformance to this Policy;
- Must protect personal data and information assets of third parties whether such protection is required contractually, legally, ethically or just out of respect for other individuals or organisations;
- If intending to access Information via electronic means, must give their informed agreement to comply with Splimple Information Security Policy;
- Are responsible for identifying security shortfalls in existing security practices and/or improvements that could be made.
- Will expect its Personal Data & Information Users to ensure that colleagues and the Company are not disadvantaged or penalised by inappropriate information security actions;
- Will report on information security issues, monitor progress and make appropriate actions;
- Will endeavour to ensure that sufficient resources are made available for the achievement of the objectives of the GDPR & Information Security Policy.
Good Practice Principles:
- Using risk analysis techniques Splimple will identify its security risks and their relative priorities, responding to them promptly and confidently, implementing safeguards that are appropriate, effective, culturally acceptable and practical;
- To promote better sharing and exploitation of information, all Information Users will have access to appropriate internal information, including overall guidelines to the security measures employed, wherever possible;
- All Information Users are accountable for their actions and all actions will be attributable to an identified individual;
- All personal data and information (including third party information) will be protected by safeguards and handling rules appropriate to its sensitivity and criticality;
- Information owners will generally be responsible for identifying to whom their information may be released. On occasions, current legislation or contractual obligations may require its disclosure to authorised external bodies;
- Splimple will seek to ensure that its activities can continue with minimal disruption, or other adverse impact, should it or any of its locations or services suffer any form of disruption or security incident;
- Actual or suspected security incidents must be reported promptly to the Directors who will manage the incident to closure, and arrange for an analysis of lessons to be learnt;
- Documented procedures and standards, along with education and training, will supplement this Policy;
- Compliance with the Policy will be monitored on a regular basis and the Directors will review this policy regularly for completeness, effectiveness and usability together with identification and approval of planned improvements during the following twelve months;
- Effectiveness will be measured by our ability to avoid security incidents and minimise resulting impacts;
- The Directors will approve all new versions of the GDPR & Information Security Policy.
A copy of this Policy will be made available to all staff at Splimple Limited – and all employees are expected to be familiar with, and to comply with, the GDPR & Information Security Policy at all times. Further information or clarification on any aspects of this Policy may be obtained from the Directors.
Applicability and Enforcement
This Policy applies to all Splimple Information Users and those who use its facilities and information. Compliance with the Policy will be part of the contract of employment and part of the process granting others access to the facilities.
Failure to comply with the GDPR & Information Security Policy could harm Splimple’s ability to achieve its strategic and security objectives and damage the professional reputation of the business. It will, in the ultimate sanction, be treated as a disciplinary matter. The Directors will have overall responsibility for all decisions regarding the enforcement of this policy, utilising the legal sanctions or existing staff disciplinary procedures as appropriate.