Data Security Policies
CRISCO CONSULTING takes data security extremely seriously, and we place the
rights of the individual and regulatory adherence at the heart of everything we do as a
company.
In light of these commitments, all staff members must observe and adhere to the
following data security policies:
Data storage policy
All information or data that is collected and processed is subject to all of the
applicable requirements as outlined and documented within this policy. This
includes information collected electronically, by paper, telephone or data
collected through any other means.
All data must be collected, stored and protected in a secure location appointed
by CRISCO CONSULTING, for a retention period as predefined by the
corresponding legislation or company policy.
Staff members are strictly forbidden from retaining confidential information or
personal data not relating to themselves on their personal devices. The only
exception is information needed for a work-related purpose that is temporary,
specified, and approved by a relevant manager.
Staff members should avoid downloading sensitive files or confidential
information to local devices wherever possible. Information being necessarily
processed for work purposes may be exempt from this policy.
Employees must install and use software and systems that have been licensed
and approved by the company on devices while carrying out the duties of their
role. Downloading or using any software, app or system that is not preapproved
by the company will require prior approval from the company’s IT Manager.
All mobile and portable devices used by staff members should be approved by
the company’s IT Manager and secured to prevent unauthorised access or
breach. Such devices include laptops, smartphones, tablets and any other
handheld computing devices. This policy also applies to any shared cloud
storage spaces.
All internet access and online operations carried out by employees could be
subject to monitoring and filtering in accordance with relevant legislation and
company policy. This monitoring should be carried out only by the IT Manager
or an authorised member of staff.
Employees must adhere to all applicable elements of this policy when using
personal devices to access company resources. Similarly, employees must
observe and adhere to all applicable elements of this data security policy when
using equipment provided by CRISCO CONSULTING to access information
externally.
Employees are forbidden from using public access devices. This practice is
allowed in some circumstances; however, prior and explicit approval from a line
manager for regular public access must be obtained and recorded.
Employees must use access tools provided to them by a client or partner of
CRISCO CONSULTING if access is granted to any third-party storage system
or data storage facility.
It is forbidden to send, forward or submit any of the information or data referred
to within this data security policy to a third-party unless deemed essential to
complete approved processes.
If an employee needs to carry out an approved submission of data to any
relevant third-party, that data must be made secure in accordance with
company policy and any relevant third-party data protection protocols.
Please note that CRISCO CONSULTING will carry out regular system audits to monitor
and ensure ongoing compliance with this data security policy and all regulatory
requirements as outlined under GDPR.
Data retention policy
While CRISCO CONSULTING must routinely collect and store data, we are committed
to the rights of individuals. That’s why we retain all information and personal data for no
longer than we need to.
The necessary length of retention will often be decided on a case-by-case basis,
bearing in mind the rationale and original purpose surrounding data collection and
retention. Decisions of this nature must be made in a way that is compatible with our
existing data retention guidelines under GDPR.
For additional guidance, consult the following corresponding documents:
Data retention and erasure policy document
International data transfer policy
Employees must observe a series of restrictions that apply towards the international
transfer of data or personal information. Employees are not permitted to transfer
personal information or data outside of the United Kingdom without having obtained
explicit permission in the first instance from the company’s Data Protection Officer.
Data encryption and anonymisation policy
CRISCO CONSULTING deploys encryption to secure and protect data that is stored on
devices from unlawful processing or unauthorised access. Encryption is also used to
protect information that is in transit.
We also use the anonymisation of personal data wherever deemed prudent to ensure
the rights of the individual are fully protected and observed.
In line with these principles, we are committed to the use of both encryption and
anonymisation as a risk management tool alongside existing systems, to protect the
company from accidental loss, as well as from the damage or destruction of data or
personal information.
Activities that are prohibited
Unless otherwise noted or informed, employees are strictly forbidden from using
company equipment, tools or systems for any purpose unrelated to their role
responsibilities, excluding any previously mentioned exceptions. This policy also
relates to any relevant systems, tools or equipment belonging to a company client or
partner.
Bearing that in mind, the following activities should be deemed forbidden with no
exceptions:
Any unauthorised replication of copyrighted materials.
The violation of individual rights by way of the unnecessary collection, storage
and processing of personal data or information.
The violation of rights of an individual or organisation protected under
intellectual property law in any jurisdiction.
The use of any programme, command or interface designed to interfere with a
user or corresponding user session.
The accessing of any data, user account or server for any purpose unrelated
to the business function of an individual’s company role.
Issuing fraudulent product or service offers from a company account.
The sharing or use of employee login credentials or company systems
by anyone apart from the named individual.
The export of proprietary or confidential information as it relates to the
company.
The export of any software or data that is in breach of regulation or the
company’s data security policy.
Knowingly causing a network disruption or security breach.
An employee is not allowed to access data that is not intended for them by
logging into a system or gaining access to a confidential or limited-access
account. The only exception to this rule is if the employee is granted access
as part of a specific company project.
Please note that any violation of this policy can lead to disciplinary action, alongside
legal action where deemed prudent or necessary.
Reporting security issues
If you encounter any incidents or issues relating to the security or protection of
information or data, you must report this immediately to company management.
Management will subsequently take and record any action deemed necessary to
prevent damage or loss in relation to a security threat.
If necessary, it is the responsibility of company management to report relevant
incidents relating to a data breach or information security threat to regulators or the
authorities. Under GDPR, it also falls upon management to contact the individuals
involved in any breach or security threat.