Purpose

The purpose of this data protection policy is to ensure the confidentiality, integrity, and privacy of company and customer data in accordance with the General Data Protection Regulation (GDPR).

Scope

This policy applies to all employees, contractors, and third-party individuals who have access to company and customer data.

Confidentiality

• Company and customer data must not be disclosed to unauthorized individuals.
• Company and customer data must be used only for legitimate business purposes.
• Company and customer data must be protected in transit, at rest, and in use.

Data Access

• Access to company and customer data must be granted only to individuals who have a legitimate business need.
• Access must be revoked promptly when an individual's need for access has ended.
• Access to company and customer data must be logged and audited regularly.

Data Backup and Recovery

• Regular backups of all critical data must be performed.
• Backups must be stored off-site in a secure location.
• A disaster recovery plan must be in place and tested regularly.

Data Security

• All company-owned computers and mobile devices must be secured with a password-protected screen lock.
• Sensitive information must not be stored on personal devices unless approved by the IT department.