Data Security Policy

1. Overview:

At Made by Bridge, we understand the critical importance of protecting sensitive data to maintain trust with our clients, employees, and stakeholders. This Data Security Policy outlines the measures we implement to ensure compliance with the General Data Protection Regulation (GDPR) and safeguard data against unauthorised access, disclosure, alteration, and destruction.

2. Scope:

This policy applies to all employees, contractors, and third-party service providers who have access to Made by Bridge data, regardless of the format or location.

3. Data Classification:

We categorise data based on sensitivity and criticality, aligning with GDPR requirements. Employees are responsible for understanding and adhering to the classification guidelines outlined in our Data Classification Policy.

4. Access Control:

Access to data is granted on a need-to-know basis, in accordance with GDPR principles. Employees are assigned access rights based on their roles, and access permissions are regularly reviewed and updated.

5. Data Encryption:

Sensitive data, both in transit and at rest, must be encrypted using GDPR-compliant encryption algorithms. This applies to data stored on servers, databases, and portable devices.

6. Password Security:

Employees are required to use strong, unique passwords for their accounts, and password policies adhere to GDPR standards. Passwords must be changed regularly, and multi-factor authentication is enforced for accessing sensitive systems and applications.

7. Data Transmission:

Secure channels, such as encrypted VPNs or secure file transfer protocols, must be used when transmitting sensitive data over networks, in compliance with GDPR requirements.

8. Data Storage:

Data storage solutions must comply with GDPR, and providers are chosen based on their adherence to data protection standards. Cloud storage and physical servers must align with GDPR guidelines.

9. Data Backup:

Regular data backups are performed to prevent data loss in the event of system failures, accidents, or security incidents. Backup procedures are documented, and the restoration process complies with GDPR standards.

10. Incident Response:

In the event of a data breach or security incident, an incident response plan, in accordance with GDPR requirements, will be activated promptly. Employees are trained on reporting security incidents, and a designated response team will investigate and mitigate the impact.

11. Employee Training:

All employees undergo regular training on data security best practices, including recognising phishing attempts, protecting passwords, and understanding the importance of data confidentiality, in alignment with GDPR principles.

12. Vendor Security:

Third-party vendors and service providers with access to our data are selected based on their GDPR compliance. Contracts with vendors include clauses outlining their data security responsibilities in accordance with GDPR regulations.

13. Compliance:

This policy aligns with GDPR and other relevant data protection laws. Regular audits are conducted to ensure compliance, and adjustments are made as necessary.

14. Policy Review:

This policy is subject to periodic reviews to ensure its relevance and effectiveness in addressing evolving security risks, GDPR compliance, and other regulatory requirements. Updates will be communicated to all relevant parties.