1) POLICY STATEMENT

D3 (hereinafter referred to as the “Company”) collects data to effectively carry out our everyday business functions and activities and to provide the products and services defined by our business type. This data has value and must be protected in a manner commensurate with its value. Data security is necessary because that value is transferable to more than one party. We believe the party in possession has a fiduciary responsibility to protect the integrity of the data.

The Company has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the data protection laws and principles, including staff training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and confidentiality of data is one of our top priorities and we are proud to operate a ‘Privacy by Design’ approach, assessing changes and their impact from the start and designing systems and processes to protect information at the core of our business.

2) PURPOSE

The purpose of this policy is to ensure that the Company meets its legal, statutory and regulatory requirements.

The data protection laws include provisions that promote accountability and governance and as such the Company has put comprehensive and effective governance measures into place to meet these provisions. The aim of such measures is ultimately to minimize the risk of breaches and uphold the protection of data. This policy also serves as a reference document for employees and third-parties on the responsibilities of handling and accessing data.

3) SCOPE

This policy applies to all staff within the Company (meaning permanent and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, co-ops and agents engaged with the Company in the US or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.

4) OBJECTIVES

We are committed to ensuring that all data processed by the Company is processed in accordance with the applicable data protection laws and their principles, along with any associated regulations and/or codes of conduct laid down by the Supervisory Authority and local law. We ensure the safe, secure, ethical and transparent processing of all data.

The Company has developed the below objectives to meet our data protection obligations and to ensure continued compliance with the legal and regulatory requirements.

The Company ensures that:

  • We protect the rights of individuals and businesses with regards to the processing of information
  • We develop, implement and maintain a data protection policy, procedure, audit plan and training program for compliance with the data protection laws
  • Every business practice, function and process carried out by the Company is monitored for compliance with the data protection laws and their principles
  • Data is only processed where we have verified and met the lawfulness of processing requirements
  • Entities and individuals feel secure when providing us with information
  • We maintain a continuous program of monitoring, review and improvement with regards to compliance with the data protection laws, to identify gaps and non-compliance before they become a risk, effecting mitigating actions where necessary
  • We have robust and documented Complaint Handling and Data Breach controls for identifying, investigating, reviewing and reporting any breaches or complaints with regards to data protection
  • We have appointed a Data Protection Lead who takes responsibility for the overall supervision, implementation and ongoing compliance
  • We have a dedicated Audit & Monitoring Program in place to perform regular checks and assessments on how the data we process is obtained, used, stored and shared. The audit program is reviewed against our data protection policies, procedures and the relevant regulations to ensure continued compliance
  • We provide clear reporting lines and supervision with regards to data protection
  • We store and destroy all information in accordance with our retention policy and schedule, which has been developed from the legal, regulatory and statutory requirements and suggested timeframes
  • We have developed and documented appropriate technical and organizational measures and controls for data security and have a robust Information Security program in place

5) GOVERNANCE PROCEDURES

PRIVACY BY DESIGN

We operate a ‘Privacy by Design’ approach and ethos, with the aim of mitigating the risks associated with processing data through prevention via our processes, systems and activities. We have developed controls and measures (detailed below) that help us enforce this ethos.

DATA PROTECTION IMPACT ASSESSMENTS (DPIA)

Our customers, partners and vendors expect that their privacy and confidentiality will be upheld and respected while their data is being stored and processed by the Company. We therefore utilize several measures and tools to reduce risks and breaches for general processing.

However, where processing is likely to be high risk or to cause significant impact to a data subject, we utilize proportionate methods to map out and assess the impact ahead of time.

Where the Company must carry out, or is considering carrying out, processing that utilizes new technologies, and/or where there is a likelihood that such processing could result in a high risk to the rights and freedoms of data subjects, we always carry out a Data Protection Impact Assessment (DPIA), sometimes referred to as a Privacy Impact Assessment.

5.1) ACCEPTABLE USE POLICY

Though there are a number of reasons to provide a user with network access, by far the most common is granting access to employees for performance of their job functions. This access carries certain responsibilities and obligations as to what constitutes acceptable use of the corporate network. This policy explains how corporate information technology resources are to be used and specifies what actions are prohibited. While this policy is as complete as possible, no policy can cover every situation, and thus the user is asked additionally to use common sense when using company resources. Questions on what constitutes acceptable use should be directed to the user’s supervisor.

5.2) BACKUP POLICY

A backup policy is similar to an insurance policy – it provides the last line of defense against data loss and is sometimes the only way to recover from a hardware failure, data corruption, or a security incident. A backup policy is closely related to a disaster recovery policy, but since it protects against events that are relatively likely to occur, in practice it will be used more frequently than a contingency planning document. A company’s backup policy is among its most important policies.

5.3) CONFIDENTIAL DATA POLICY

Confidential data is typically the data that holds the most value to a company. Often, confidential data is valuable to others as well, and thus can carry greater risk than general company data. For these reasons, it is good practice to dictate security standards that relate specifically to confidential data.

5.4) DATA CLASSIFICATION POLICY

Information assets are assets to the company just like physical property. In order to determine the value of the asset and how it should be handled, data must be classified according to its importance to company operations and the confidentiality of its contents. Once this has been determined, the company can take steps to ensure that data is treated appropriately.

5.5) E-MAIL POLICY

Email is an essential component of business communication; however, it presents a particular set of challenges due to its potential to introduce a security threat to the network. Email can also have an effect on the company’s liability by providing a written record of communications, so having a well thought out policy is essential. This policy outlines expectations for appropriate, safe, and effective email use.

5.6) ENCRYPTION POLICY

Encryption, a cryptographic technique, can be used to secure data while it is stored or being transmitted. It is a powerful tool when applied and managed correctly. As the amount of data the company must store digitally increases, the use of encryption must be defined and consistently implemented in order to ensure that the security potential of this technology is realized.

5.7) GUEST ACCESS POLICY

Guest access to the company’s network is often necessary for customers, consultants, or vendors who are visiting the company’s offices. This can be simply in the form of outbound Internet access, or the guest may require access to specific resources on the company’s network. Guest access to the company’s network must be tightly controlled.

5.8) INCIDENT RESPONSE POLICY

A security incident can come in many forms: a malicious attacker gaining access to the network, a virus or other malware infecting computers, or even a stolen laptop containing confidential data. A well-thought-out Incident Response Policy is critical to successful recovery from an incident. This policy covers all incidents that may affect the security and integrity of the company’s information assets, and outlines steps to take in the event of such an incident.

5.9) MOBILE DEVICE POLICY

Generally speaking, a more mobile workforce is a more flexible and productive work force. For this reason, business use of mobile devices is growing. However, as these devices become vital tools to the workforce, more and more sensitive data is stored on them, and thus the risk associated with their use is growing. Special consideration must be given to the security of mobile devices.

5.10) NETWORK ACCESS AND AUTHENTICATION POLICY

Consistent standards for network access and authentication are critical to the company’s information security and are often required by regulations or third-party agreements. Any user accessing the company’s computer systems has the ability to affect the security of all users of the network. An appropriate Network Access and Authentication Policy reduces risk of a security incident by requiring consistent application of authentication and access standards across the network.

5.11) NETWORK SECURITY POLICY

The company wishes to provide a secure network infrastructure in order to protect the integrity of corporate data and mitigate risk of a security incident. While security policies typically avoid providing overly technical guidelines, this policy is necessarily a more technical document than most.

5.12) OUTSOURCING POLICY

Outsourcing is a logical practice when specialized expertise is required, which happens frequently in the field of Information Technology (IT). Trust is necessary for a successful outsourcing relationship; however, the company must be protected by a policy that details and enforces the terms of the outsourcing relationship.

5.13) PASSWORD POLICY

A solid password policy is perhaps the most important security control an organization can employ. Since the responsibility for choosing good passwords falls on the users, a detailed and easy-to-understand policy is essential.

5.14) PHYSICAL SECURITY POLICY

Information assets are necessarily associated with the physical devices on which they reside. Information is stored on workstations and servers and transmitted on the company’s physical network infrastructure. In order to secure the company data, thought must be given to the security of the company’s physical Information Technology (IT) resources to ensure that they are protected from standard risks.

5.15) REMOTE ACCESS POLICY

It is often necessary to provide access to corporate information resources to employees or others working outside the company’s network. While this can lead to productivity improvements, it can also create certain vulnerabilities if not implemented properly. The goal of this policy is to provide the framework for secure remote access implementation.

5.16) RETENTION POLICY

The need to retain data varies widely with the type of data. Some data can be immediately deleted and some must be retained until reasonable potential for future need no longer exists. Since this can be somewhat subjective, a retention policy is important to ensure that the company’s guidelines on retention are consistently applied throughout the organization.

5.17) THIRD PARTY CONNECTION POLICY

Direct connections to external entities are sometimes required for business operations. These connections are typically to provide access to vendors or customers for service delivery. Since the company’s security policies and controls do not extend to the users of the third parties’ networks, these connections can present a significant risk to the network and thus require careful consideration.

5.18) VPN POLICY

A Virtual Private Network, or VPN, provides a method to communicate with remote sites securely over a public medium, such as the Internet. A site-to-site VPN is a dependable and inexpensive substitute for a point-to-point Wide Area Network (WAN). Site-to-site VPNs can be used to connect the LAN to a number of different types of networks: branch or home offices, vendors, partners, customers, etc. As with any external access, these connections need to be carefully controlled through a policy.

5.19) WIRELESS ACCESS POLICY

Wireless communication is playing an increasingly important role in the workplace. In the past, wireless access was the exception; it has now become the norm in many companies. However, while wireless access can increase mobility and productivity of users, it can also introduce security risks to the network. These risks can be mitigated with a sound Wireless Access Policy.

6) AUDITS & MONITORING

This policy and procedure document details the extensive controls, measures and methods used by the Company to protect data, uphold the rights of data subjects, mitigate risks, minimize breaches and comply with the data protection laws and associated laws and codes of conduct. In addition to these, we also carry out regular audits and compliance monitoring processes that are detailed in our Compliance Monitoring & Audit Policy & Procedure, with a view to ensuring that the measures and controls in place to protect data subjects and their information are adequate, effective and compliant at all times.

The Data Protection Lead has overall responsibility for assessing, testing, reviewing and improving the processes, measures and controls in place and reporting improvement action plans to the Senior Management Team where applicable. Data minimization methods are frequently reviewed and new technologies assessed to ensure that we are protecting data and individuals to the best of our ability.

All reviews, audits and ongoing monitoring processes are recorded by the Data Protection Lead and copies provided to Senior Management and are made readily available to the Supervisory Authority where requested.

The aim of internal data protection audits is to:

  • Ensure that the appropriate policies and procedures are in place
  • Verify that those policies and procedures are being followed
  • Test the adequacy and effectiveness of the measures and controls in place
  • Detect breaches or potential breaches of compliance
  • Identify risks and assess the mitigating actions in place to minimize such risks
  • Recommend solutions and action plans to Senior Management for improvements in protecting data subjects and safeguarding their data
  • Monitor compliance with the data protection laws and demonstrate best practice

7) TRAINING

Through our strong commitment and robust controls, we ensure that all staff understand, have access to and can easily interpret the requirements of the data protection laws and their principles, and that they have ongoing training, support and assessments to ensure and demonstrate their knowledge, competence and adequacy for the role.

8) RESPONSIBILITIES

The Company has appointed a Data Protection Lead whose role it is to identify and mitigate any risks to the protection of data, to act in an advisory capacity to the business, its employees and upper management, and to actively stay informed and up-to-date with all legislation and changes relating to data protection.

The Data Protection Lead will work in conjunction with the Compliance Officer, IT Manager and Training Officer to ensure that all processes, systems and staff are operating compliantly and within the requirements of the data protection laws and their principles.

The Data Protection Lead has overall responsibility for due diligence, privacy impact assessments, risk analysis and data transfers where data is involved, and will also maintain adequate and effective records and management reports in accordance with the data protection laws and our own internal objectives and obligations.

Staff who manage and process information will be provided with data protection training and will be subject to continuous development support and mentoring to ensure that they are competent and knowledgeable for the role they undertake.