Data Protection Policy
APPROVED BY THE BOARD ON 30TH OCTOBER 2023
INTRODUCTION
Sanchetna Financial Services Private Limited needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organization has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the set standards.
WHY THIS POLICY EXISTS
This data protection policy ensures that the company -
- Complies with data protection standards and follows good practice.
- Protects the rights of employees, customers, related parties and partners.
- Is open about how it stores and processes the individuals’ data.
- Protects itself from the risk of data breach.
DATA PROTECTION STANDARDS
The data protection standards describe how the company must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the standards, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The data protection standard is underpinned by eight important principles, which state that personal data must:
- Be processed fairly and lawfully.
- Be obtained only for specific and lawful purposes.
- Be adequate, relevant and not excessive.
- Be accurate and kept up to date.
- Not be held for longer than necessary.
- Be processed in accordance with the rights of data subjects.
- Be protected in appropriate ways.
- Not be transferred outside the company unless the recipient also ensures the same level of protection.
PEOPLE, RISKS AND RESPONSIBILITIES
POLICY SCOPE
The policy applies to the head office, branch offices, and all staff and volunteers of the company, as well as all contractors, suppliers, service providers or any other person working on behalf of the company.
It applies to all data that the company holds relating to identifiable individuals. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Any other information related to individuals, corporates or any other concerned person
DATA PROTECTION RISKS
The policy helps to protect the company from some very real data security risks including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage- For instance, the company could suffer if hackers successfully gained access to sensitive data.
RESPONSIBILITIES
Everyone who works for or with the company has some responsibility for ensuring that data is collected, handled and stored properly.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, the following people have key areas of responsibility:
- The Board of directors is ultimately responsible for ensuring that the company meets its legal obligations.
- The data protection officer (name) is responsible for:
- Keeping the board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies.
- Arranging data protection training for the people covered under this policy.
- Handling data protection questions from staff and other concerned persons covered by the policy.
- Dealing with requests from individuals to see the data the company holds about them (also called ‘subject access requests’).
- Checking and approving any contracts or agreements entered with the third parties that may handle the company’s sensitive data.
The IT manager is responsible for:
- Ensuring that all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure that security hardware and software are functioning properly.
- Evaluating any third party services the company is considering using to store or process data. For instance, cloud computing services.
The Marketing manager is responsible for:
- Approving any data protection statements attached to communications such as emails and letters.
- Addressing any data protection queries from journalists or media outlets such as newspapers.
- Where necessary, working with other staff to ensure that marketing initiatives abide by data protection principles.
GENERAL STAFF GUIDELINES
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be used informally. When access to confidential information is required, employees can request it from their line managers.
- The company will provide training to all employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure, by taking sensible precautions and following the guidelines below:
- In particular, strong passwords should always be used and should never be shared.
- Personal data should not be disclosed to any unauthorized person, either within the company or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
DATA STORAGE
These rules describe how and where data should be properly stored. Questions about storing data safely can be directed to the company’s IT manager or data controller.
When data is stored on paper, it should be kept in a place where unauthorized persons cannot see it. These guidelines also apply to data that is electronic in nature but has been printed out for some reason.
- When not required, data should be kept in a closed drawer or filing cabinet.
- Employees should make sure that papers and printouts are not left unattended after work or at the printer, where they could be taken by an unauthorized person.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attacks.
- Data should be protected by strong passwords that are changed at regular intervals and not shared between employees.
- If data is stored on removable media such as a CD, DVD, pen-drive or other similar device, it should be kept locked away securely when not in use.
- Employees should not be allowed to use any personal removable media such as CDs, DVDs, pen-drives or other similar devices.
- Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
- Servers containing personal data should be sited in secure locations, away from general office space.
- Data should be backed up frequently, and these backups should be properly checked in line with the company’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices such as tablets or smartphones.
- All servers and computers holding data should be protected by approved security software and a firewall.
DATA USE
Personal data is of no value unless the business can make use of it. However, it is when personal data is accessed and used that it is at greater risk of loss, corruption or theft.
- While working with personal data, employees should ensure that the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should not be sent by email, as this is not a secure form of communication.
- Data must be encrypted before transferring electronically.
- Employees should not save copies of their clients’ personal data on their computers or laptops.
DATA ACCURACY
Data, and personal data in particular, should be accurate and up to date. It is the duty of the employees who take care of employee data to keep it as accurate and up to date as possible. Staff should not create any additional data sets.
SAFEGUARD FROM BREACH
Further, the company ensures that it is understood how data should be used and what the consequences would be if data is mishandled or breached. The company has put sufficient security systems in place to safeguard the data of the individuals and clients associated with the company.
CIVIL SUIT FOR BREACH
A civil suit may be filed against employees responsible for breaching the terms of their employment contract, such as non-disclosure and confidentiality obligations.
A civil suit can also be initiated against any individuals or any other concerned third parties for violating the data protection policy of the company.
REVIEW
This policy is to be reviewed by the board once every two to three years, or as and when required by the board.
