Data Protection Measures

Source basis

Ported from reference/Data Protection Measures.md in the legacy ISMS backup. Use this as the current maintained Markdown version and track operational records in core12-isms-management.

Guidelines when completing a Data Protection Assessment

Data Protection Measures

Data Processed

  • Customer Data

  • Project Documentation

  • IT Assets

  • HR Data

  • Client Documentation

  • Project Assets

  • Company Data

Digital Records

  • Access Control - Role-based access, MFA (Multi-Factor Authentication), least-privilege model

  • Encryption - Data is encrypted in transit and at rest

  • Audit Logging - Record access, changes, deletions; retain logs per policy

  • Endpoint Security - Jamf / Jamf Protect, Microsoft Defender

  • Backup & Recovery - Regular encrypted backups, offline or offsite copies, tested restoration

  • Secure Disposal - Data wiping tools or hardware destruction for decommissioned devices

  • Monitoring & Alerts - Intrusion detection, SIEM tools, alert on unauthorized access

  • Patch Management - OS and app updates within defined patch windows (e.g., 30 days)

  • Data Minimization - Store only what's necessary; purge aged or unnecessary data regularly

  • Remote Access Security - VPN, device compliance checks, no BYOD unless policies enforced

  • Clean Desk Policy - No devices or storage left unattended; enforced via audits or spot checks

Paper Records

  • Clean Desk Policy - No documents left unattended; enforced via audits or spot checks

  • Physical Access Control - Keycard access, visitor escort policies, camera surveillance

  • Storage Security - Locked file cabinets, restricted areas

  • Minimization - Avoid printing unless necessary, enforce "print on demand" practices

  • Secure Disposal - Paper record shredding

  • Employee Awareness - Train staff on handling, transporting, and storing sensitive paper records

Data Protection Measures

  • Access Control

  • Data Encryption (Transfer and At Rest)

  • Data Minimization & Retention

  • Secure Development Practices

  • Physical Security

  • 3rd Party Vendor Management

  • Data Subject Rights Handling

  • Security Monitoring & Incident Response

  • Security Reviews / Assessments

  • Business Continuity & Disaster Recovery

  • Employee Training & Awareness

Purpose & Legal basis for processing

  • Employee administration - Payroll, benefits enrollment, training records

  • Recruitment - Processing job applications and conducting interviews

  • Client service delivery - Managing project communication, account details

  • Marketing communications - Email newsletters, promotional campaigns (with opt-in)

  • Security monitoring - System access logs, CCTV, endpoint protection

  • Legal compliance - Tax records, employment law, audit requirements

  • Supplier management - Vetting, onboarding, and paying third-party vendors

  • Incident response - Investigating security events or HR policy violations

  • Product/service improvement - User feedback, analytics for feature enhancement

  • Data Destruction - Wiping, degaussing, shredding with a certificate of destruction