Title: Privacy and Data Protection Policy
Document ID: [POL-PRIVACY-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]
Privacy and Data Protection Policy
Purpose
This policy defines BlackDice's high-level approach to protecting personal data and supporting privacy obligations in the context of its ISMS.
Scope
This policy applies to personal data processed within the ISMS scope, including data handled in business operations, customer service delivery, supplier relationships, and internal administration.
Objectives
- support lawful, fair, and appropriate handling of personal data
- reduce the risk of privacy harm, data misuse, and regulatory issues
- ensure privacy considerations are reflected in security and operational practice
Principles / Policy Statements
Personal data must be handled in accordance with applicable legal, regulatory, and contractual requirements.
Collection, access, use, sharing, retention, and disposal of personal data must be limited to legitimate and authorised purposes.
Privacy and security considerations must be addressed when designing or changing services, processes, and supplier arrangements that may affect personal data.
Where BlackDice operates across multiple jurisdictions or customer environments, applicable privacy obligations and transfer considerations must be identified and managed.
Potential personal data breaches must be escalated promptly for assessment and response.
Roles and Responsibilities
- [Role] must oversee privacy and data protection requirements relevant to the ISMS.
- Process and system owners must identify where personal data is handled and apply appropriate controls.
- Personnel must handle personal data only for authorised purposes and report concerns promptly.
Compliance / Exceptions
No exception may override applicable legal obligations. Any control deviation must be reviewed with appropriate stakeholders and approved where lawful and justified.
Monitoring and Review
This policy should be reviewed through breach handling, supplier review, risk assessment, legal change monitoring, and audit.
Related Documents
- Information Security Policy
- Data Classification and Handling Policy
- Information Transfer Policy
- Breach Notification Procedure
Version Control
| Version | Date | Description of Change | Author |
|---|---|---|---|
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |