Data Protection and Security Policy  

1. Purpose

This policy outlines how Nova Epos LTD complies with the UK GDPR and the Data Protection Act 2018, ensuring that personal data is processed securely, lawfully, and transparently. 

2. Scope 

This policy applies to: 
– All staff, contractors, and temporary workers. 
– All personal and confidential data processed by Nova Epos LTD. 
– All systems, devices, and third-party services used for data processing. 

3. Data Protection Principles 

Nova Epos LTD ensures that all personal data is: 
1. Lawful, fair and transparent. 
2. Collected for specific, explicit purposes. 
3. Adequate, relevant, and limited. 
4. Accurate and up to date. 
5. Retained no longer than necessary. 
6. Secure and confidential. 
7. Documented with accountability. 

4. Individual Rights 

Nova Epos LTD recognises individuals’ rights, including: 
– Access (Subject Access Requests). 
– Rectification and erasure. 
– Restriction of processing. 
– Data portability. 
– Objection. 
– Rights around automated decision-making. 

5. Data Security 

1. Technical Measures:
– Encryption of sensitive data.
– Secure backups.
– Multi-factor authentication.
– Regular patching and updates.

2. Organisational Measures:
– Role-based access controls.
– Confidentiality agreements.
– Staff training on data handling.
– Clear desk and password policies.

6. Data Retention and Disposal 

– Data retained only for business/legal needs.
– Documented retention schedule.
– Secure disposal (digital wiping, shredding).

7. Data Breach Management 

– Staff must report breaches immediately.
– Brian Pellet investigates and logs incidents.
– ICO notified within 72 hours where required.
– Affected individuals informed if necessary.

8. Third-Party Processing 

– Contracts in place with processors.
– Due diligence and regular security checks.

9. International Data Transfers 

Transfers outside the UK only with adequate safeguards (UK Addendum, SCCs, adequacy). 

10. Roles and Responsibilities 

– Board / Senior Management: overall accountability.
– DPO / Responsible Person: compliance monitoring, training, handling requests and breaches.
– Employees: following this policy and security procedures.

11. Training and Awareness 

– Training provided at induction and refreshed regularly.
– Updates shared when regulations or processes change.

12. Policy Review 

Reviewed annually or sooner if regulations/business practices change. 

13. Sign-off 

Signed: ______________________ 
Name: Brian Pellet  
Position: Director  
Date: 31/07/2025 