Lesoko Technologies Pvt Ltd (‘Lesoko’) needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organization has a relationship with or may need to contact. Lesoko’s Data Privacy and Protection Policy refers to our commitment to treat information of employees, job candidates, customers, suppliers, vendors, businesses we work with and other interested parties with the utmost care and confidentiality. With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
APPLICABLE TO
Lesoko’s Data Privacy and Protection Policy is applicable to all employees, job applicants, customers, contractors, suppliers, and businesses we work or partner with. Generally, our policy refers to anyone we collaborate with or who acts on our behalf and may need occasional access to data.
DATA PROTECTION PRINCIPLES
The Company is committed to processing data in accordance with its responsibilities under the General Data Protection Regulation (GDPR). Article 5 of the GDPR requires that personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to individuals.
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
DATA PROTECTION RISKS
This policy helps to protect Lesoko from some data security risks, including:
Breaches of confidentiality: When information is shared inappropriately.
Failing to offer choice: All individuals should be free to choose how the company uses data relating to them.
Reputational damage: The company could suffer if hackers successfully gained access to sensitive data.
RESPONSIBILITIES
Everyone who works for or with Lesoko has some responsibility for ensuring data is collected, stored and handled appropriately.
All personnel who handle personal data must ensure that it is handled and processed in line with this policy and data protection principles.
The IT contractor is responsible for:
Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
Performing regular checks and scans to ensure security hardware and software are functioning properly.
Evaluating any third-party services the company is considering using to store or process data, for instance cloud computing services.
The business development manager is responsible for:
Approving any data protection statements attached to communications such as emails and letters.
Addressing any data protection queries from journalists or media outlets like newspapers.
Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
All employees must lock their screens whenever they leave their desks to reduce the risk of unauthorized access.
All employees must keep their workplace clear of any sensitive or confidential information when they leave.
All employees must keep their passwords confidential and not share them.
DATA STORAGE
These guidelines apply to data stored on both paper and electronically:
When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it.
When not required, the paper or files should be kept in a locked drawer or filing cabinet.
Employees should make sure paper and printouts are not left where unauthorized people could see them, like on a printer.
Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
Data should be protected by strong passwords that are changed regularly and never shared between employees.
If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
Servers containing personal data should be sited in a secure location, away from general office space.
Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
All servers and computers containing data should be protected by approved security software and a firewall.
APPLICATION AND INFORMATION ACCESS
Personal data is of no value to Lesoko unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
All company employees and contractors shall be granted access to the data and applications required for their job roles.
When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
Sensitive systems shall be physically or logically isolated in order to restrict access to authorized personnel only.
Access to data classified as ‘Confidential’ or ‘Restricted’ shall be limited to authorized persons whose job responsibilities require it, as determined by the Data Security Policy.
The responsibility to implement access restrictions lies with the IT Contractor after consultation with the Directors.
DATA ACCURACY
GDPR requires Lesoko to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
Data will be held in as few places as necessary. Employees should not create any unnecessary additional data sets.
Employees should take every opportunity to ensure data is updated.
Lesoko will make it easy for data subjects to update the information that the company holds about them.
Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
DATA DISCLOSURE
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, Lesoko will disclose requested data. However, the employee disclosing the data will ensure the request is legitimate, seeking assistance from the Business Development Manager and from the company’s legal adviser where necessary.
VIOLATION
Any employee found in violation of this policy is subject to disciplinary action, up to and including termination of employment. Any third-party partner or contractor found in violation may have their network connection terminated.
DATA ARCHIVING & REMOVAL
To ensure that personal data is kept for no longer than necessary, the Company shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
The archiving policy shall consider what data should/must be retained, for how long, and why.