DATA SECURITY POLICY

Stephen Oke Creative
Effective Date: 25/07/2025
Review Date: 24/07/2026

1. Purpose

The purpose of this Data Security Policy is to outline how Stephen Oke Creative protects the confidentiality, integrity, and availability of data it holds or processes in the course of delivering website design and digital marketing services. This policy ensures compliance with the UK General Data Protection Regulation (UK GDPR) and related data protection laws.

2. Scope

This policy applies to all personal data held by Stephen Oke Creative, regardless of format (digital or paper-based), and to all systems used to process or store this data. As a sole trader business operating remotely, the scope includes all devices and services used by the owner.

3. Data Handled

Stephen Oke Creative processes limited personal data, primarily:

  • Client contact details (names, email addresses, phone numbers, business addresses).

No special category data is collected or stored. Data is not processed on behalf of other organisations as a processor.

4. Security Controls

4.1 Devices and Systems

  • All data is accessed via secured laptops and desktops.

  • Devices are protected with antivirus software, encrypted storage, and kept up to date with system patches.

  • Microsoft 365 is used as the primary cloud platform for document storage and email services.

4.2 Access Control

  • As a single-user business, access is limited to the owner only.

  • A password manager is used to maintain strong, unique credentials.

  • Where supported, multi-factor authentication (MFA) is enabled for cloud services.

4.3 Data Storage and Backup

  • Client data is stored on local devices and within Microsoft OneDrive.

  • Backups are performed regularly and stored both locally and in the cloud.

  • All backups are encrypted.

5. Third-Party Services

Where data is shared with third-party service providers (e.g. subcontractors, platforms), reasonable steps are taken to ensure their compliance with data protection laws.

  • Data is only shared where necessary for service delivery.

  • Where applicable, data processing agreements are in place.

  • Suppliers’ security practices are reviewed before engagement.

6. Data Breach Response

Stephen Oke Creative acknowledges the importance of promptly identifying and responding to data breaches.
Although no formal breach detection system is in place, the following steps will be taken in the event of a suspected or actual breach:

  1. Identify and contain the breach.

  2. Assess the scope and impact.

  3. Notify affected parties and the ICO, where required, within 72 hours.

  4. Document the incident and take corrective actions to prevent recurrence.

Responsibility for breach management lies with the business owner.

7. Training and Awareness

  • The business owner undertakes periodic training to stay updated on data protection and security obligations.

  • GDPR and cyber security awareness are maintained through self-directed learning and professional updates.

8. Remote Working Practices

As the business operates fully remotely:

  • Devices used for work purposes are secured and not shared.

  • Public Wi-Fi is avoided or used with a VPN where necessary.

  • Files containing client data are stored only in secure, encrypted locations.

9. Policy Review and Updates

This policy will be reviewed annually or when significant changes to business practices or legislation occur.