INFORMATION SECURITY AND DATA PROTECTION POLICY

Review Date: 30th December 2025

Review Intervals: 6 months or as required
Approved by: Luke McFarland

  1. Purpose

This Information Security and Data Protection Policy establishes a framework to ensure the confidentiality, integrity, and availability of organizational data in compliance with:

  • ISO/IEC 27001:2022 (Information Security Management)
  • General Data Protection Regulation (GDPR) (EU)
  • California Consumer Privacy Act (CCPA) (US)
  • Australian Privacy Principles (APPs) & Privacy Act 1988
  • Other applicable global data protection laws

  2. Scope

This policy applies to:

  • All employees, contractors, and third-party vendors handling company data.
  • All IT systems, networks, and physical storage containing sensitive data.
  • All data processing activities, including collection, storage, transfer, and disposal.

  3. Information Security Principles

3.1 Confidentiality

  • Access to sensitive data is restricted based on role-based access control (RBAC).
  • Encryption (AES-256, TLS 1.2+) is used for data at rest and in transit.

3.2 Integrity

  • Data modifications are logged and audited.
  • Checksums and digital signatures verify data authenticity.

3.3 Availability

  • Business continuity (BCP) and disaster recovery (DRP) plans are in place.
  • Systems are monitored for uptime and performance.

  4. Data Protection & Privacy Compliance

4.1 GDPR Compliance

  • Lawful Basis for Processing: Consent, contract, legal obligation, or legitimate interest.
  • Data Subject Rights: Right to access, rectify, erase, and portability.
  • Data Protection Officer (DPO): Appointed where required.
  • Breach Notification: Reported to authorities within 72 hours if high risk.

4.2 CCPA Compliance

  • Consumer Rights: Right to know, delete, and opt-out of data sales.
  • "Do Not Sell My Personal Information" link on the website.

4.3 Australian Privacy Act (APPs)

  • Data Minimization: Only collect necessary personal data.
  • Cross-border Data Transfers: Ensure equivalent protection.

4.4 Global Data Protection Laws

  • Data Localization: Comply with jurisdictional requirements (e.g., China’s PIPL, Brazil’s LGPD).
  • Third-Party Vendors: Must sign Data Processing Agreements (DPAs).

  5. Access Control & Authentication

  • Multi-Factor Authentication (MFA) for critical systems.
  • Principle of Least Privilege (PoLP) enforced.
  • Regular Access Reviews conducted quarterly.

  6. Incident Response & Breach Management

  • Incident Response Plan (IRP) aligned with ISO 27035.
  • Forensic Investigation for breaches.
  • Regulatory & Customer Notifications as required by law.

  7. Employee Training & Awareness

  • Annual security training covering phishing, social engineering, and data handling.
  • Secure coding practices for developers.

  8. Third-Party Risk Management

  • Vendor Security Assessments before engagement.
  • Contractual clauses for data protection compliance.

  9. Policy Enforcement & Review

  • Non-compliance may result in disciplinary action.
  • Annual review to align with evolving regulations.

  10. Contact

For questions, contact:

  • Data Protection Officer (DPO):

DPO@McFarland-Consulting.com

© 2025 Luke McFarland Consulting | All rights reserved.