| Policy Name | Applicable Data | Data Controller | Key Legislation |
|---|---|---|---|
| Website Data Security Compliance Policy | All Personal Data collected via the website (e.g., names, email, phone, IP addresses, cookies, form submissions). | Global PCCS Pvt Ltd | EU General Data Protection Regulation (GDPR), India's Digital Personal Data Protection Act (DPDPA) (where applicable). |
Data Audit: A comprehensive data audit shall be maintained, detailing exactly what personal data is collected (e.g., contact form details, training sign-ups, IP addresses), the lawful basis for its processing (e.g., consent, contract), its purpose (e.g., newsletter, quote request), and its retention period.
Data Minimization: The website must only request and collect the minimum personal data strictly necessary for the specified purpose (e.g., only email for a newsletter sign-up; name/company/email for a quote request).
Pre-ticked consent boxes are prohibited.
A Privacy Contact or DPO shall be designated to oversee all data processing activities and handle Data Subject Requests (DSRs).
The contact details of this individual/office must be clearly published on the Privacy Policy page.
The website must enforce HTTPS/SSL/TLS encryption across all pages and subdomains.
All communication between the user's browser and the Global PCCS server must be encrypted.
All data stored on the website server (e.g., database records from contact forms) must be protected by strong access controls and encryption at rest.
The hosting environment must be regularly patched, monitored for intrusions, and protected by firewalls and anti-DDoS measures.
Administrative access (to the backend, database, and hosting panel) must be secured using Multi-Factor Authentication (MFA) and strong, unique passwords.
Regular penetration testing (Pen-tests) or vulnerability assessments shall be conducted on the live website and associated application layer (e.g., the LMS for the PCCS Academy) to identify and remediate security weaknesses.
All third-party plugins, scripts, and software used on the website must be kept up-to-date to prevent exploitation of known vulnerabilities.
A Cookie Consent Banner must be implemented that provides users with a clear choice to Opt-In to non-essential data processing (e.g., analytics, marketing, performance cookies).
The banner must allow for granular consent (the ability to accept some cookie categories and reject others).
Non-essential cookies must not be loaded until the user gives explicit consent (no implied consent).
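The consent rules above (no pre-ticked boxes, granular categories, and no non-essential script or cookie loaded before an explicit opt-in) can be enforced in the page's own front-end code rather than left to the banner vendor. The following is an added example written for this page; it is not Global PCCS code, and the category names, the script registry entries and the placeholder URLs are assumptions. It models consent as a state object where "no decision yet" is treated as a refusal, gates script injection on that state, and includes a small check a tester can run before consenting to confirm that only strictly necessary cookies are present.

```javascript
// Added example: consent gate for non-essential scripts and cookies.
// Not part of the policy page; category names and registry are assumptions.

const CATEGORIES = Object.freeze(['necessary', 'analytics', 'marketing', 'performance']);

// Initial state: only strictly necessary processing is permitted. There is no
// implied consent: the absence of a decision is treated as a refusal.
function initialConsent() {
  return {
    decided: false,
    granted: { necessary: true, analytics: false, marketing: false, performance: false },
  };
}

// Record the user's granular choices. Unknown categories are rejected, only an
// explicit boolean true counts as opt-in, and 'necessary' cannot be switched off
// because it is not subject to consent in the first place.
function recordConsent(state, choices) {
  const granted = { ...state.granted };
  for (const [category, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    if (category === 'necessary') continue;
    granted[category] = value === true;
  }
  return { decided: true, granted };
}

// A category may load only after a decision has been recorded and it was granted.
function mayLoad(state, category) {
  if (category === 'necessary') return true;
  return state.decided === true && state.granted[category] === true;
}

// Registry of third-party scripts tagged with the category they require.
// Constructed sample entries; the URLs are placeholders, not real services.
const SCRIPT_REGISTRY = [
  { id: 'site-core', category: 'necessary', src: 'https://example.invalid/core.js' },
  { id: 'analytics', category: 'analytics', src: 'https://example.invalid/analytics.js' },
  { id: 'ads', category: 'marketing', src: 'https://example.invalid/ads.js' },
];

// Inject every registered script whose category is permitted; returns the ids loaded.
// `inject` is a callback so this runs outside a browser; in a page it would
// append a <script> element with entry.src to the document.
function loadPermitted(state, registry, inject) {
  const loaded = [];
  for (const entry of registry) {
    if (mayLoad(state, entry.category)) {
      inject(entry);
      loaded.push(entry.id);
    }
  }
  return loaded;
}

// Banner rendering helper: every non-essential checkbox starts unticked,
// which is what "pre-ticked consent boxes are prohibited" means in practice.
function bannerCheckboxDefaults() {
  return CATEGORIES.filter((c) => c !== 'necessary').map((c) => ({ category: c, checked: false }));
}

// Pre-consent check: given document.cookie and the allowlist of strictly
// necessary cookie names, return any cookie that should not be there yet.
function unexpectedCookies(cookieHeader, necessaryNames) {
  return cookieHeader
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => s.split('=')[0])
    .filter((name) => !necessaryNames.includes(name));
}

// Stand-alone walkthrough with a constructed cookie header.
function demo() {
  const before = initialConsent();
  const loadedBefore = loadPermitted(before, SCRIPT_REGISTRY, () => {});
  const after = recordConsent(before, { analytics: true, marketing: false });
  const loadedAfter = loadPermitted(after, SCRIPT_REGISTRY, () => {});
  const stray = unexpectedCookies('session=abc; _ga=GA1.2.1; csrf=x', ['session', 'csrf']);
  return { loadedBefore, loadedAfter, stray };
}

console.log(JSON.stringify(demo()));
```

In a real page the `inject` callback would create the `<script>` element; keeping it injectable is what lets the gating logic be unit-tested, and it also makes the "nothing loads before a decision" property something the test suite can assert on rather than something a reviewer has to observe in the network tab.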
Every data collection form (Contact Us, Get a Quote, Newsletter Signup, Training Registration) must include a clear, unticked checkbox requiring users to acknowledge and accept the Privacy Policy.
The Privacy Policy link must be included directly adjacent to the consent box.
All third-party services that process website data (e.g., Google Analytics, email marketing platforms, CRM systems) must be identified.
Global PCCS must have a signed, GDPR-compliant Data Processing Agreement (DPA) in place with each processor.
The website must provide an easy-to-find mechanism (e.g., a dedicated email address or a specific form) for users to exercise their GDPR rights:
Procedure: All DSRs must be acknowledged and actioned within the GDPR's mandated 30-day response window.
An Incident Response Plan shall be maintained and regularly tested.
In the event of a website data breach that affects personal data, Global PCCS must notify the relevant Supervisory Authority (and the affected Data Subjects, if the risk is high) without undue delay, and where feasible, no later than 72 hours after becoming aware of it.