Headliners Insight & Strategy Ltd - IT Security Policy

1. Purpose

This policy outlines how Headliners protects its data, devices, and technology systems. As a market research agency handling sensitive client information and personal data, maintaining confidentiality, integrity, and availability of data is essential.

2. Policy Scope

This policy applies to:

- All devices used for business (laptop, mobile phone, tablet)

- All cloud services used to store or process Headliners data (e.g. email, productivity tools, storage platforms)

- All client information, research data including personal data, and project files regardless of format

- Any contractors that may work on behalf of Headliners

3. Responsibilities

The Owner of Headliners is responsible for:

- Maintaining secure devices and software

- Ensuring login credentials to accounts are secure at all times

- Implementing and monitoring the security controls outlined below

- Ensuring client data is handled confidentially and personal data is handled in accordance with data protection legislation

- Reporting any breaches to affected clients and/or the Information Commission promptly

- Keeping this policy up to date

4. Acceptable Use of Technology

All business-related devices must be used responsibly:

- Devices should only be used for business or reasonable personal use that does not compromise security

- Untrusted or pirated software must not be installed

- Business data is not stored on personal social media, personal email, or consumer file-sharing apps unless encrypted and approved for use

5. Access Control

- Strong passwords are used for all business accounts and are never shared with anyone else:

  § Minimum 10 characters

  § Include a combination of letters, numbers and special characters

- A password manager is used to store and generate secure passwords

- A strong PIN of at least 6 digits or alphanumeric characters must be used

- Multi-factor authentication (MFA) is enabled on all key accounts, including email, cloud storage, productivity platforms, and the password manager

- Devices are set to auto-lock after 5 minutes of inactivity

6. Data Classification & Handling

Headliners’ data is classified as:

1. Public – content intended for public use (website content, marketing copy)

2. Internal – non-sensitive business operations information

3. Confidential – client project files, interview transcripts, survey data, recordings, strategic documents, and personally identifiable information (PII)

7. Rules for handling confidential data:

- Stored only in approved cloud storage

- Not stored on or synced to any personal cloud storage

- Not shared with third parties unless contractually approved and a confidentiality agreement is in place

- Encrypted when sent electronically, using secure transfer methods at all times

- Deleted once the retention period ends or upon request

8. Devices & System Security

- All business devices use full disk encryption, antivirus protection, and automatic updates

- Only trusted applications and browser extensions may be installed

- Backups are taken using an external encrypted drive

9. Network Security

- Home/business Wi-Fi networks must use WPA3 or WPA2-AES encryption

- The Wi-Fi password must be strong and changed every 1–2 years

- Public Wi-Fi must be avoided; when working in public spaces, mobile tethering must be used

10. Physical Security

- Devices are never left unattended in public spaces

- Sensitive paper documents must be stored securely and shredded when no longer needed

- Devices must remain stored in a secure home office

11. Backup & Recovery

- Backups are scheduled monthly, encrypted with AES-256 and held offline

- Recovery timescale: 24 hours

12. Incident Response

If a security incident occurs the following steps are taken:

1. Contain the issue – disconnect compromised devices/accounts and change passwords

2. Assess impact – investigate the extent of the security incident, determine what data has been exposed, implement mitigation measures to prevent further exposure, and seek advice from relevant consultants such as IT/data protection

3. Notify – any affected clients as soon as possible if there is a data breach, and the Information Commission/data subjects if there is a personal data breach

4. Recover – assess the root cause of the security issue, improve controls, and restore data from backups if necessary

13. Third-Party Services & Tools

Third-party tools must:

- Be security and compliance assessed before use

- Have recognised security certifications or commit to being aligned to recognised security standards (e.g. ISO 27001/SOC 2)

- Not store data outside approved geographic regions without ensuring a lawful transfer mechanism is in place and obtaining client approval (where approval is a contractual requirement)

14. Data Retention & Disposal

- Client data is retained indefinitely unless contractually or otherwise stipulated

- Digital data is securely deleted when no longer required

- Any mobile devices no longer needed are destroyed using a secure WEEE disposal and recycling service

- Physical documents are cross-shredded before disposal

15. Legal & Regulatory Compliance

Headliners complies with the UK GDPR, Data Protection Act 2018 and Data (Use & Access) Act 2025 as well as client contractual requirements. Research is carried out in accordance with the Market Research Society Code of Conduct.

16. Policy Version & Review

Version 1.0 (Jan 2026)

This policy will be reviewed annually or after any key changes to IT security are implemented by the business.