Information Security & Data Protection Policy

Thinking4Media Limited

1. Purpose

Thinking4Media Limited is committed to protecting the confidentiality, integrity, and availability of all information we handle. This policy sets out how we safeguard company data, client information, and personal data in line with legal requirements and industry best practice.

2. Scope

This policy applies to:

All employees, contractors, and freelancers
All systems, devices, and platforms used for company work
All personal data and confidential information processed by Thinking4Media

It covers digital, paper‑based, and verbal information.

3. Key Principles

Thinking4Media follows these core principles:

Confidentiality

Information is accessible only to those who need it.

Integrity

Information is accurate, complete, and protected from unauthorised changes.

Availability

Information and systems are accessible when needed for business purposes.

Lawfulness

All personal data is processed in line with UK GDPR and the Data Protection Act 2018.

4. Types of Information We Protect

Client data (briefs, creative assets, contact details)
Employee data (HR records, payroll information)
Financial information
Project files and intellectual property
Supplier and partner information
Any personal data relating to identifiable individuals

5. Employee Responsibilities

Everyone at Thinking4Media must:

Use strong, unique passwords and keep them secure
Lock screens when away from devices
Store files only in approved systems (not personal drives or USB sticks)
Share information only with authorised people
Report security incidents immediately
Follow data retention and deletion rules
Keep client and company information confidential at all times

6. Data Protection Requirements (UK GDPR)

We commit to:

Collecting only the data we need
Using data only for legitimate business purposes
Keeping data accurate and up to date
Storing data securely
Retaining data only for as long as necessary
Allowing individuals to exercise their rights (access, correction, deletion, etc.)

Personal data must never be shared externally without a valid business reason and appropriate safeguards.

7. Information Handling Rules

Storing Information

Use company‑approved cloud storage and collaboration tools
Avoid local storage unless necessary
Keep paper documents in locked cabinets

Sending Information

Double‑check recipients before sending emails
Use secure transfer methods for sensitive files
Do not send personal data to personal email accounts

Access Control

Access is granted based on job role
Do not share login details
Remove access promptly when roles change

8. Working Remotely

When working outside the office:

Use secure Wi‑Fi or a hotspot (never public Wi‑Fi for sensitive work)
Keep devices with you at all times
Avoid discussing confidential matters in public spaces
Ensure screens are not visible to others

9. Data Breaches

A data breach includes:

Sending information to the wrong person
Losing a laptop, phone, or USB stick
Unauthorised access to systems
Accidental deletion of important data
Cyber‑attacks or phishing incidents

What to do

Report immediately to:

Your line manager
The Managing Director

Quick reporting helps us minimise harm and meet legal obligations.

10. Cybersecurity Expectations

Employees must:

Complete annual security training
Be alert to phishing emails and suspicious links
Install updates when prompted
Use company‑approved software only
Report unusual system behaviour

11. Third‑Party Suppliers

We ensure suppliers handling data:

Meet security and data protection standards
Sign appropriate contracts (e.g., data processing agreements)
Are monitored for compliance

12. Data Retention & Disposal

Keep data only for the period required by law or business need
Delete or archive data securely when no longer needed
Shred paper documents containing personal or confidential information