Trust Center
Dotdigital Information Security Policy
March 2024
Aim & purpose
We have defined our commitment to protecting information with our Integrated Management System (IMS); which ensures confidentiality, integrity, and availability of internal, customer and supplier information, and the appropriate handling of all Personally Identifiable Information (PII). The IMS has been designed to address the legal requirements identified and listed in our Legislation Register.
Our IMS effectiveness is achieved through understanding the risks and opportunities that may impact information within our business, and by using several controls including policies, processes, procedures, software, and hardware functions, and by managing these in ways that stakeholders would expect, and that continue to drive future benefit to our operations.
These controls are continually monitored, reviewed, and improved to ensure that specific security, privacy, and business objectives are met. This is operated in conjunction with other business management processes and incorporates the applicable statutory and contractual requirements.
Objectives have been defined primarily through the risk analysis, although some may come from other parts of the IMS, such as management review, SWOT & PESTLE, auditing, monitoring, testing, interested party feedback and Privacy Impact Assessments (PIAs). They are designed to drive the management system forward and bring about continual improvement. Objectives will be focused on improving Information Security and Data Protection controls.
Information security
Information Security is controlled through the preservation of:
- Confidentiality: ensuring that information is accessible only to those authorized to have access;
- Integrity: safeguarding the accuracy and completeness of information and processing methods;
- Availability: ensuring that authorized users have access to information and associated assets.
Additionally, the protection of PII is controlled through the adherence to Data Protection principles as defined in applicable legislation.
Awareness and compliance
We operate a program of Information Security and Data Protection awareness and compliance through company inductions, training, and internal audits.
All our employees are empowered to identify any potential weaknesses and/or events that could be information security or privacy incidents (including actual or suspected data breaches) and report through the appropriate management channels.
A robust system is in place to continually improve the security controls by:
- Taking account of changes to our business requirements and priorities;
- Considering new threats, risks, and vulnerabilities which may impact the business;
Reviewing the effectiveness of the IMS through internal audits and ongoing management review process.
The overall intent of our management system is to give customers and all other interested parties confidence in our ability to protect all information held and processed by our business.