TA-03: Data Protection & Cyber Security

Reference: TA-03 | Issue Date: 14/03/2026 | Review Date: Sep 2026
Applicable Standards: ISO 45001 Cl. 8.1 | ISO 9001 Cl. 7.5 | UK GDPR
Related Documents: ISMS (isms.crgi.uk), HPOL08, HPROC10, HREG03 (Refs 3, 6, 11)

Who Should Read This

All CRGI Solutions staff. You handle client data, project files, and personal information daily. This article covers the essentials of keeping that data safe.

Why Data Protection Matters

CRGI Solutions works with sensitive client information: proprietary designs, manufacturing specifications, commercial data, and personal information. A data breach doesn't just create a legal problem — it damages client trust, our reputation, and potentially people's safety if design data is compromised. Our Hazard Register identifies data security risks at Refs 3, 6, and 11.

CRGI maintains a separate Information Security Management System (ISMS) at isms.crgi.uk aligned to ISO 27001:2022. This article covers the day-to-day essentials that every staff member needs to follow.

UK GDPR Essentials

The UK General Data Protection Regulation and Data Protection Act 2018 govern how we collect, use, store, and share personal data.

What Counts as Personal Data

Any information that can identify a living individual, directly or in combination: names, email addresses, phone numbers, photos, IP addresses, employee records, client contact details. If in doubt, treat it as personal data.

The Seven Principles

Everything we do with personal data must follow these principles:

  1. Lawfulness, fairness, and transparency — We have a legal basis for processing and are open about what we do with data
  2. Purpose limitation — We only use data for the purpose we collected it
  3. Data minimisation — We only collect what we actually need
  4. Accuracy — We keep data up to date and correct errors promptly
  5. Storage limitation — We don't keep data longer than necessary
  6. Integrity and confidentiality — We keep data secure
  7. Accountability — We can demonstrate compliance

Your Responsibilities

  • Only access personal data you need for your work
  • Don't share personal data with anyone who doesn't need it
  • Report any suspected data breach immediately — even if you're not sure
  • Don't store personal data on personal devices or unsecured locations
  • When personal data is no longer needed, ensure it is securely deleted

Working Securely from Home

Device Security

  • Lock your screen every time you step away — even briefly (Windows: Win+L, Mac: Cmd+Ctrl+Q)
  • Keep software updated — Operating system, applications, and antivirus. Don't postpone updates.
  • Use strong, unique passwords — Minimum 12 characters. Use a password manager. Never reuse passwords across services.
  • Enable multi-factor authentication (MFA) on all accounts that support it — especially email, cloud storage, and project management tools
  • Don't use public Wi-Fi for work without a VPN. Coffee shop Wi-Fi is not secure.

File Handling

  • Use approved platforms only — Store project files on CRGI-approved systems, not personal cloud storage, USB drives, or email attachments to yourself
  • Classify your files — Client confidential data requires more protection than general business information
  • Don't email sensitive files unencrypted — Use secure sharing links from approved platforms
  • Clean up regularly — Delete local copies of files you no longer need. Empty your recycle bin.
  • Print only when necessary — If you do print, shred when done. Don't leave printed documents visible.

Video Calls

  • Be aware of what's visible behind you — whiteboards, screens, and documents in the background can leak information
  • Use headphones for confidential calls — especially if others are in your home
  • Don't record calls without consent from all participants

Phishing and Social Engineering

Phishing remains the most common way organisations are breached. Attackers impersonate trusted contacts to trick you into clicking links, opening attachments, or revealing credentials.

Red Flags

  • Unexpected emails asking you to click a link or open an attachment
  • Urgency or pressure — "Your account will be locked in 24 hours"
  • Requests for passwords, payment details, or sensitive information
  • Email addresses that look close but aren't quite right (e.g. sean.ashton@crgi-solutions.com vs the real domain)
  • Poor grammar or formatting in emails supposedly from professional organisations

What to Do

  • Don't click — If something feels off, stop
  • Verify independently — Contact the supposed sender through a known channel (not by replying to the suspicious email)
  • Report it — Forward suspicious emails to your line manager and the ISMS team
  • Never provide credentials via email or phone, even if the request appears to come from management

Data Breach Response

A data breach is any incident where personal data is accessed, lost, destroyed, or shared without authorisation. This includes: losing a device, sending an email to the wrong person, discovering an unauthorised user accessed a system, or finding data stored somewhere it shouldn't be.

If You Suspect a Breach

  1. Report it immediately to Sean Ashton — time is critical (we have 72 hours to notify the ICO if required)
  2. Don't try to fix it yourself — Well-intentioned actions can make things worse
  3. Preserve evidence — Don't delete emails, logs, or files related to the incident
  4. Note the details — What happened, when, what data was involved, how many people affected

There is no penalty for reporting a suspected breach that turns out not to be one. There are serious consequences for failing to report a real one.

Client Data

We handle confidential client information on every project. Specific requirements:

  • Non-disclosure agreements — Respect the terms of any NDAs in place
  • Need-to-know basis — Only share client information with team members working on that project
  • Project completion — When a project ends, ensure client data is archived or deleted per the retention schedule
  • Client site access — Follow any data handling requirements specified by the client when working on their systems or at their sites

Key Takeaways

  • Lock your screen. Every time.
  • Think before you click. If an email feels wrong, it probably is.
  • Use approved platforms for file storage and sharing.
  • Report any suspected data breach immediately — no matter how small it seems.
  • Personal data is not yours to share. Only access what you need, only keep it as long as you need it.

For detailed ISMS policies and procedures, visit isms.crgi.uk.
CRGI Solutions HSQE Department | HSQEMS v2.0 | Classification: CRGI Information