Data Protection Policy
Last updated: 08/03/2026
1. Policy Overview
This Data Protection Policy outlines the technical and organizational measures Defence Legal Services Ltd implements to protect personal data processed through PoliceStationRepUK.
This policy supplements our Privacy Policy and GDPR Policy.
2. Data Governance Framework
2.1 Accountability
- Senior management responsible for data protection compliance
- Regular compliance audits and reviews
- Documented policies and procedures
- Staff training on data protection obligations
2.2 Documentation
We maintain comprehensive records including:
- Records of Processing Activities (ROPA)
- Data Protection Impact Assessments (DPIAs)
- Data breach incident logs
- Data sharing agreements with processors
- Consent records and opt-out requests
2.3 Access Controls
- Role-based access permissions
- Admin access restricted to authorized personnel only
- Multi-factor authentication for sensitive operations
- Regular access rights reviews
- Audit trail of all admin actions
3. Technical Security Controls
3.1 Encryption
- In Transit: TLS 1.2 or later for all data transmitted over the internet
- At Rest: Database-level encryption for stored personal data
- Backups: Backup files are encrypted and stored securely
3.2 Infrastructure Security
- Hosting on ISO 27001 certified platforms
- Regular security patches and updates
- Firewall and DDoS protection
- Intrusion detection and prevention systems
- Secure development practices
3.3 Authentication and Access
- Strong password requirements
- Session timeout and automatic logout
- Protection against brute-force attacks
- Secure password reset mechanisms
3.4 Monitoring and Logging
- Real-time security monitoring
- Audit logs for data access and modifications
- Anomaly detection for unusual activity
- Security logs retained for 12 months to support forensic analysis (see section 6.1)
4. Organizational Security Measures
4.1 Staff Training and Awareness
- Mandatory data protection training for all staff
- Regular refresher courses and updates
- Confidentiality agreements for staff and contractors
- Clear escalation procedures for security concerns
4.2 Policies and Procedures
- Acceptable Use Policy for staff systems
- Clear desk and screen policy
- Secure disposal procedures for physical records
- Remote working security guidelines
4.3 Vendor Management
- Due diligence on all third-party processors
- Data Processing Agreements (DPAs) in place
- Regular processor compliance reviews
- Clear contractual security requirements
5. Data Breach Management
5.1 Detection and Assessment
- 24/7 monitoring for security incidents
- Immediate assessment of breach severity and scope once an incident is identified
- Response phases: containment, eradication, recovery
5.2 Notification Procedures
- ICO notification within 72 hours of becoming aware of the breach (where required by law)
- Affected individuals notified without undue delay where the breach is likely to result in a high risk to them
- Clear communication of the risks and the mitigation steps taken
- All breaches, including those not notified, documented for compliance purposes
5.3 Post-Incident Review
- Root cause analysis
- Lessons learned documentation
- Implementation of preventative measures
- Policy and procedure updates where necessary
6. Data Retention Standards
6.1 Retention Periods
| Data Category | Retention Period |
|---|---|
| Active user profiles | Duration of account + 30 days post-deletion |
| Inactive profiles (2+ years) | Archived, then deleted after notification |
| Billing records | 7 years (tax/accounting requirement) |
| Support communications | 3 years |
| Security logs | 1 year |
| Backups | 90 days rolling retention |
6.2 Deletion Procedures
- Secure deletion from production databases
- Deleted data ages out of backups within the 90-day backup retention period (see section 6.1)
- Anonymization where deletion is not possible
- Certification of deletion provided upon request
7. Third-Party Data Processors
We use the following categories of processors:
| Category | Processor | Notes |
|---|---|---|
| Database & Hosting | Supabase | EEA-based, ISO 27001 certified |
| Payment Processing | Stripe | PCI DSS compliant |
| Email Services | Transactional email provider | |
| Analytics | Google Analytics | IP anonymization enabled, GDPR-compliant settings |
All processors operate under Data Processing Agreements, provide appropriate security guarantees, are prohibited from using data for their own purposes, and comply with UK GDPR requirements.
8. International Data Transfers
Where data is transferred outside the UK/EEA, we ensure:
- Adequacy decisions exist, or
- Standard Contractual Clauses (SCCs) are in place, or
- Other appropriate safeguards as recognized by UK law
We conduct Transfer Impact Assessments (TIAs) for high-risk transfers.
9. Contact and Complaints
For data protection enquiries or concerns:
Email: robertcashman@defencelegalservices.co.uk
Subject: “Data Protection Enquiry”
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.