1. Introduction

Makers Data Privacy & Protection Policy refers to our commitment to treat information of employees, clients, stakeholders and other interested parties with the utmost care and confidentiality. With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.

This policy is designed to protect Makers, (herein referred to as Makers), our employees, customers and other partners from harm caused by the misuse of our IT systems and our data. Misuse includes both deliberate and inadvertent actions. This Policy adopts the fundamental principles of the EU’s General Data Protection Regulation (“GDPR”) as the minimum standard to which Makers, its employees and suppliers must adhere. This policy will be reviewed and updated as needed. 

To conduct its business, Makers needs to collect and process certain types of information about the people with whom it deals. These include current, past and prospective employees, suppliers, clients and others with whom we might communicate. In addition, Makers may occasionally be required by law to process certain types of Personal Data to comply with the certain legal requirements.

Internet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of Makers. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations.

Effective security is a team effort involving the participation and support of every Makers employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly. Everyone who works at Makers is responsible for the security of our IT systems and the data on them. 

Makers is committed to doing due diligence in background checks for all users, employees and contractors who will gain access to data.

1.1. Purpose

The purpose of this policy is to outline the acceptable use of computer equipment and data at Makers. Inappropriate use exposes Makers and its clients to risks including virus attacks, compromise of network systems and services, and legal issues.

1.2. Purpose

This policy refers to all parties (employees, job candidates, clients, contractors, suppliers etc.) who provide any amount of information to Makers, including all personnel affiliated with third parties. 

Employees of Makers and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, this policy refers to anyone Makers collaborates with or acts on Makers behalf and may need occasional access to data.

This policy covers only internal use of Makers systems and does not cover use of our products or services by customers or other third parties.

Some aspects of this policy affect areas governed by local legislation in certain countries (e.g., employee privacy laws): in such cases the need for local legal compliance has clear precedence over this policy within the bounds of that jurisdiction. In such cases local teams should develop and issue users with a clarification of how the policy applies locally.

1.3. Application of Laws and Codes of Conduct

This Data Privacy and Protection Policy adopts the internationally accepted privacy principles as enhanced by the GDPR. It is subsidiary to and supplements any applicable national legislation. The relevant national laws will take precedence if there is a conflict with this Policy or it has stricter requirements than this Policy. Any registration, notification, or reporting requirement for data processing under national laws must be observed. The contents of this Policy must also be observed in the absence of corresponding national legislation.

In the event of conflict between national legislation and the Data Privacy and Protection Policy, Makers will work with the relevant company to find a practical solution that meets the requirements and satisfies the purposes of this Policy as well as applicable legislation.

2. Definitions

“Users” are everyone who has access to any of Makers IT systems (physical, network, documents stored in the cloud etc.). This includes permanent employees, temporary employees, contractors, agencies, consultants, suppliers, customers and business partners.

“Systems” means all IT equipment that connects to the corporate network or accesses corporate applications and data. This includes, but is not limited to, laptops, desktop computers, smartphones, tablets, printers, data and voice networks, networked devices, software, electronically-stored data, portable data storage devices, third party networking services, telephone handsets, video conferencing systems, cloud storage systems (namely Google Workspace) and all other similar items commonly understood to be covered by this term.

“Data Subjects” For the purpose of this Policy, this includes all living individuals about whom Makers holds Personal Data. All Data Subjects have legal rights in relation to their personal information.

“Personal Data” The GDPR’s definition of Personal Data (GDPR Article 4 (1)) makes it clearer what Personal Data are and shows that this must be widely interpreted:

“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

“PII or Personally Identifiable Information” This term derives from US privacy legislation. The expressions Personal Data and PII can be treated as synonymous.

3. Acceptable Use

3.1. General use & Ownership

3.1.1. Makers proprietary information stored on electronic and computing devices whether owned or leased by Makers, the employee or a third party, remains the sole property of Makers.

3.1.2. Users have a responsibility to promptly report the theft, loss or unauthorized disclosure of Makers proprietary information.

3.1.3. Users may access, use or share Makers proprietary information only to the extent it is authorized and necessary to fulfill assigned job duties.

3.1.4. Makers systems exist to support and enable the business. Makers trusts users to be fair and sensible when judging what constitutes an acceptable level of personal use of the company’s IT systems.

3.1.5. Any information that is particularly sensitive or vulnerable must be encrypted and/or securely stored so that unauthorized access is prevented (or at least made extremely difficult). Makers will undertake measures to ensure effective encryption on all Makers owned devices.

3.1.6. For security and network maintenance purposes, authorized individuals within Makers and/or its contracted security company, namely, Horn IT Solutions, may monitor equipment, systems and network traffic at any time. Makers can monitor the use of its IT systems and the data on it at any time. This may include (except where precluded by local privacy laws) examination of access history, as well as  the content stored within the email and data files of any Makers employee.

3.1.7. Makers reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

3.2 Data Security and Confidential Information

Users must take all necessary steps to prevent unauthorized access to confidential information. Confidential information includes but is not limited to: internal working documents, information provided by clients about their business, health information and identifying information of any person included in any market research activity etc. All corporate and client data should be considered confidential.

Users must not send, upload, provide access to, remove on portable media or otherwise transfer to a non-Makers system, party or individual, any information that is designated as confidential, or that they should reasonably regard as being confidential to Makers, except where explicitly authorized to do so in the performance of their regular duties.

Users who are supplied with computer equipment by Makers are responsible for the safety and care of that equipment, and the security of software and data stored on it and on other Makers systems that they can access remotely using it.

Because information on portable devices, such as laptops, tablets and smartphones, is especially vulnerable, special care should be exercised with these devices. Users will be held responsible for the consequences of theft of or disclosure of information on portable systems entrusted to their care if they have not taken reasonable precautions to secure it.

Users who have been charged with the management of Makers systems are responsible for ensuring that they are at all times properly protected against known threats and vulnerabilities as far as is reasonably practicable and compatible with the designated purpose of those systems.

Users must at all times guard against the risk of malware (e.g. viruses, spyware, Trojan horses, rootkits, worms, backdoors) being imported into Makers systems by whatever means and must report any actual or suspected malware infection immediately. 

Requirements & Behaviors for Data Security & Confidential Information

3.2.1. All mobile and computing devices that connect to the internal network must comply with this policy. Only authorized devices may be used to access Makers data and systems.

3.3. Remote Access & Working From Home

It is the responsibility of Makers employees, contractors, vendors and agents with remote access privileges to Makers cloud systems and tools to ensure that their remote access connection is given the same consideration as the user’s on-site connection to Makers.

General access to the systems Makers uses to conduct business is strictly limited to authorized Users. When accessing the system from a remote location, Users are responsible for preventing access to any Makers computer resources or data by non-Authorized Users. Performance of illegal activities through Makers systems by any User (Authorized or otherwise) is prohibited. The User bears responsibility for and consequences of misuse of the User’s access.

3.4. Principles for processing Personal Data

All Personal Data must be dealt with properly, irrespective of how it is collected, recorded and processed – whether on paper, in a computer file, database, or recorded on other material.

Makers regards the lawful and correct treatment of Personal Data and maintaining the confidence of those with whom it deals as a vital component of its business operations. Makers is committed to act ethically and responsibly in respect of this Personal Data and to always provide a high degree of confidentiality and security.

To demonstrate these commitments, Makers adheres to the principles relating to the processing of Personal Data found in the GDPR. Makers respects the following principles concerning Personal Data and that they are:

  • Processed fairly and lawfully.
  • Processed for limited purposes and in an appropriate way.
  • Adequate, relevant and not excessive for the purpose.
  • Accurate.
  • Processed in line with Data Subjects’ rights.
  • Secure & not transferred without adequate protection.

3.4.1. Personal Data Provided by Clients

Personal Data provided to Makers by its clients can occur. In respect of any Personal Data so received, Makers may only process this Personal Data in accordance with the instructions agreed with or received from the client. These instructions may include restrictions on transfers to other parties as well as specific security requirements. Any such restrictions must be complied with. To ensure that Makers is able to comply with any client specific restrictions or requirements, it is necessary that such instructions are documented in writing and agreed before any relevant contractual arrangements are accepted by Makers.

4. Unacceptable Use

Users are expected to use their own judgment regarding what is unacceptable use of Makers systems. The activities below are provided as examples of unacceptable use, however the list is not exhaustive:

  • All illegal activities. These include theft, computer hacking, malware distribution, contravening copyrights and patents, and using illegal or unlicensed software or services. These also include activities that contravene data protection regulations.
  • All activities detrimental to the success of Makers. These include sharing sensitive information outside the company, such as research and development information and customer lists, as well as defamation of the company.
  • Circumventing the IT security systems and protocols which Makers has put in place.

5. Access Controls

Access controls are necessary to ensure only authorized users can obtain access to specific information and systems. Access controls manage the admittance of users to system resources by granting users access only to the specific resources they require to complete their job-related duties.

5.1. Makers will provide access privileges to systems based on the following principles:

  • Need to know – Users or resources will be granted access to systems that are necessary to fulfill their roles and responsibilities.
  • Least privilege – Users or resources will be provided with the minimum privileges necessary to fulfill their roles and responsibilities.
  • Role based – access to data and resources will be granted in accordance to the role of the User

5.2. Requests for users’ accounts and access privileges must be documented and appropriately approved.

5.3. Requests for special accounts and privileges (such as vendor accounts, application and service accounts, system administration accounts, shared / generic accounts, test accounts and remote access) must be documented and approved.

5.4. Review of access privileges for administrator level accounts is reviewed at minimum every 180 days, as well as at the completion of any project or initiative in which access to data or resources was granted, by an Administrator, namely the Managing Partners.

5.5. Users access will be reviewed within 30 days of that User’s role changing (i.e. moved clients or departments) by an Administrator, namely the Managing Partners.

5.6. Access to systems will be revoked immediately upon a User’s termination, whether it is an employee, contractor or any other previously authorized User.

5.7. Emergency Access Changes: Access elevation for required circumstances is occasionally permitted in order to remediate issues or restore service. Makers limits elevated access required to only the duration of such an event. Access and activities are recorded, and access removed at the end of the event.

5.8. Makers shall ensure that changing of the access rights are part of the normal change control process, including authorization, notification and removal when elevated access is no longer necessary.

6. Data Breach & Response

Users who suspect that a theft, breach or exposure of data has occurred must immediately provide a description of what occurred via email to the Managing Partners, as well as notifying them by phone call and/or in person, to ensure the email does not get missed and action is taken immediately.

The Managing Partners, along with the IT team will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, they will follow the appropriate procedure depending on the class of data involved.

7. Enforcement

Makers will not tolerate any misuse of its systems and will discipline anyone found to have contravened this policy, including not exercising reasonable judgment regarding acceptable use.

Use of any of Makers resources for any illegal activity will usually be grounds for summary dismissal, and Makers will cooperate with any criminal investigation and prosecution that may result from such activity.