Policies
Data Protection Policy
1. Purpose
Thread & Fable is committed to protecting the privacy and security of personal data. This Data Protection Policy outlines how we collect, process, store, and dispose of data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Scope
This policy applies to all personal data processed by Thread & Fable, including data collected for client projects, employee records, and marketing activities. It extends to all associates, contractors, and third-party providers working with Thread & Fable.
3. Data Collection and Processing
- Lawfulness and Transparency: Personal data will be collected only for specified, explicit, and legitimate purposes with the individual’s consent or as necessary for contractual obligations.
- Data Minimisation: We collect only the minimum data necessary for each purpose.
- Accuracy: We ensure data is accurate and kept up to date. Incorrect data will be rectified promptly.
4. Data Storage and Access
- Data is securely stored using Google Workspace and Microsoft 365 cloud platforms, which are GDPR-compliant.
- Access to personal data is restricted to authorised personnel and associates only, based on role-specific requirements.
- Access controls are reviewed periodically to ensure compliance.
5. Data Retention and Disposal
- Data is retained only as long as necessary for business or legal requirements. Retention schedules are defined for each data type.
- When no longer needed, data is securely deleted or destroyed.
6. Data Subject Rights
Thread & Fable respects the rights of data subjects to access, rectify, erase, or restrict the processing of their data. Requests can be made by contacting our Data Protection Officer at info@threadandfable.com.
7. Data Breaches
In the event of a data breach, Thread & Fable will notify the ICO within 72 hours if the breach is likely to impact individuals’ rights and freedoms. Affected individuals will also be informed if their data is compromised.
8. Review and Updates
This policy will be reviewed annually or as necessary to reflect changes in legislation or our operations.
Security Policy
1. Purpose
The Security Policy aims to establish Thread & Fable’s approach to protecting client data, business information, and IT infrastructure from potential security threats. This policy supports our compliance with Cyber Essentials and our commitment to maintaining secure data handling and processing.
2. Scope
This policy applies to all Thread & Fable personnel, associates, and contractors, covering all systems, cloud-based platforms, and devices used to store or access data.
3. Security Principles
- Confidentiality: Data access is limited strictly to authorised users, ensuring confidentiality for all personal and client data.
- Integrity: Thread & Fable will protect data from being altered or tampered with, maintaining accuracy and reliability.
- Availability: We ensure data availability to authorised personnel, using reliable cloud services to support data continuity and access.
4. Technology and Infrastructure
- Cloud Security: Google Workspace and Microsoft 365 are used for data storage and collaboration, both of which are secured with multi-factor authentication (MFA) and encryption.
- Website Security: Our website, hosted on Wix, is regularly monitored and updated to protect against vulnerabilities.
- Malware Protection: We use Kaspersky Plus to provide comprehensive malware protection across all systems and devices.
5. Access Control
- Access to systems is controlled through role-based permissions and regular password updates. MFA is enforced on all critical systems.
- Associates and contractors are granted limited access only to the data they require for their tasks.
6. Security Incident Response
- Identification and Containment: Any suspected security incident is promptly identified, contained, and reported.
- Investigation: Incidents are investigated to determine cause and scope.
- Recovery and Prevention: Recovery actions, such as restoring data and reinforcing security measures, are taken as needed.
- Notification: The ICO and affected individuals are notified in line with legal requirements in the case of a breach.
7. Regular Audits and Updates
Security audits are conducted annually, with results informing any necessary policy updates.