This policy sets out how NB Diamonds protects, processes, stores, and disposes of all personal data in its custody, and the mandatory rules every employee, contractor, and temporary worker (“Employees”) must follow. It also establishes NB Diamonds’ requirement that work‑related data processing be carried out only on NB Diamonds‑owned or ‑approved property (devices, networks, cloud services, and physical media).

 Scope

• Applies to: all NB Diamonds business units worldwide, including group companies and third‑party processors acting on our behalf.

• Data covered: any information that can identify, or be linked to, a living individual (“Personal Data”), in any format (digital, paper, voice, video, biometric, etc.).

• Systems covered: on‑premises servers, SaaS platforms, mobile devices, removable media, and physical files—provided they are NB Diamonds property or expressly authorised.

  Key Definitions

• UK GDPR – the retained EU General Data Protection Regulation as it forms part of UK law.

• Controller – NB Diamonds determines purposes & means of processing.

• Processor – third party processing data on our behalf under contract.

• DPO – Data Protection Officer (see §14 for contact).

• Company Property – devices, accounts, software, cloud instances, or physical storage purchased, leased, or explicitly approved by NB Diamonds IT & Security.

  Data Protection Principles

We commit to the seven UK GDPR principles: lawfulness, fairness & transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity & confidentiality (security); and accountability.

 Lawful Bases for Processing

NB Diamonds processes Personal Data only where one of the lawful bases applies—typically contract performance, legitimate interests (balanced test on record), legal obligation, consent, or protection of vital interests.

Employee Obligations

1. Use Only Company Property

   • Employees must not access, download, copy, transmit, or store NB Diamonds data on personal laptops, phones, USB sticks, personal cloud accounts, or messaging apps.

   • Exceptions require written authorisation from IT & Security and the DPO, and must be risk‑assessed and logged.

2. Access Control & Authentication

   • Strong, unique passwords or approved SSO; MFA where available.

   • Accounts are individual; credential sharing is prohibited.

3. Data Handling & Transmission

   • Encrypt data in transit (TLS 1.2+) and at rest (AES‑256 or better).

   • Use approved VPN when off‑site.

   • Emailing Personal Data externally requires DLP checks and encryption.

4. Retention & Deletion

   • Follow retention schedule (see §10).

   • Securely erase or shred data at end of life; deletion certificates retained.

5. Reporting

   • Suspected data breach or policy violation → report immediately to security@nbdiamonds.com or internal hotline.

   • Failure to report may result in disciplinary action.

Data Security Measures

• Physical: CCTV, secure access cards, locked cabinets, visitor logs.

• Technical: firewalls, EDR, SIEM, vulnerability management, regular pen‑testing, backups with off‑site replication and disaster recovery.

• Organisational: least‑privilege access, segregation of duties, background checks for high‑risk roles, annual security & privacy training.

Third‑Party Processors

All processors must sign a UK GDPR‑compliant DPA including confidentiality, sub‑processor approval, security standards, audit rights, and data return/deletion clauses. The DPO maintains a processor register.

  Data Subject Rights

NB Diamonds provides mechanisms to exercise rights of access, rectification, erasure, restriction, portability, objection, and automated decision‑making review. Requests are logged and answered within 30 days.

Monitoring & Audits

• NB Diamonds reserves the right to monitor use of company property, in accordance with relevant employment and privacy laws.

• Internal audits are performed at least annually; significant findings reported to the Board.

  Enforcement & Disciplinary Action

Violation of this policy (including use of personal devices for company data without approval) may lead to disciplinary action up to and including dismissal, plus potential civil or criminal liability.

  Training & Awareness

All Employees must complete privacy & security training on induction and annually thereafter. Training records are stored for seven years.

Policy Review

This policy is reviewed at least once a year—or sooner if legislation, business processes, or risk assessments change—by the DPO and approved by the Board. Latest revision: [15 Jan 2025].