Information Security Policy

Kingston Trading (UK) Ltd t/a Kingston E-Liquids
Last updated: November 2025

1. Purpose

The purpose of this policy is to protect all information assets belonging to Kingston Trading (UK) Ltd and its trading divisions from internal, external, deliberate, or accidental threats.
It ensures that the confidentiality, integrity, and availability of company and customer information are maintained at all times.

2. Scope

This policy applies to:

  • All employees, contractors, and third parties handling Kingston Trading information.
  • All systems, devices, networks, cloud platforms, and data owned or managed by the company.
  • All information in any format (electronic, paper, or verbal).

3. Objectives

  • Protect business, customer, and supplier data against unauthorised access or disclosure.
  • Maintain secure and reliable IT systems that support operations.
  • Ensure compliance with UK GDPR, Data Protection Act 2018, and other applicable laws.
  • Promote staff awareness and accountability regarding information security.
  • Respond effectively to security incidents and reduce risk of recurrence.

4. Roles and Responsibilities

4.1 Directors

  • Approve and support the implementation of this policy.
  • Ensure sufficient resources are allocated for information security management.

4.2 IT & Data Protection Lead

  • Maintain and monitor security controls.
  • Manage backups, antivirus, and access permissions.
  • Report and investigate any data breaches or security incidents.

4.3 All Employees

  • Follow this policy and related procedures.
  • Protect passwords, devices, and confidential information.
  • Immediately report any suspected data breach, phishing attempt, or system compromise.

5. Data Classification

Information handled by Kingston Trading shall be classified as:

  • Public: Marketing materials, published website content.
  • Internal: Operational data, non-sensitive emails, procedures.
  • Confidential: Customer orders, supplier contracts, financial data.
  • Restricted: Personal data, passwords, security keys, or trade secrets.

Each classification requires appropriate handling, storage, and access control.

6. Access Control

  • Access to systems and data is granted on a need-to-know basis.
  • Unique user accounts and strong passwords are required for all systems.
  • Multi-factor authentication (MFA) is implemented where possible.
  • Accounts are reviewed and revoked when staff leave the company.

7. Physical Security

  • Offices, warehouses, and manufacturing areas are secured by key or access control systems.
  • Visitors must be authorised and accompanied at all times.
  • Confidential documents are stored in locked cabinets when not in use.
  • Paper records containing personal data are disposed of using secure shredding.

8. Network and System Security

  • Firewalls, antivirus, and anti-malware protection are maintained and updated regularly.
  • All operating systems and applications are patched promptly.
  • Wi-Fi networks are encrypted and password-protected.
  • Data backups are performed daily and stored securely, both onsite and offsite (cloud).
  • Remote access uses secure VPN or encrypted channels only.

9. Data Protection and Privacy

  • Personal data is processed in accordance with the UK GDPR and the company Privacy Policy.
  • Data collected from customers, employees, and suppliers is limited to what is necessary for business purposes.
  • Data subjects have the right to access, correct, or delete their information as per regulation.

10. Email and Internet Usage

  • Company email accounts are to be used for authorised business purposes only.
  • Staff must not click suspicious links or open unknown attachments.
  • Personal use of company devices or systems must not compromise security.
  • Downloads and installations require prior approval from management or IT.

11. Incident Management

  • All suspected security incidents, data breaches, or system compromises must be reported immediately to the IT & Data Protection Lead.
  • Incidents will be logged, investigated, and resolved in line with the Incident Response Procedure.
  • Where personal data is involved, notification to the Information Commissioner’s Office (ICO) will be made within 72 hours, where legally required.

12. Training and Awareness

  • All employees receive induction and periodic refresher training on data protection and cybersecurity.
  • Regular awareness campaigns will be held to reinforce good security practices (e.g., phishing awareness, password hygiene).

13. Supplier and Third-Party Security

  • Third parties with access to company data (e.g., couriers, hosting providers, payment processors) must comply with equivalent security standards.
  • Data processing agreements are maintained with all relevant suppliers.

14. Monitoring and Review

  • Security systems and controls are monitored for effectiveness.
  • This policy is reviewed annually or following major organisational, legal, or technological changes.
  • Improvements are implemented as part of a continuous security management process.

15. Policy Compliance

Failure to comply with this policy may result in disciplinary action, withdrawal of system access, or legal consequences where applicable.