Introduction

At Get Paid Payroll (GPP) Outsourcing, we recognise that information security is fundamental to the trust our clients place in us. Protecting client data, employee information, and operational systems is a core business priority. This Security Policy outlines the principles, procedures, and technical measures that ensure the confidentiality, integrity, and availability of all information handled by GPP.

The policy applies to all employees, contractors, consultants, clients, and partners who have access to GPP systems, data, or communication channels. It also extends to any third-party software, hardware, or services used in the delivery of payroll and outsourcing operations.

1. Security Objectives

Our key objectives are to:

  • Protect sensitive and confidential information from unauthorised access or disclosure.

  • Maintain the integrity and accuracy of information.

  • Ensure the availability of systems and data at all times.

  • Comply fully with applicable laws, including the UK GDPR, Data Protection Act 2018, and Computer Misuse Act 1990.

  • Foster a culture of information security awareness across the organisation.

2. Information Security Governance

Security governance is managed under the authority of the Directors of Outsource Professional Directors (OPD) Limited, who oversee compliance and policy enforcement.

GPP maintains:

  • A documented Information Security Management System (ISMS) aligned with ISO 27001 standards.

  • Regular risk assessments to identify and mitigate vulnerabilities.

  • Defined roles and responsibilities for data protection and cybersecurity.

  • Continuous review and improvement of controls and procedures.

All employees receive mandatory security training and must comply with GPP’s internal security policies.

3. Data Protection and Confidentiality

GPP safeguards personal, payroll, and financial information using robust controls designed to prevent loss, corruption, or misuse.
Key measures include:

  • Encryption of data in transit and at rest.

  • Restricted access to sensitive information based on job role and necessity.

  • Use of secure communication channels (SSL/TLS).

  • Regular monitoring and logging of access to systems.

  • Confidentiality agreements for all staff, contractors, and third-party service providers.

Employees are prohibited from sharing, copying, or transferring data without authorisation.

4. Access Control and Authentication

To prevent unauthorised access:

  • All users must authenticate using unique login credentials and multi-factor authentication (MFA).

  • Access rights are granted strictly on a need-to-know basis.

  • Passwords must meet complexity requirements and be changed regularly.

  • Dormant accounts are automatically disabled after a period of inactivity.

  • System access logs are maintained and reviewed periodically.

Temporary access permissions are subject to time-based expiry and approval.

5. Network and Infrastructure Security

Our infrastructure is secured through a layered approach, including:

  • Firewalls and intrusion detection/prevention systems (IDS/IPS).

  • Secure VPNs for remote work access.

  • Segregated networks for sensitive systems and data.

  • Regular penetration testing and vulnerability scanning.

  • Continuous monitoring for malicious activity or unauthorised traffic.

Only authorised IT personnel can modify network configurations or install new software.

6. Software, Systems, and Patch Management

GPP ensures all software and systems are maintained at current security patch levels.
Our controls include:

  • Centralised patch management and deployment.

  • Approved software lists to prevent unauthorised installations.

  • Routine system updates to address known vulnerabilities.

  • Vendor security reviews for all third-party applications, including payroll and HR platforms.

Outdated or unsupported software is promptly removed or replaced.

7. Physical Security

GPP’s offices and data centres are protected by multiple layers of physical security controls:

  • Controlled access entry points using key cards or biometric verification.

  • CCTV surveillance and alarm systems.

  • Visitor registration and escorted access.

  • Secure storage for backup drives and sensitive documents.

  • Environmental controls such as temperature regulation and fire suppression systems.

Only authorised personnel may enter secure data handling areas.

8. Data Backup and Recovery

To ensure business continuity and data integrity:

  • Automated backups are performed daily.

  • Encrypted backup copies are stored offsite or in secure cloud environments.

  • Regular restoration tests are conducted to confirm recoverability.

  • Backup retention periods comply with legal and operational requirements.

In case of data loss or corruption, recovery procedures are immediately initiated by IT security staff.

9. Incident Response and Reporting

GPP maintains a structured Incident Response Plan (IRP) for addressing security breaches and system failures.
Procedures include:

  • Immediate containment of the incident.

  • Investigation and root cause analysis.

  • Notification to affected clients and the Information Commissioner’s Office (ICO) if legally required.

  • Documentation of lessons learned and process improvements.

All staff are required to report suspected incidents or anomalies to the Security Officer immediately.

10. Remote and Mobile Security

With flexible working arrangements, GPP enforces strict remote security protocols:

  • Company-approved devices with encryption and anti-malware protection.

  • Secure VPN access with MFA.

  • Prohibition of public Wi-Fi use without encryption.

  • Remote wipe capability for lost or stolen devices.

Employees must not store sensitive data on personal devices or removable media.

11. Third-Party and Vendor Security

Third-party partners, contractors, and service providers are subject to due diligence and contractual data protection clauses.
We ensure:

  • Vendors adhere to security standards equal to or stronger than our own.

  • Annual reviews of vendor performance and compliance.

  • Immediate action in case of vendor-related data breaches.

No vendor or partner is allowed direct system access without written authorisation and security assessment.

12. Employee Awareness and Training

Security awareness is embedded in our organisational culture.
GPP provides:

  • Mandatory induction and refresher training on data protection and cybersecurity.

  • Phishing simulation exercises.

  • Security updates and alerts to staff.

  • Disciplinary measures for non-compliance with security policies.

13. Business Continuity and Disaster Recovery

GPP maintains tested business continuity plans (BCP) to ensure uninterrupted service delivery.
These include:

  • Contingency procedures for IT system failure or cyberattack.

  • Designated recovery sites and secure backup systems.

  • Crisis communication protocols for staff and clients.

  • Post-incident review and continuous improvement.

Our disaster recovery objectives ensure data recovery within 24 hours and full operational restoration within 48 hours of a critical event.

14. Policy Enforcement and Review

Compliance with this Security Policy is mandatory.
Violations may result in disciplinary action, including termination or legal proceedings.

This policy is reviewed periodically to ensure relevance, effectiveness, and compliance with evolving cybersecurity and data protection standards.

15. Contact Information

For questions, incident reporting, or concerns related to this Security Policy, please contact:

Email: info@getpaidpayroll.com
Telephone: +44 208 145 3355
Address: Ability House, 121 Brooker Road, Waltham Abbey, EN9 1JH, United Kingdom

Security Policy