Data Protection and Information Security Policy

Modern Age Limited Last updated: March 2026

Purpose

This policy sets out how Modern Age manages data protection and information security across all client engagements. It applies to everyone working under the Modern Age banner, including employees, contractors, subcontractors, and collaborators.

Governance and responsibility

The Creative Director is responsible for data protection compliance within Modern Age. This includes:

  • Ensuring the company meets its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
  • Carrying out a data protection assessment at the start of each new engagement to identify what personal data, if any, will be handled and how it will be protected
  • Reviewing and updating this policy annually
  • Acting as the primary point of contact for any data protection queries or concerns

Modern Age does not currently meet the threshold requiring the formal appointment of a Data Protection Officer under UK GDPR. If the nature of our work or the scale of our data processing changes, this will be reassessed.

How we work with client data

Modern Age is a digital consultancy. Our work is typically delivered within the client's own infrastructure, using their systems, tools, and security environment. This means that in most engagements:

  • Client data remains within the client's own platforms (e.g. their email, collaboration tools, content management systems)
  • Modern Age does not independently store, process, or transfer client personal data on its own systems
  • Access to client systems is managed through the client's own authentication and access controls

Where an engagement does require Modern Age to handle data outside the client's environment, specific data handling arrangements will be agreed with the client before work begins.

Information security

Modern Age takes reasonable and proportionate steps to protect information, including:

  • All Modern Age devices are encrypted and password-protected
  • Two-factor authentication is enabled on all business accounts
  • Cloud services used for internal work (design tools, project management, communication) are enterprise-grade platforms with their own security certifications
  • Access to client information is limited to those directly involved in delivering the engagement
  • When subcontractors or collaborators are brought onto an engagement, they are briefed on information security requirements and bound by equivalent obligations before being given access

Cross-border data transfers

Before each engagement, Modern Age assesses whether personal data will be transferred outside the United Kingdom. Where such transfers are necessary, appropriate safeguards will be implemented in line with UK GDPR, including the use of Standard Contractual Clauses or reliance on adequacy decisions where applicable.

At present, Modern Age delivers services within the client's own infrastructure, and cross-border transfers of personal data by Modern Age do not arise.

Data retention and deletion

Modern Age does not retain client personal data beyond the period necessary for the purpose it was collected. At the conclusion of an engagement, or at the client's request:

  • Client materials and data are returned to the client or securely deleted
  • Confirmation of deletion is provided on request

Where we are required to retain records for legal or regulatory purposes (for example, financial records or contractual documentation), we do so in line with applicable retention periods and ensure the data is held securely.

Incident response

If a personal data breach or suspected breach is identified, Modern Age will:

  1. Contain the breach and assess the risk to affected individuals
  2. Notify the affected client and any relevant marketplace or platform operators within 24 hours of becoming aware of the breach
  3. Notify the Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms, as required under UK GDPR
  4. Document the incident, including what happened, what data was affected, and what steps were taken in response
  5. Review the incident to identify any improvements to prevent recurrence

Information security awareness

All personnel working on Modern Age engagements are briefed on their data protection and information security obligations before starting work. This includes reviewing this policy and any client-specific data handling requirements.

Briefings cover common threats including phishing, social engineering, password security, and safe handling of client information. Personnel are expected to report any suspicious communications or potential security threats immediately.

Data protection and information security policies are reviewed annually. The outcome of each review is documented in an internal compliance review record.

Business continuity

Modern Age takes the following steps to ensure continuity of service in the event of a cyber security incident, hardware failure, or other disruption:

  • Client work is delivered within the client's own infrastructure, so client data and project progress are not dependent on Modern Age's own systems
  • Internal business files are backed up via cloud-based platforms with their own redundancy and disaster recovery
  • All Modern Age devices are encrypted, limiting exposure in the event of loss or theft
  • In the event of a significant disruption, affected clients will be notified promptly with an estimated timeline for resolution
  • Critical credentials and access details are stored securely and can be recovered independently of any single device

This approach is reviewed annually as part of the compliance review process.

Subcontractors and collaborators

Where subcontractors or collaborators are engaged on client work, Modern Age ensures that:

  • Data protection obligations are included in contractual terms before work begins
  • Subcontractors are briefed on relevant policies and client-specific requirements
  • Modern Age retains the ability to audit or evaluate subcontractor compliance on request

Review

This policy is reviewed annually and updated as needed to reflect changes in legislation, our business, or our client obligations.

Modern Age Limited, registered in Scotland Registered office: Antonine House, Callendar Business Park, Callendar Road, Falkirk FK1 1XE