The forthcoming GDPR is causing us all to take a closer look at the way in which we manage and process personal information about employees, customers, suppliers and so on.
But what does GDPR mean for your talent management software?
To help our clients, we have been on the case for months making sure that their contract with us, and the functionality of their Talent system, are not among the things they need to be worrying about.
About the GDPR
The General Data Protection Regulation (GDPR) aims to harmonise data protection legislation across EU member states and to enhance the privacy rights of individuals. It applies to organisations based within the EU that process Personal Data, and also to organisations operating outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. The GDPR applies from 25 May 2018. It sets out clearly the respective responsibilities of the Data Controller and the Data Processor.
Head Light as a Data Processor
The GDPR places specific legal obligations on us as a Data Processor and on our customers as Data Controllers. The GDPR requires us to show how we comply with the principles – for example by documenting the decisions we take about a processing activity.
As with the Data Protection Act, the GDPR applies to ‘personal data’. The GDPR’s definition is more detailed, however: it makes clear that information such as an online identifier (for example an IP address) can be personal data, and this more expansive definition brings a wide range of personal identifiers within scope.
As a Processor, we are required to maintain records of the personal data we hold and of our processing activities, and we carry greater legal liability if we are responsible for a breach. Our customers (as Data Controllers) need a lawful basis, such as the explicit consent of their own software users, for the information to be processed, and as the Data Processor we need to tell our customers how we process that information.
As these are new requirements and obligations for us as Processors under the GDPR, we have:
- updated our Data Protection Policy;
- rewritten our standard contract with our customers which sets out clearly how we process data and our procedure should there be a breach;
- enhanced our Talent® software to enable our customers to fulfil requests from their users based on the eight rights of individuals set out in the GDPR.
Head Light as a Data Controller
Head Light also acts as Data Controller for the personal information of our clients and prospects, which we store, encrypted, within our Customer Relationship Management and Marketing Automation system; the provider of that system is our Data Processor.
As a result we have:
- ensured our contract with our Data Processor details how the information is processed and what happens in the event of a breach.
The guidance from the Information Commissioner’s Office (ICO) on the changes to how explicit consent must be obtained is being finalised and will be published by the end of 2017. When it is, we will adopt and implement it for those accessing our Website, for those wanting to sign up to receive marketing and promotional material, and for how we contact our clients. As we do now, we will continue to provide the opportunity to change or withdraw permission to use personal data.
Our Head Light team
We understand what constitutes a personal data breach, and our staff understand that this covers more than the loss of personal data: unauthorised access to, disclosure of, or alteration of personal data is a breach too. We have in place an internal breach reporting procedure, and this helps us to decide how and when we notify the relevant supervisory authority, and, where we are acting as Data Processor, the affected customer.
If you have any questions or queries about how we are gearing up for GDPR, then do get in touch.