Eploy - Our Commitment to GDPR
The EU General Data Protection Regulation (GDPR) comes into effect in May 2018. The new legislation applies to all businesses processing the personal data of EU citizens, whether they are inside or outside of the EU.
What is personal data?
In recruitment, we collect lots of data about our candidates - but which of it is deemed ‘personal’ or ‘sensitive’?
The GDPR applies to any data which could identify, or make identifiable, a living individual - whether directly or indirectly by ‘all means reasonably likely to be used’.
So, names, addresses, email addresses etc. would automatically fall into the remit of GDPR.
But the recitals of the GDPR also highlight that certain categories of online data may be personal including:
- online identifiers
- device identifiers
- cookie IDs and
- IP addresses
Helping you meet your obligations as a Data Controller
The legislation places new obligations on you as a Data Controller and on our relationship with you as your Data Processor.
Eploy are committed to complying with the GDPR as a data processor and to helping you comply with your obligations as a data controller. We have worked, and continue to work, closely with our legal team to ensure we have a thorough understanding of the GDPR and the new responsibilities we share with you in protecting personal data. New GDPR features, particularly in the areas of consent management and data anonymisation, have also been introduced.
How are we working toward best practice compliance?
Adopting the highest level of Information Security Standards
Our Information Security Management System has been assessed to the IASME standard (https://www.iasme.co.uk/the-iasme-standard/). Based on ISO27001 and international best practice, the certification is risk-based and covers aspects such as physical security, staff awareness, and data backup. The IASME standard was recently recognised as the best cyber security standard for SMEs by the UK Government.
During Eploy’s 2017 IASME recertification we opted to include IASME’s new ‘GDPR Ready’ checkmark as part of the assessment. This meant the assessor reviewed our policies and procedures for their compliance with GDPR – this was successful, and we are confident that we will be ready for GDPR when it comes into effect in May 2018.
Our IASME & GDPR Ready certificate is No.SA003163 - https://www.iasme.co.uk
Helping your candidates to exercise their rights under GDPR
Many of the rights of data subjects are already supported by Eploy’s Candidate Portal. For example:
Secure, online self-service
Providing secure, online self-service is considered to be best practice by the EU.
We are committed to assisting our customers in meeting their requirements under the GDPR and, where possible, making the process easy to manage – particularly enabling secure ‘self-service’ for candidates to access their GDPR rights.
The Right of Access
Candidates can see what personal data you hold on them
The Right of Rectification
Candidates can easily request that incorrect data is rectified.
Other GDPR compliant features of the Eploy System
Right to Erasure
A candidate should be able to request being deleted - System users with the appropriate access rights can delete candidates.
Right to Data Portability
A candidate should be able to request a copy of their data in a ‘machine readable’ format. This is possible via the Eploy System (Backend) by an Eploy system user running the Summary Information report against the candidate – this would allow them to put the data into a spreadsheet/CSV file.
Ongoing Compliance and new GDPR compliant features
We have introduced additional features to support and simplify the ways in which our customers can manage their GDPR responsibilities.
One area where we have introduced new tools is for management of consents. The GDPR greatly extends the responsibilities for gaining consent to use personal information beyond that which is required under existing data protection legislation.
Under GDPR, consent needs to be freely given, specific, informed and granular, verifiable, easy to withdraw and time limited. Further details on the new functionality for managing granular consents can be found here.
Eploy hold the IASME Certification & GDPR Ready Checkmark
GDPR also requires that data processing systems are secure. Eploy’s Information Security Policies and controls have received IASME certification - including the new ‘GDPR Ready’ checkmark – this was achieved in June 2017 and demonstrates that our security management system and policies have been verified to comply with GDPR requirements.
Encrypted Data in Transit
Eploy is accessed via https://, which means data is encrypted in transit between the browser and the server – this includes the candidate portals as well as the Eploy System (back end).
Encrypted Data at Rest
Eploy offer encryption at rest, where the database itself is encrypted, as an optional service – this is our preferred and recommended option for customers.
Encrypted Data Backups
Customer backups are encrypted as per our Customer Backup Policy.
Undecryptable User Passwords
User passwords are stored in a one-way encrypted format in the Eploy database and cannot be decrypted back to the original password (even by Eploy!). In the last Eploy update we introduced new security settings that enable customers to create and enforce a password policy. These include:
- Preventing weak passwords
- Preventing password re-use
- Login via an approved third party (Facebook, Google, LinkedIn)
- Disabling auto-complete for login pages
- Secure forgotten password / reset
- Captcha tests
- Locking down to customer owned IP address or range.
Eploy uses SSL with locked-down protocols and ciphers and holds an A rating on SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=admin.eploy.net&hideResults=on).
Eploy has a granular permissions system, so that you can restrict access to specific categories of data to only those users who require it.
Eploy supports Two-Factor Authentication (2FA), meaning you can control how your users log in and apply 2FA either to all logins or, for example, only when users log in to the system from outside your company IP range.
Eploy only use EU Datacentres
GDPR imposes restrictions on the transfer of data outside of the EU.
Eploy only use EU-based datacentres, and we have appropriate data processing agreements in place with our suppliers. Our datacentre suppliers are ISO27001 certified.
What should Customers be doing now?
Customers need to take GDPR seriously and will need to look at where they should be updating their own policies and procedures to be compliant. A good place to start is the Information Commissioner’s Office: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ . There is no 'one size fits all' solution; your business’ obligations under the GDPR may well differ from your competitors’.
With the additional rights Candidates will have under the GDPR, Customers will need to start updating their Privacy Policies to ensure that, each time they collect personal data from Candidates, they provide information in a clear and understandable form about, amongst other things: what data is being held; how it is used (e.g. whether there is automated decision making); who the data might be shared with (including Eploy); how long it is stored for; whether the data is transferred between systems; and how Candidates can exercise their rights under the GDPR.
Our ICO Data Protection Registration
Eploy is registered for Data Protection with the Information Commissioner’s Office (ICO); our registration number is ZA248720.
Please bookmark this page and check regularly for updates.