The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It applies to any business processing the personal data of individuals in the EU, whether that business is based inside or outside the EU. (Note that the regulation covers people who are in the EU, not only EU citizens.)
What is personal data?
In recruitment, we collect lots of data about our candidates – but which of it is deemed ‘personal’ or ‘sensitive’?
The GDPR applies to any data that identifies, or could be used to identify, a living individual, whether directly or indirectly, taking into account 'all means reasonably likely to be used' (Recital 26).
So, names, addresses, email addresses etc. would automatically fall into the remit of GDPR.
But the recitals of the GDPR also highlight that certain categories of online data may be personal including:
Helping you meet your obligations as a Data Controller
The legislation places new obligations on you as a Data Controller and on us as your Data Processor, and it requires the relationship between the two to be set out in a written contract (Article 28).
Visible Boost is committed to complying with the GDPR as a data processor and to helping you comply with your obligations as a data controller. We continue to work closely with our legal team to keep our understanding of the GDPR, and of the responsibilities we share with you in protecting personal data, up to date. New GDPR features, particularly for consent management and data anonymisation, have also been introduced.
How are we working toward best practice compliance?
Adopting the highest level of Information Security Standards
Our Information Security Management System has been assessed against the IASME standard. Based on ISO 27001 and international best practice, the certification is risk-based and covers aspects such as physical security, staff awareness and data backup. The IASME standard was recently recognised by the UK Government as the best cyber security standard for SMEs.
Helping your candidates to exercise their rights under GDPR
Many of the rights of data subjects are already supported by the Visible Boost Candidate Portal. For example:
Secure, online self-service
Providing secure, online self-service is the approach the GDPR itself recommends: Recital 63 says that, where possible, the controller should be able to give the data subject remote access to a secure system providing direct access to their personal data.
We are committed to assisting our customers in meeting their requirements under the GDPR and, where possible, making the process easy to manage – particularly enabling secure ‘self-service’ for candidates to access their GDPR rights.
The Right of Access
Candidates can see what personal data you hold on them
The Right of Rectification
Candidates can easily request that incorrect data be rectified.
Other GDPR compliant features of the Visible Boost Software System
Right to be forgotten
A candidate should be able to request erasure of their data (Article 17). System users with the appropriate access rights can delete candidates. Note that the right is not absolute: where you have a legal obligation to retain some of the data (for example, records needed to defend a discrimination claim), you can refuse erasure of that part, but you must tell the candidate why.
Ongoing Compliance and new GDPR compliant features
We have introduced additional features to support and simplify the ways in which our customers can manage their GDPR responsibilities.
Consent
One area where we have introduced new tools is the management of consents. The GDPR extends the requirements for obtaining consent to use personal information well beyond those of the previous data protection legislation.
Under the GDPR, consent must be freely given, specific, informed and unambiguous (Article 4(11)); it must be granular (separate consents for separate purposes); you must be able to demonstrate that it was given (Article 7(1)); and it must be as easy to withdraw as it was to give (Article 7(3)). Regulatory guidance also expects consent to be refreshed rather than relied on indefinitely.
Data Security
Encrypted Data in Transit
Visible Boost is accessed over HTTPS, so data is encrypted in transit (TLS) between the browser and the server. This covers the candidate portals as well as the Visible Boost Software System (back end). TLS protects only the connection; it does nothing for data once it has been stored, which is what encryption at rest (below) addresses.
Encrypted Data at Rest
Visible Boost's software offers encryption at rest, where the database itself is encrypted, as an optional service. This is our preferred and recommended option for customers. Bear in mind what it protects against: database-level encryption guards data on lost or stolen storage media and backups, but not data read through the application by a user with valid credentials, so it complements, rather than replaces, user permissions and strong authentication.
Undecryptable User Passwords
Option to store user passwords in an undecryptable form, that is, as one-way salted hashes rather than in any reversible form, so that the original password cannot be recovered from the stored value by anyone, including Visible Boost. We recommend enabling this option.
User Permissions
Visible Boost’s software has user permissions, so you can restrict access to specific categories of data to only those users who need it (the least-privilege principle the GDPR's 'integrity and confidentiality' requirement expects).
Two-Factor Authentication
Visible Boost supports Two-Factor Authentication (2FA) on request, so you can control how your users log in and apply 2FA either to every login or, for example, only to logins from outside your company IP range. If you choose the IP-range exemption, check that the server decides on the address it actually sees on the connection rather than on a client-supplied header such as X-Forwarded-For, and remember that an office range is only as trustworthy as the network and devices behind it.
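The decision described above, as an added example that is not Visible Boost's code and makes no claim about how its 2FA option is implemented: a policy check that requires a second factor on every login, or only when the client is outside the company ranges. The office networks, trusted proxy range and sample addresses are constructed for the illustration (they use documentation prefixes). It also handles the case the caveat above warns about: an X-Forwarded-For header is honoured only when the TCP peer is one of our own proxies, and anything unparsable fails closed.

```python
import ipaddress
from typing import Optional

# Constructed sample configuration for the illustration.
OFFICE_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # head office egress (TEST-NET-3)
    ipaddress.ip_network("2001:db8:ab::/48"),  # office IPv6 prefix (documentation range)
]
# Only our own load balancers may assert a client address on our behalf.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def effective_client_ip(peer_ip: str, forwarded_for: Optional[str]):
    """Return the address to base the decision on.

    X-Forwarded-For is attacker-controlled unless the TCP peer is one of our
    proxies. Even then, a client can pre-fill the header, so take the
    rightmost entry, which is the one our proxy appended. Raises ValueError
    on anything that is not a valid address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def second_factor_required(policy: str, peer_ip: str,
                           forwarded_for: Optional[str] = None) -> bool:
    """policy: 'always' (2FA on every login) or 'outside_office' (skip 2FA
    only when the client address lies inside OFFICE_NETWORKS)."""
    if policy == "always":
        return True
    if policy != "outside_office":
        raise ValueError(f"unknown 2FA policy: {policy!r}")
    try:
        client = effective_client_ip(peer_ip, forwarded_for)
    except ValueError:
        return True  # unparsable address: fail closed and demand 2FA
    # ip_network.__contains__ returns False across IP versions, so a v4
    # client is never matched against a v6 office prefix or vice versa.
    return not any(client in net for net in OFFICE_NETWORKS)


if __name__ == "__main__":
    # Constructed login attempts for the demonstration.
    attempts = [
        ("203.0.113.5", None),                       # direct from the office
        ("198.51.100.7", None),                      # direct from elsewhere
        ("198.51.100.7", "203.0.113.5"),             # forged header, untrusted peer
        ("10.1.2.3", "203.0.113.5"),                 # via our proxy, real office client
        ("10.1.2.3", "203.0.113.5, 198.51.100.7"),   # client pre-filled header via proxy
    ]
    for peer, xff in attempts:
        print(peer, xff, "->", "2FA" if second_factor_required("outside_office", peer, xff) else "password only")
```

The third and fifth cases are the ones worth testing in any product that offers an IP-based exemption: a client that simply claims to be in the office must still be challenged.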
Visible Boost only use UK Datacentres
The GDPR restricts transfers of personal data to countries outside the EU/EEA unless an adequacy decision or another approved safeguard applies.
Visible Boost uses only UK-based datacentres, and we have appropriate data processing agreements in place with our suppliers. Our datacentre suppliers are ISO 27001 certified. Since the UK left the EU, this arrangement relies on the European Commission's adequacy decision for the UK (adopted in June 2021) rather than on the UK being an EU member state.
What should Customers be doing now?
Customers need to take GDPR seriously and will need to look at where they should be updating their own policies and procedures to be compliant. A good place to start is the Information Commissioner’s Office: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/. There is no ‘one size fits all’ solution, your business’ obligations under the GDPR may well be different to your competitors.
With the additional rights Candidates have under the GDPR, Customers need to update their Privacy Policies so that, each time they collect personal data from Candidates, they provide the information required by Article 13 in a clear and understandable form. Amongst other things, this covers: what data is held; how it is used (including whether any automated decision making takes place); who the data might be shared with (including Visible Boost); how long it is stored for; whether the data is transferred between systems; and how Candidates can exercise their rights under the GDPR.
Our ICO Data Protection Registration
Visible Boost is registered for Data Protection with the Information Commissioner's Office (ICO).