As previously discussed here on the blog, the EU General Data Protection Regulation (GDPR) is about to be enforced and companies around the world are (or should be) putting all their efforts into becoming compliant with the new regulation on data privacy and protection.
From 25 May onwards, any company that processes an EU citizen's data, whether the company itself is located inside or outside the EU, has to comply with the new rules for controlling and processing data. This new data protection regulation affects companies (data controllers and data processors) across all industries, including HR and Recruitment. The EU is determined to ensure that its citizens' data is truly protected: it has established fines for non-compliance of up to €20M or four percent of the company's annual worldwide turnover, whichever is higher, for the most serious violations.
How did skeeled prepare for GDPR?
Here at skeeled, we have always taken data protection very seriously and we believe that the GDPR is an important milestone in data privacy. Hence, we've been busy these last few months reviewing and updating our internal processes, procedures and documentation, and incorporating the GDPR principles into our product development planning to make sure that we fulfil all obligations and requirements.
Here are some of the measures we took in order to be GDPR-ready:
1. Data Processing Agreement Update
We updated our data processing agreement to meet the requirements of the GDPR and to give our customers sufficient guarantees that we've implemented appropriate technical and organisational measures to ensure the protection of EU citizens' data.
2. Third-Party Vendors Contract Review
We choose our vendors very carefully, and in order to ensure that they too are GDPR-ready and can lawfully receive, process and transfer EU personal data, we've reviewed and updated all our contracts with them.
3. International Data Transfer Certification
As an additional measure to comply with the EU data protection rules related to international data transfers, we only work with vendors outside the EU that are certified under the E.U.-U.S. Privacy Shield, which is a framework negotiated and agreed by the European Commission and the U.S. Department of Commerce as a lawful way of transferring personal data.
4. Extended Rights of Individuals
After an extensive analysis of our software's features, we identified the improvements and additions needed to satisfy data protection requests from users exercising their expanded individual rights under the GDPR: data access, data rectification and data deletion.
5. Data Processing Records
As this is one of the most important data protection requirements, we built records of processing activities and personal data flows, and implemented processes and procedures to ensure we know where personal data is located and which applications have access to it.
6. Data Breach Notifications
The importance of this requirement is obvious. Even though skeeled has a robust security system, we have also put in place new procedures to guarantee that, in the event of a personal data breach, the competent EU supervisory authority is notified within 72 hours of our becoming aware of it, as the GDPR requires, and the affected individuals are notified without undue delay.
As to how these measures impact the way skeeled works, it’s very simple:
• Candidates must give consent before filling in and submitting a job application, and to do so they must read and accept our Terms and Conditions, which clearly state what data is being processed and how it is being processed;
• After a job application is submitted, skeeled keeps the candidate's personal data for a period of 12 months. Before these 12 months expire, we contact the candidate and ask for their explicit consent to keep their data for a further 12-month period, a request they are free to answer yes or no. This allows them to be considered for another position within the company they initially applied to. Regardless of this, candidates have at all times the right to access, rectify or delete their data. Requests must be sent to our customer support (firstname.lastname@example.org);
• We maintain a high level of security that includes both technical and organisational security controls. All data transfers are encrypted, and data is anonymised wherever possible, to prevent data loss, information leaks or other unauthorised data processing operations;
• All data controllers and processors we work with are either subject to the GDPR themselves or certified under the E.U.-U.S. Privacy Shield.
Overall, ensuring skeeled users' data privacy and protection is part of our core responsibilities and values. Thus, we'll keep reviewing and updating our security system and continuously look for ways to improve our data protection practices.
Thanks for reading and see you next time!
Your team here at skeeled