HRMTS & GDPR
Foreword
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
This document describes HRTMS' attention and efforts to implement the GDPR compliance in the System on behalf of our Customers.
External Resources
Please see the following resources for more information:
The Most Important
The following are the most important obligations GDPR features:
Consent to Processing Data
A data controller must be able to demonstrate that consent to process personal data has been given by the data subject before processing of their data is started.
Existing consents, such as End User Agreements already in place, will probably work if they meet new conditions. It is important to remember, however, that requirements of the GDPR are more.
Where to find the rules?
- Article 4: Definitions; (11) the data subject’s consent
- Article 7: Conditions for consent
- Article 8: Conditions applicable to child’s consent in relation to information society services
- Article 9: Processing of special categories of personal data
- Article 14: Information to be provided where the data are collected from the data subject
Access to Data
Data subjects have a right to know what personal data of theirs is being stored and how it is being processed. They can also ask for their data to be corrected if it is wrong. There is now also a requirement for data portability, meaning individuals can request their data to be delivered in a structured and commonly used file format, so that it can be transferred to some other organization.
Where to find the rules?
- Article 15: Right of access for the data subject
- Article 16: Right to rectification
- Article 19: Notification regarding rectification, erasure or restriction
- Article 20: Right to data portability
Data Minimization & Restriction of Processing
Personal data shall only be stored and processed to the extent where it is necessary to the explicit purpose for which the data was originally collected. Data shall also not be stored longer than necessary. Data subjects can also restrict processing of their data to certain purposes, e.g. direct marketing.
Where to find the rules?
- Article 6: Lawfulness of processing
- Article 18: Right to restriction of processing
- Article 19: Notification regarding rectification, erasure or restriction
Right to be Forgotten
Data subjects may withdraw their consent to process their data at any time, and ask the data controller to erase their personal data. This must be done without undue delay. Reasonable steps must also be taken to inform third parties to remove any copies of that data.
Where to find the rules?
- Article 17: Right to erasure (“right to be forgotten”)
- Article 19: Notification regarding rectification, erasure or restriction
Obligation to Inform in Case of a Data Breach
In case of critical data breaches, the data controller/processor must inform the Supervising Authorities. The data subjects also must be notified if the data breach results in a significant risk to the impacted data subjects. These notifications must to be issued without undue delay, not later than 72 hours.
Where to find the rules?
- Article 4: Definitions; (12) personal data breach
- Article 33: Notification of a personal data breach to the supervisory authority
- Article 34: Communication of a personal data breach to the data subject
Naming a Data Protection Officer
The data controller/processor must appoint a Data Protection Officer (DPO). The DPO can be either contracted or directly employed. Although mandatory for public authorities, the private organizations must also appoint a DPO, if the data processing includes regular, systematic and large scale monitoring of data subjects.
Where to find the rules?
- Article 37: Designation of the data protection officer
- Article 38: Position of the data protection officer
- Article 39: Tasks of the data protection officer
What Does It Mean for the Customers of HRMTS?
HRMTS' goal is to provide the Customers with a default configuration, so that their use of the System is 100% compatible with GDPR right out of the box (Privacy by Design and Privacy by Default). This way, the Customers do not have to worry about anything. However, those Customers who have heavily modified email templates and various custom text will need to update the contents on few of them. HRMTS Support will assist them fully in this process for a smooth and transparent transition.
What is HRMTS Doing?
HRMTS has full focus on GDPR, and is undergoing modifications and optimizations to implement the GDPR compliance in the System on behalf of our Customers. Following is a brief overview of some of the most visible efforts. (Not in a particular order.)
Scope
HRMTS offers three main applications:
- Talent Recruiter
- Talent Manager
- Talent Onboarding
The work around GDPR compliance focuses on following areas:
| Focus Area | |
|---|---|
| Applications |
|
| Organization |
|
| Vendors & Suppliers |
|
Categorization of Data
The foremost important task in the GDPR compliance is to identify and categorize the types of data, stored and processed in the applications, upon which all the controls will be built on. The data will be divided into three categories:
| Category | Definition Under the GDPR |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Sensitive Data | Personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. |
Non-Personal Data | Any information that by itself cannot be used to identify a person. (Non-Identifiable, de-personalized, anonymous) |
The applications are already designed according to the Principle of Least Privilege, where all access is closed, except when necessary for authorized users and legitimate purposes. More efforts are being put in to gain the full level of Privacy by Design and Privacy by Default. Each application uses different sets of data. The categorization of data will make it possible to implement processes and controls to provide maximum protection. The applications will implement special rights based on which users can access and use the various categories of data. On the organization level, similar controls will be implemented based on the role of the staff members. Similar controls and processes will be implemented for vendors and suppliers.
New Options to Data Subjects
The data subjects will be given access to following new features:
Access to Data
The data subjects will be provided option to request an overview of their personal data stored and processed in the applications.
Right to Rectification
The data subjects will be provided option to rectify their data, in accordance with the regulations, even after application form is locked after due date. (Applies to Talent Recruiter.)
Right to be Forgotten
The data subjects will be provided option to request (demand) to be forgotten by the applications. In this case, the applications will delete all their personal data from the System, only keeping non-identifiable metadata for statistics and references. The deletion will also propagate to backups of the databases.
Extended User Rights
The applications will offer extended roles and rights for the users for accommodate their usage according to GDPR. The following is a brief overview of the new rights:
| Right | Description |
|---|---|
| GDPR Officer | Assigned to an administrative user that will receive various notifications regarding GDPR, and also trigger deletion of data requested by data subjects. |
| View Personal Data | Assigned to a user that is permitted to view personal data of data subjects. |
| Edit Personal Data | Assigned to a user that is permitted to edit personal data of data subjects. |
| Print/Email Personal Data | Assigned to a user that is permitted to print/email personal data of data subjects. |
| Delete Personal Data | Assigned to a user that is permitted to delete personal data of data subjects. |
| View Sensitive Data | Assigned to a user that is permitted to view sensitive data of data subjects. |
| Edit Sensitive Data | Assigned to a user that is permitted to edit sensitive data of data subjects. |
| Print/Email Sensitive Data | Assigned to a user that is permitted to print/email sensitive data of data subjects. |
| Delete Sensitive Data | Assigned to a user that is permitted to delete sensitive data of data subjects. |
Extension of User Roles
The user roles will also be extended to fine-tune which roles can view what type of documents. E.g. it will be possible to configure that some users can only see the CV of the candidates, while others can also see the diplomas, and so forth. In case of Talent Manager, the extension will also include configuring job types.
Minimize Document Download & Sending
The documents uploaded by data subjects may contain various types of data that is not possible to categorize. As all the applications offer functions to download and email the documents, it also poses a challenge to keep track of them once they have left the System. Although, it is technically the users' (Customers') responsibility to use these functions with care, HRMTS plans to offer mechanisms to make it easier for the users to continue work as they are used to while minimizing the risks.
View Documents in the Browser
The first function to be offered will be the option to view the documents right in the application (Internet Browser) without the need to download them. They will still have the option to download them, but only when the intent is exactly that.
Send Links to Documents Instead of Attachments
The second function to be offered will be the option to send the documents in the emails as links, instead of attachments. The recipients of the emails can click on the links to view the documents right in the application (Internet Browser) without the need to download them. They will still have the option to download them, but only when the intent is exactly that.
In addition, there will be an option to configure a time limit for validity on these links, so that they get expired after X number of days.
Stop/Limit Access from Outside EU
All access to data will by default be limited to inside EU, except for following:
- The Customers configure their accounts to allow their users to access data outside EU.
- HRMTS' DBA outside EU who will be performing database administration, and creating custom reports.
Exhaustive Logging
All applications will offer exhaustive logging (in terms of activity logs) for the administrators where they can keep track of which users have accessed, edited, or deleted what type of data. The logs will also explicitly keep track of all access from outside EU.
Updated DPA with Customers
All Data Processing Agreements (DPAs) will be updated with Customers to include the terms and conditions of GDPR.
Updated Consents from Data Subjects
All data subjects will receive option to give/renew their consent to updated terms for data storage and its use.
Appendix A - Infrastructure for data handling
Encryption and security
More information on how HR Manager treats data when it comes to encryption can be found here: Encryption and security of data in HRMTS.
Logging
Read about different levels of logging supported by HR Manager here: Logging in HRMTS
Database backups
Read about our backup routines and find information about how we do backups of databases.
Authentication and Authorization
Authentication is done our identity server, HRID, and users are authorized through department memberships and roles. Read more about it here : Authentication and Authorization
Appendix B - Additional GDPR Checklists
The following are the guiding checklists used by HRMTS to focus on various details of the compliance.
Application Checklist
| Main Area | Sub Area | Checkpoint | |
|---|---|---|---|
| Privacy by Design & Privacy by Default | Personal & Sensitive Data Protection | Sensitive data protection principles are part of the core application design. | |
| The application has data classification or data taxonomy features for personal and sensitive data. | |||
| Prevent unencrypted personal and sensitive data from leaving the perimeter during data transfer. | |||
| Log and monitor network traffic to identify and investigate inappropriate personal and sensitive data transfers. | |||
Ensure data exchange through secure means during data collection and exchange with third parties. | |||
Ensure mechanisms for anonymization of personal and sensitive data based on stripping, so that data is no longer personal or sensitive. | |||
Ensure mechanisms for anonymization of personal and sensitive data based on encryption / pseudonymization, so that data is still personal or sensitive when used with certain criteria/keys. | |||
| Ensure mechanisms for anonymization of personal and sensitive data while porting data from production systems to test/development systems. | |||
Ensure mechanisms for anonymization of personal and sensitive data from reports, and other interfaces. | |||
Ensure mechanisms for restriction of copying of personal and sensitive data to unapproved containers (e.g. email, web browsers), including controlling the ability to copy, paste and print sections of document. | |||
Ensure mechanisms for hardening mobile device configurations and features such as password protection and remote wipe facilities. | |||
| Deployment Controls | Ensure change management controls to detect any addition / deletion of personal data or sensitive fields in the application. | ||
| Ensure that the application tracks all the changes made to an individual's personal data. | |||
| Operationalization | Ensure application scalability and future-proofing for GDPR compliance for all future possible changes in the application. | ||
| Documentation | Ensure Privacy by Design & Privacy by Default in the application. | ||
Certify the application to comply with requirements for Privacy by Design & Privacy by Default. | |||
| Rights & Consent Management | Capture Rights | Ensure mechanisms to capture data subjects' rights to consent, to be forgotten, and so forth. | |
Ensure that intentional updates of personal data are synchronized to all relevant places where the information is stored in the application. | |||
Ensure that application systematically removes any personal data of a subject upon request. (Right to be forgotten.) | |||
Ensure that application supports controllers obligation to inform the data subject of the collection of personal data. (E.g. built-in notice to the user when signing up in a website.) | |||
| Consents | Ensure that the application have features to track or alert consent decisions to authorities in the organization. (E.g. DPO) | ||
| Ensure that the application has features to collect and store consents. | |||
Ensure that the application provides functions to document digital consent (not signed) from data subject or other authorization for processing of personal data (lawfulness of processing). (E.g. log files documenting user acceptance, or technical documentation that it is not possible to create a user profiles without giving consent.) | |||
| Automation | Ensure that the application has automated ways to comply with the rights of the data subject. | ||
Ensure to describe automated compliance of rights in the system documentation. | |||
| Governance | Data | Ensure that the application tracks and logs all the changes made to an data subjects' personal data. | |
Consider to introduce feature for de-duplication of sensitive data. | |||
Consider handling multi-lingual sensitive data. | |||
| Technology | Consider an automated governance process for securing the data in motion, in use and in rest. | ||
| Process | Ensure set up of processes and policies for personal data usage/consumption. | ||
Consider processes by which following gets updated regularly:
| |||
Ensure maintenance of rights traceability. Document the process in data sharing at application level. | |||
| Document the method of customer data archival. | |||
| People | Document role based access for different datasets. | ||
Document the security levels existing today. (E.g. Row based, object based, Report based etc.) | |||
Ensure flexible configuration supporting easy changes in access rights. (E.g. when changes in organization or reassignments) | |||
| Breach Assistance | Monitoring | Ensure that the application has a breach notification capability. | |
| Ensure that it is possible to generate fully comprehensive and reliable compliance reports. | |||
| Breach Prevention | Ensure that the application has a methodology for breach prevention. (E.g. predictive analytics solutions) | ||
| Assurance | Quality Framework | Document assurance practices or controls. |
Organization Checklist
| Main Area | Sub Area | Checkpoint | |
|---|---|---|---|
| Organization & Setup | Warranty, Certificates & Authorizations | Provide a warranty to implement applicable physical, technical and organizational security requirements to comply with GDPR and the rights of data subjects. | |
Prepare a Code of Conduct that describes guidelines for processing of personal data. | |||
Include the clause the DPA regarding transfer of personal data to outside EEA in regards to DBA. | |||
| Roles & Responsibilities | Appoint Data Protection Officer (DPO). | ||
| Document who will be responsible for fulfilling the obligation to inform Customers in case of security breaches. | |||
| Data Processor Agreement | Standard Data Processor Agreement | Ensure that the DPAs comply with the regulations both before and after 25.05.2018. | |
| Create/update a standard DPA including GDPR requirements. | |||
| Supervisory Authority | Document/clarify any individual requirements of supervisory authorities in Norway, Sweden and Denmark. | ||
| Level of Confidence / Security Level | Document how to assist the Customers to assess/define the applicable security level. | ||
Document how the Customers ca control the HRMTS' compliance with the security requirements. (Including frequency of audits, expenses (time and material) related to audits, etc.) | |||
| Sub-Vendors | Clarify HRMTS' policies around sub-vendors:
| ||
| Procedures | Breach Assistance | Document the contingency plan in case of a security breach. | |
| Document the procedures to notify the Customers', without undue delay, after becoming aware of a personal data breach. | |||
Document the procedures to supply adequate documentation to Customers related to personal data breach, and assist the Customers in ensuring compliance with the obligations to report data breaches to authorities and/or data subjects. | |||
| Procedures | Document how HRMTS will handle inquiries from data subjects with objections or request for access to the processing of their personal data. | ||
Document how HRMTS can access data, during the term of the contract and after its termination. | |||
| Document the termination plan. | |||
Physical Security Document the physical security regarding physical access to personal data and equipment containing personal data. Include details about compliance with requirements, including regular test and evaluation of the efficiency of the security measures. (E.g. lock facilities/rooms, access control, alarm, video surveillance, fire and water damage protection, siting of screens, destruction of data medias, etc.) | |||
Technical Security Document the technical security regarding protection of data from unauthorized access and ensure availability in case of incidents. Include backup routines. Include details about compliance with requirements, including regular test and evaluation of the efficiency of the security measures. (E.g. firewalls, anti-virus, anti-malware, backup, restore, etc.) | |||
Organizational Security Document the organizational security regarding access to personal data only by authorized personnel. Include details about compliance with requirements, including regular test and evaluation of the efficiency of the security measures. (E.g. policies, instructions, internal authorizations, governance of access rights, review of logs, governance of deletion of data, audits, etc.) | |||
| Document contingency plans including worst case scenarios. Also document how they will remain available in worst case scenarios. | |||
| Other Documentation | Document all the personal data processing done in the applications. | ||
| Risk Assessment | Contribution | Document risk assessment. | |
| Document to what extent HRMTS can contribute to Customers' own risk assessments. |
On this page
Terminology
| Term | Description |
|---|---|
| HRMTS | HR Manager Talent Solutions |
| System | Solutions offered by HRMTS, e.g. Talent Recruiter, Talent Manager, Talent Onboarding |
| Customer | Company or organization subscribing the System |
| GDPR | General Data Protection Regulation |
| Personal Data | Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. |
| Data Controller | The entity that determines the purposes, conditions and means of the processing of 'Personal Data'. (In this context, a Customer of HRMTS is represented as 'Data Controller'.) |
| Data Processor | The entity that processes data on behalf of the 'Data Controller'. (In this context, HRMTS is represented as 'Data Processor'.) |
| Data Subject | A natural person whose 'Personal Data' is processed by a 'Data Controller' or 'Data Processor'. (In this context, end-users of the System are represented as 'Data Subjects'.) |
| DPO | Data Protection Officer An expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR. |
| DPA | Data Processing Agreement An agreement between 'Data Controller' and 'Data Processor' to reflect the parties' agreement with regard to the processing 'Personal Data' on behalf of 'Data Controller', in accordance with the requirements of Data Protection Laws. |