The GDPR is an EU regulation but will continue to be applicable to UK-based businesses after Brexit due to the UK’s incoming Data Protection Act 2018. The GDPR will restrict how businesses can handle personal data; that is, data that can be used to identify individuals. It does not restrict business-to-business data handling.
The GDPR uses some specific terminology. Data processing refers to almost any handling of personal data. A data processor carries out the processing. A data controller determines how personal data will be processed. A data subject is a person identifiable by personal data.
Personal data will be required to be processed in accordance with 6 principles. Summarising these principles, data must:
Data subjects will also be given a number of rights. These include rights to information, access, rectification, erasure and portability.
PurelyHR™ takes the data privacy and security of our customers very seriously. We're committed to ensuring the highest standards of data security, and our team is working to ensure all our services are ready for GDPR. We are reviewing our data processing activities, and assessing and prioritizing any changes that need to be made in advance of the GDPR.
You are the data controller when you decide the "purposes" and "means" of any processing of personal data. With PurelyHR™, the Account Administrators are the individuals responsible for the employee data being entered and stored in the system.
Similar to what's already in place for data protection law today, data controllers will have to adopt compliance measures to cover how data is collected, what it is being used for, how long it is being retained for and ensure that people have a right to access the data held about them.
Individual employees of our clients who seek access to their data, or who seek to correct, amend or delete inaccurate data, should direct their requests to their Account Administrators, also known as PurelyHR™ customers. Account Administrators are able to remove and update all personal information and data without the involvement of PurelyHR™.
While PurelyHR™ operates the majority of its services as a data processor, there are some instances in which we operate as a data controller when working with Account Administrators and other third-party businesses. When PurelyHR™ is processing data as a data processor acting on your behalf, your business needs to have its own legal basis to process and share the data with us.
New and Existing Tools Available in PurelyHR for GDPR
Our mission is to make the data processing and control compliance process as painless as possible for PurelyHR™ customers. Below you will find an outline of the features PurelyHR™ is equipped with to help you be compliant, and the new updates we're implementing by the GDPR effective date, which is May 25th, 2018.
In the rare event of a data breach, our system is set up to detect and notify our customers of any incidents. Once a breach has been detected, we will notify affected users without undue delay so that they can take appropriate protective steps.
All PurelyHR™ users have access to view their personal data used in the system except when Account Administrators manually set the “Profile Information View” setting to MINIMAL in the Staff™ Account Settings. At this point, users can view only basic profile information (their name, email address, job title, hired date, department, and office). In order to avoid issues and allow users to access all their personal information, Account Administrators should verify that the default setting for information viewable in profile is set to ALL.
Data Subjects' personal information stored in PurelyHR™ is self-editable when a setting is enabled for employees. Account Administrators can control this parameter in the Account Settings in the Staff™ module. In the case where Data Controllers choose to restrict profile information editing, Data Subjects will need to request changes from their Account Administrators, who have access to edit information on their behalf.
The Data Controller has control over the fate of the user’s information. PurelyHR™ has granted Account Administrators access to permanently delete disabled users from their account at their own convenience upon request from the Data Subject.
The PurelyHR™ Marketing team understands the importance of privacy; therefore, we’ve implemented an email preferences setting inside the PurelyHR™ Account Preferences page to accept or refuse the processing of information for direct marketing or other types of communications. These email subscription types can also be accessed from the emails themselves.
Data controllers now have the ability to download employee data stored in PurelyHR™ directly from their User Profile in Staff™. The data will be easily exported/imported in a standardized format.
We have introduced new account policy consent measures compliant with GDPR to receive and store explicit consent from data controllers upon account creation.