GDPR

PurelyHR™ commitment to data protection

What is GDPR?

The GDPR is an EU regulation but will continue to be applicable to UK-based businesses after Brexit due to the UK’s incoming Data Protection Act 2018. The GDPR will restrict how businesses can handle personal data; that is, data that can be used to identify individuals. It does not restrict business-to-business data handling.

The GDPR uses some specific terminology. Data processing refers to almost any handling of personal data. A data processor carries out the processing. A data controller determines how personal data will be processed. A data subject is a person identifiable by personal data.

Personal data will be required to be processed in accordance with 6 principles. Summarising these principles, data must:

  • Be processed lawfully, fairly and transparently
  • Be collected for specified, explicit and legitimate purposes
  • Be adequate, relevant and limited to what is necessary
  • Be accurate and up to date
  • Permit the identification of data subjects for no longer than necessary
  • Be processed with appropriate security measures

Data subjects will also be given a number of rights. These include rights to information, access, rectification, erasure and portability.

How is PurelyHR™ preparing for GDPR?

PurelyHR™ takes the data privacy and security of our customers very seriously. We're committed to ensuring the highest standards of data security, and our team is working to ensure all our services are ready for GDPR. We are reviewing our data processing activities, and assessing and prioritizing any changes that need to be made in advance of the GDPR.

Account administrators' responsibilities

You are the data controller when you decide the "purposes" and "means" of any processing of personal data. With PurelyHR™, the Account Administrators are the individuals responsible for the employee data being entered and stored in the system.

Similar to what's already in place under data protection law today, data controllers will have to adopt compliance measures covering how data is collected, what it is being used for and how long it is being retained for, and ensure that people have a right to access the data held about them.

PurelyHR™ users

Individual employees of our clients who seek access to their data, or who seek to correct, amend or delete inaccurate data, should direct their requests to their Account Administrators (also known as a PurelyHR™ customer). Account Administrators are able to remove and update all personal information and data without the involvement of PurelyHR™.

PurelyHR™ role in GDPR

While PurelyHR™ operates the majority of its services as a data processor, there are some instances in which we operate as a data controller when working with Account Administrators and other third-party businesses. When PurelyHR™ is processing data as a data processor acting on your behalf, your business needs to have your own legal basis to process and share the data with us.

New and Existing Tools Available in PurelyHR for GDPR

Our mission is to make the data processing and control compliance process as painless as possible for PurelyHR™ customers. Below you will find an outline of the features PurelyHR™ is equipped with to help you be compliant, and the new updates we're implementing by the GDPR effective date, which is May 25th, 2018.

Breach notification

In the rare event of a data breach, our system is set up to detect and notify our customers of any incidents. Once a breach has been detected, we will notify affected users without undue delay so that they can take appropriate protective steps.

Right of access

All PurelyHR™ users have access to view their personal data used in the system, except when Account Administrators manually set the “Profile Information View” setting to MINIMAL in the Staff™ Account Settings. In that case, users can view only basic profile information (their name, email address, job title, hire date, department, and office). In order to avoid issues and allow users to access all their personal information, Account Administrators should verify that the default setting for information viewable in the profile is set to ALL.

Right to rectification

Data Subjects' personal information stored in PurelyHR™ is self-editable when a setting is enabled for employees. Account Administrators can control this parameter in the Account Settings of the Staff™ module. In the case where Data Controllers choose to restrict profile information editing, Data Subjects will need to request changes from their Account Administrators, who have access to edit information on their behalf.

Right to erasure

The Data Controller has control over the fate of the user’s information. PurelyHR™ has granted Account Administrators access to permanently delete disabled users from their account at their own convenience upon request from the Data Subject.

Right to object

The PurelyHR™ Marketing team understands the importance of privacy; therefore we’ve implemented an email preferences setting inside the PurelyHR™ Account Preferences page to accept or refuse the processing of information for direct marketing or other types of communications. These email subscription types can also be accessed from the emails themselves.

Right to data portability

Data controllers now have the ability to download employee data stored in PurelyHR™ directly from the User Profile in Staff™. The data can be easily exported and imported in a standardized format.

Consent

We have introduced new account policy consent measures compliant with GDPR to receive and store explicit consent from data controllers upon account creation.

Privacy policy review

We have implemented changes to our Privacy Policy and Cookie Pages in order to reflect some of the changes mentioned above and align ourselves with all of the GDPR principles of fairness and transparency. The new Privacy Policy goes into effect on May 25, 2018. Please take the time to review the full Privacy Policy here.