WHAT IS GDPR?
Who does it apply to?
The GDPR applies to all organisations operating in the EU and processing “personal identifiable data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.
What implications does GDPR have for organisations processing the personal data of EU citizens?
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organisations will need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organisational measures, as well as compliance policies.
How has Bizimply been preparing for the GDPR?
Bizimply will be compliant with the GDPR when it becomes enforceable in May 2018. Our privacy team is working with customers around the world to answer their questions and to help them prepare for using Bizimply’s Services after the GDPR becomes effective. Additionally, our privacy team is reviewing Bizimply’s current product features and practices to ensure we support our customers with their GDPR compliance requirements.
Under GDPR, Bizimply is a Data Processor and we process personal information on behalf of our customers, who are Data Controllers. It is the Data Controller’s responsibility to obtain consent from their employees for any personal data that they collect. The customer will then grant Bizimply permission to process this information, under a Data Processing Agreement (DPA) or End User License Agreement.
CUSTOMER OBLIGATIONS AS CONTROLLERS
- Data Subject Consent
As a controller you must have consent for storing data about your employees or any other subject whose data is entered into your Bizimply account. We would recommend that this consent be outlined on all employment contracts with employees or third parties.
- Only Required Data
As a customer of Bizimply you are responsible for ensuring that the data you hold about your employees is limited to what is needed, adequate and relevant for the specific purpose.
- Data Access
You must ensure that you have set correct system access roles for users to limit and protect the data that they can access.
- Data Removal
It is your responsibility to ensure that personal data is removed from all systems when it is no longer needed. Our systems are designed to maintain a high level of integrity, meaning that your data will remain as entered and unchanged. It is up to you to comply with any legal obligation you have to store data in each system you use and to determine the length of time it is stored for.
OUR OBLIGATIONS AS PROCESSORS
If a company collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to use third-party data processors (like Bizimply) who guarantee their ability to implement the technical and organisational requirements of the GDPR. While the existing product today can comply with GDPR, doing so may not be as simple as it could be. Our goal is to make this as easy as possible. To further earn our customers’ trust, our DPA has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR. Our contractual commitments guarantee the following:
- Data Access Requests
Our customers can respond to requests from data subjects (employees) to correct, amend or delete personal data. Currently, deletion of employee data from Bizimply must be requested by contacting firstname.lastname@example.org, but we will be releasing feature updates to give customers complete control.
- Reporting Data Breaches
Under the GDPR, Bizimply is required to report data breaches to the relevant data protection authority within 72 hours. As part of our information security incident management procedure, appropriate communications will be made, including notifications to all affected parties.
- Conduct Privacy Impact Assessments (PIA)
A PIA is essentially a risk assessment of proposed processing of personal data. If we are making any changes to how we process personal data that is likely to result in a high risk to the data subject’s rights, a PIA must be carried out prior to commencing any processing.
- Demonstrate Compliance
Customers using Bizimply will be able to demonstrate GDPR compliance pertaining to Bizimply’s services.
WHAT WE ARE DOING TO ENSURE COMPLIANCE
- GDPR Programme
We have actively engaged in a programme of work to comply with the GDPR regulation, which we are on track to complete by 25th May 2018.
- Updated Terms
We plan on specifically updating our terms to reflect the GDPR, and will make these updates available in advance of the GDPR coming into force to facilitate our customers’ compliance assessment and GDPR readiness.
- EU Data Storage
We ensure that all customer data is stored in the EU and never leaves the EU. All data is stored securely in the Amazon cloud. Read more about AWS Security.
- Data Privacy Officer (DPO)
At Bizimply we have implemented an internal GDPR team to ensure our compliance with GDPR by May 25th 2018. As part of this compliance we have also appointed a Bizimply DPO who eats, sleeps and breathes data protection.
- Data Flow Documentation
At Bizimply we are documenting all data flows within our product and company to ensure personal data of our customers remains secure at all times.
- ISO 27001:2013 Compliance
We have also decided to pursue ISO 27001:2013 accreditation, which will further cement our commitment to our customers’ data security and ensure that the way data is handled across the organisation is top notch.
HOW WE ALREADY PROTECT DATA
All data stored in Bizimply is encrypted. We are also implementing an Information Security Management System (ISMS) aligned to the ISO 27001:2013 standard. This includes staff training, identifying and mitigating risks, and following industry best practices for securing data.
QUESTIONS AND ANSWERS
This section will continue to be updated as more questions are asked by our customers:
How will we handle Subject Access Requests (SARs)?
Bizimply acts as a Data Processor on behalf of its customers, so we are not able to process SARs on your behalf. If we receive a SAR from one of your employees we will forward the request to you.
Do employees now need to give consent?
The processing of HR data is in the legitimate interest of the employer and required to fulfil a contractual obligation. In order to ensure that the rights of employees are not unfairly compromised, there must be full and transparent disclosure of what data processing is taking place and for what purposes. We would recommend that our customers make it clear to their employees what data is captured and where it is being stored (you may use something other than Bizimply to store employee data), and ensure that the data captured is for a legitimate business reason.
By law we are required to keep employee data for 7 years. Will Bizimply automatically delete the data after the 7 years?
No. Bizimply, as the processor, will not auto-delete data, but at the Data Controller’s (customer’s) request employee data can be removed from Bizimply. It is up to the controller to determine the length of time to keep data in Bizimply.
Is the current data we gather on employees all valid in terms of the new GDPR guidelines?
It is up to the controller (customer) to determine what data is required. GDPR legislation states that: “Personal data shall be limited to what is necessary in relation to the purposes for which they are processed.” In other words, the information you keep on Bizimply should only be relevant to what is required for legitimate business purposes.