HR and GDPR
- What is GDPR?
- What is the purpose of GDPR?
- When does the regulation come into effect?
- Will Staff Squared be compliant with GDPR when it comes into effect? How will this affect me and my use of Staff Squared?
- How is Staff Squared independently audited?
- What personal data do you process?
- What do you do with the data Staff Squared collects?
- Where is the data you collect processed?
- How long does Staff Squared retain data for?
- If the data subject asked to be supplied with the information about them that you hold, could you do this?
- Could you change the personal data you hold if it was incorrect or incomplete?
- My business uses Staff Squared; do I need to put any new measures into place with my customers in advance of GDPR coming into effect?
- Does Staff Squared have an appointed GDPR representative I can contact regarding any additional queries I have?
1. What is GDPR?
The General Data Protection Regulation (GDPR) is a new pan-European regulation, which comes into effect on 25 May 2018, replacing the 1995 EU Data Protection Directive. On the same day, the UK’s Data Protection Bill will also pass into law as the Data Protection Act 2018, effectively implementing the GDPR in UK law. The GDPR and the Data Protection Act 2018 expand the privacy rights granted to data subjects (EU/EEA individuals) and place greater obligations on organisations that handle the personal data of those individuals (data controllers and processors), wherever those organisations are based.
2. What is the purpose of GDPR?
The purpose of the GDPR and the UK’s Data Protection Bill is to provide a set of standardised data protection laws across EU member countries (and the post-Brexit UK) which give EU and UK citizens greater control over their personal data. For example, it gives you greater transparency into how your data is being used and ensures that the organisations you entrust with your data are taking care of it. The regulation comes at a time when more and more personal data is being generated by every individual as they use more services and technologies.
3. When does the regulation come into effect?
25 May 2018.
4. Will Staff Squared be compliant with GDPR when it comes into effect? How will this affect me and my use of Staff Squared?
Staff Squared is continuing to work to ensure we are compliant with GDPR by May 2018. This work includes updating all our customer-facing materials and agreements. As we finalise these, we will proactively contact our customers to provide relevant updates. We will also be providing further updates via our blog, and would invite you to keep an eye out for that information once it is available.
5. How is Staff Squared independently audited?
Staff Squared and its parent company, Atlas Computer Systems Ltd., are Cyber Essentials Plus accredited as of May 2018. We are simultaneously pursuing the ISO27001 standard, and will be externally assessed for this in 2019. Across the business we have a culture of data awareness, and we continually review and improve our security processes. Our security programme is managed by a dedicated committee of managers and specialists from across the business, headed by our Managing Director.
8. Where is the data you collect processed?
Staff Squared relies on a number of component services and providers in order to deliver software services to our customers. All of our main processing is carried out on servers located in the European Economic Area (EEA).
9. How long does Staff Squared retain data for?
We only keep your personal data for as long as we actually need it to provide our services. In practice this means that we will keep closed account information for up to three months following its closure. Please note that we may anonymise your personal data or use it for statistical purposes. We keep anonymised and statistical data indefinitely, but we take care to ensure that such data can no longer identify or be connected to any individual.
10. If the data subject asked to be supplied with the information about them that you hold, could you do this?
Any such query should be shared with the ‘data controller’ of your personal data. This may be your Staff Squared account owner or administrator. If you send through your query, we can direct you to the appropriate party.
11. Could you change the personal data you hold if it was incorrect or incomplete?
Where appropriate, Staff Squared will be in a position to action such requests.
12. My business uses Staff Squared; do I need to put any new measures into place with my customers in advance of GDPR coming into effect?
As a data controller, you are responsible for ensuring that you have proper grounds for processing your employees’ personal data in compliance with the GDPR. Some points for you to consider include:
- Firstly, familiarise yourself with the provisions of the GDPR, especially the differences from your current data protection obligations.
- Consider creating an updated inventory of personal data that you handle. You can use Staff Squared to help identify and classify data.
- Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR. If not, build a plan to address any areas that need amending.
- Monitor updated regulatory guidance as it becomes available.