General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a comprehensive update to existing European Union laws that goes into effect on May 25, 2018. The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU residents' data privacy, and to reshape the way organizations across the region approach data privacy.
GDPR Principles Related to Processing of Personal Data
Within the GDPR framework, in most cases IHRDC is considered a Processor with respect to our customers' employee data. Although we will be compliant with all of the GDPR requirements, we are placing special emphasis on the six principles of processing personal data as referenced in Article 5 of the GDPR.
|GDPR Principle||GDPR Principle Verbiage||IHRDC Compliance Efforts|
|1. Lawfulness, fairness and transparency||a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')||IHRDC will offer customers a robust data processing addendum containing strong privacy commitments that are aligned with the spirit of "lawfulness, fairness, and transparency" as expressed in Article 5(a). This addendum also contains specific provisions to assist customers in their compliance with the GDPR. In addition, we are in the process of reviewing all of the ways in which we process customer and user data. For each process we will provide methods for users to consent in advance of processing as well as to withdraw consent at a later time.|
|2. Purpose limitation||b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation')||IHRDC will ensure that the purposes of the processing are precisely and fully identified prior to, or at the moment of, collection. The objective is to make explicit and communicate the reasons why their data are collected and processed.|
|3. Data minimisation||c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')||IHRDC is committed to capturing only the personally identifiable information necessary to provide the highest value to our customers. As part of our GDPR readiness effort, we will inventory and review all data captured by our products and eliminate personally identifiable information that is not in alignment with the value we offer to our customers through our various product offerings.|
|4. Accuracy||d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy')||IHRDC is working to provide policies, procedures, and features for users to review the data stored within our products and easily request corrections and even export for portability.|
|5. Storage limitation||e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation')||IHRDC will be reviewing all policies related to data storage. We will unify our policies across all lines of business to retain user data only as long as necessary and to provide users with the ability to export their data for portability purposes.|
|6. Integrity and confidentiality||f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')||IHRDC is working to enhance our systems to have security built into every layer of our product platforms. The infrastructure layers will include replication, backup, and disaster recovery planning. Network services already have encryption in transit and advanced threat detection. Our application services have implemented identity, authentication, and user permissions.|