© Copyright 2018 SilkRoad

GDPR


Disclaimer

This session about the GDPR relates to the operational steps SilkRoad is taking to address our obligations as a SaaS vendor and "processor" under the GDPR.

It is not intended to be a legal opinion or legal advice on how the GDPR should be interpreted. You should seek independent legal advice from your own advisors regarding the requirements for your company to comply with its obligations under the GDPR.

What is GDPR?

The EU General Data Protection Regulation (GDPR) replaces the previous Data Protection Directive (95/46/EC). It is designed to harmonize data privacy laws across Europe. It gives individuals in the EU control over how their personal data is used. It will reshape the way organizations approach data privacy.

It's pretty straightforward

Source: Winfried Veil


Primary GDPR Entities

Controller: SilkRoad Customer
Processor: SilkRoad

Some Important GDPR Constructs

The following slides provide an overview of the main changes from the previous European directive. The wording is a condensed extract from the GDPR website www.eugdpr.org.

What is a "Person" as defined in GDPR?

• Prospects, customers, business partners and vendors of Client (who are natural persons);
• Employees or contact persons of Client's prospects, customers, business partners and vendors;
• Employees, agents, advisors, freelancers of Client (who are natural persons); and/or
• Client's end-users authorized by Client to use the SilkRoad Applications.

"Personal" PI Data as viewed by GDPR

• Identification and contact data (name, address, title, contact details)
• Financial information (credit card details, account details, payment information)
• Employment details (employer, job title, geographic location, area of responsibility); and/or
• IT information (IP addresses, usage data, cookies data, location data).

"Sensitive" PI data as viewed by GDPR (the "special categories" of Article 9)

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data, and biometric data processed for the purpose of uniquely identifying a natural person
• Data concerning health
• Data concerning a natural person's sex life or sexual orientation

Increased Territorial Scope

Extended jurisdiction. Applies to all companies processing the personal data of data subjects in the Union, regardless of the company's location, where the processing relates to offering those data subjects goods or services or to monitoring their behaviour (Article 3).

Penalties

Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).


Consent

Clear and plain language for the Data Subject to provide Consent on how their data is used. It must be as easy to withdraw consent as it is to give it. It is the Controller's responsibility to obtain the required consents from its employees and candidates.

Data Protection Officer Appointment

A Data Protection Officer must be appointed where Article 37 requires one (public authorities, and organisations whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special-category data). Responsibilities are broad: monitoring compliance, training data processing staff, conducting internal audits.

Breach Notification

Controllers must notify the supervisory authority within 72 hours of first becoming aware of a personal data breach. Data processors are also required to notify their customers, the "controllers", without undue delay after becoming aware of a breach, so the controller's 72-hour clock can be met.

Right to Access

Controllers must confirm to data subjects whether their personal data is being processed, where, and for what purpose. The controller shall provide a copy of the personal data, free of charge, in an electronic format where the request was made electronically.

Right to be Forgotten

The Controller must erase the data subject's personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Among other things, the Controller must weigh the subject's rights against what is "in the public interest in the availability of the data".

Data Portability

Data subjects have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format. Data subjects also have the right to transmit that data to another Controller.

Privacy by Design

Calls for the inclusion of data protection from the outset of system design, rather than as an addition. The Controller shall implement appropriate measures in order to protect the rights of data subjects. Controllers shall hold and process only the data absolutely necessary for the completion of their duties (data minimisation).

Onboarding

Who performs each step (X = responsible party):

                 Consent   Withdraw Consent   Request to Purge   Purge   Request to Copy   Copy
Controller          X             X                  X             X            X           X
Processor           -             -                  -             -            -           -

Processor notes:

• Consent: an eForm can be used to gather consent.
• Purge: the Controller can initiate the purge of employee records in the user interface or via the API. The user interface can purge up to 500 users at a time. Purged data is permanently purged and is NOT recoverable.
• Copy: the Onboarding APIs are designed to return a copy of all the data stored. The user interface also offers options to collect all the data stored about a user.
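Added example, not SilkRoad's code (the slide names no endpoint or parameters): a small Python purge job that mirrors the user-interface ceiling of 500 users per purge and adds the guards an irreversible erasure needs: ID validation, de-duplication, a dry-run default, and an append-only audit record per batch kept outside the purged dataset. `PurgeApi`, `AuditLog`, `plan_purge`, `run_purge`, the `DSAR-...` request ID and the `emp-NNNNN` identifiers are all hypothetical, constructed for this example.

```python
"""Batch a GDPR erasure (purge) request into chunks of at most 500 user IDs,
the same ceiling the Onboarding user interface enforces, with the guards a
permanently irreversible operation needs: validation, de-duplication, a
dry-run default and an append-only audit record per batch.

Hypothetical client: PurgeApi stands in for the vendor's purge API, whose real
name and signature are not given on the slide.
"""
from __future__ import annotations

import datetime as dt
import json
from dataclasses import dataclass, field

UI_BATCH_LIMIT = 500  # the "500 users at a time" limit stated on the slide


def plan_purge(user_ids, batch_size=UI_BATCH_LIMIT):
    """Validate and de-duplicate IDs, then split them into ordered batches."""
    if not 1 <= batch_size <= UI_BATCH_LIMIT:
        raise ValueError(f"batch_size must be 1..{UI_BATCH_LIMIT}")
    seen = set()
    clean = []
    for uid in user_ids:
        if not isinstance(uid, str) or not uid.strip():
            raise ValueError(f"invalid user id: {uid!r}")
        if uid not in seen:  # a duplicate ID must not trigger a second purge call
            seen.add(uid)
            clean.append(uid)
    return [clean[i:i + batch_size] for i in range(0, len(clean), batch_size)]


@dataclass
class PurgeApi:
    """Stand-in for the vendor purge API (hypothetical); records what it purged."""
    purged: list = field(default_factory=list)

    def purge_users(self, ids):
        self.purged.extend(ids)
        return {"purged": len(ids)}


@dataclass
class AuditLog:
    """Append-only record of every purge batch; store it outside the purged data."""
    entries: list = field(default_factory=list)

    def record(self, request_id, batch_no, ids, result):
        self.entries.append(json.dumps({
            "ts": dt.datetime.now(dt.timezone.utc).isoformat(),
            "request_id": request_id,
            "batch": batch_no,
            "count": len(ids),
            "ids": ids,
            "result": result,
        }))


def run_purge(api, audit, request_id, user_ids, confirm=False):
    """Execute the purge in batches. Without confirm=True only the plan is returned."""
    batches = plan_purge(user_ids)
    if not confirm:
        return {"dry_run": True, "batches": len(batches),
                "users": sum(len(b) for b in batches)}
    purged = 0
    for n, batch in enumerate(batches, start=1):
        result = api.purge_users(batch)
        audit.record(request_id, n, batch, result)  # log each batch before moving on
        purged += result["purged"]
    return {"dry_run": False, "batches": len(batches), "users": purged}


if __name__ == "__main__":
    # Constructed sample: 1,203 distinct IDs plus one duplicate -> 3 batches (500, 500, 203).
    sample = [f"emp-{i:05d}" for i in range(1203)] + ["emp-00007"]
    api, audit = PurgeApi(), AuditLog()
    print(run_purge(api, audit, "DSAR-2018-0042", sample))                # dry run first
    print(run_purge(api, audit, "DSAR-2018-0042", sample, confirm=True))  # irreversible
    print(len(audit.entries), "audit entries")
```

The dry run is the default because, as the slide says, purged data is not recoverable: an operator sees the batch count and user count before anything is deleted, and the audit log is what the Controller later produces to show that an erasure request was fulfilled.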


Recruiting

Who performs each step (X = responsible party):

                 Consent   Withdraw Consent   Request to Purge   Purge   Request to Copy   Copy
Controller          X             X                  X             X            X           X
Processor           -             -                  -             -            -           X

The original slide also marks the Processor for one of the other steps; the extracted layout does not show which one.

• Consent will come from:
  • the candidate, during pre-submission prior to applying; and
  • all SilkRoad ATS users who create or upload resumes manually (one-time).

Performance

Who performs each step (X = responsible party):

                 Consent   Withdraw Consent   Request to Purge   Purge   Request to Copy   Copy
Controller          X             X                  X             X            X           X
Processor           -             -                  -             -            -           -

• Performance (Agile): individual data purge is handled via the Onboarding database.
• Performance (Wingspan): individual data purge is handled via the Manage Team Members navigation.
• Copy user data using the reporting functionality.
• Purged data is permanently purged and is NOT recoverable.

Learning

Who performs each step (X = responsible party):

                 Consent   Withdraw Consent   Request to Purge   Purge   Request to Copy   Copy
Controller          X             X                  X             X            X           X
Processor           -             -                  -             -            -           -

• Learning tools enable the Controller (customers) to:
  • initiate and purge an individual user's PI data using the purge data function;
  • initiate and copy user record data using the reporting function.
• Purged data is permanently purged and is NOT recoverable.

HRMS / Heartbeat / Connect

Who performs each step (X = responsible party):

                 Consent   Withdraw Consent   Request to Purge   Purge   Request to Copy   Copy
Controller          X             X                  X             -            X           -
Processor           -             -                  -             X            -           X

• Purge is performed through back-end tools that SilkRoad operates.
• Copy is performed the same way, through back-end tools.

Discussion


SHRM: 18-714D1
