GDPR COMPLIANCE COMMITMENT
Like nearly every other technology company, we have been closely following developments related to GDPR. Working in conjunction with our customers and outside advisors, Leoforce has implemented and continues to implement policies, procedures and security enhancements to ensure that Leoforce will comply with applicable GDPR regulations as a data processor when they take effect on May 25, 2018. We have a dedicated team of internal and external resources who continue to monitor GDPR as it moves to become more clearly defined over the coming months and years, and who will continue to inform our strategy for GDPR.
We’re also committed to helping our customers meet their GDPR obligations, and we will continue to make additional required service and/or organizational changes as and when indicated by new legislation. We believe that our current company practices are very respectful of all applicable privacy laws, but we are nonetheless using our GDPR readiness preparations as another opportunity to ensure that we do even better. We will keep our clients, partners and regulatory authorities informed throughout this process.
What is GDPR?
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years, replacing the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU residents have over their data, and creating a uniform data protection law for EU residents. Simply put, GDPR gives EU residents greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. Further, any organization that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data.
Who and what does GDPR apply to?
GDPR affects any company, organization, or government agency that collects or processes information relating to an identified or identifiable individual residing in the EU (“personal data”). This includes organizations operating within the EU, organizations outside the EU that offer goods and services to EU residents, and organizations that monitor EU residents. Personal data includes data such as: name, identification number, location data, or online identifier, as well as special categories of personal data such as: religious affiliation, medical and genetic data, and biometric data that is processed to uniquely identify an individual. GDPR does not apply to certain activities covered under law enforcement, national security, and processing carried out by individuals purely for personal or household activities.
It is important to understand that Leoforce’s Arya service does not collect or process any information relating to an identified or identifiable individual resident of the EU until a Leoforce customer requests such information. Leoforce utilizes third party data providers to obtain such personal data, and we have agreements in place with all of our third party data providers that require those providers to obtain a proper legal basis for processing of this personal data before we receive it.
What is required under GDPR, and how does that differ from existing privacy laws?
GDPR builds upon existing EU privacy and data protection law, but also includes several new requirements. Article 5 of the GDPR sets out the six principles of data protection. The controller of the personal data is responsible for complying with these principles and will be required to demonstrate compliance. These principles require that personal data is:
1. processed lawfully, fairly and in a transparent manner;
2. used for the purpose for which it was collected (and that such purpose is expressly specified and legitimate);
3. relevant and limited to what is necessary in relation to the purposes for which it is processed;
4. accurate and, where necessary, kept up to date;
5. stored for no longer than is necessary for the purpose for which the personal data is processed; and
6. processed in a manner that protects the security and confidentiality of the personal data.
When compared to the European Directive 95/46/EC, new requirements under GDPR include the following:
* Increased territorial scope
Previous privacy directives were considered ambiguous, but GDPR clearly states that it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location.
* Individual rights for data subjects
GDPR includes a number of individual rights in order to empower data subjects, such as a right to access, a right to be forgotten, a right to data portability, and a right to correct or rectify personal data.
* Data breach notification
GDPR provides for strict data breach notification timelines requiring that Supervising Authorities be notified within 72 hours. GDPR also requires that customers and controllers be notified of a data breach “without undue delay.”
* Privacy by design
GDPR calls for the inclusion of appropriate technical and organizational data protection measures at the beginning and throughout the system design process.
* Strict penalties for non-compliance
GDPR provides a tiered approach to fines for breach of data protection requirements, with the maximum being up to 4% of annual global turnover or €20 Million (whichever is greater).
What is Leoforce doing to prepare for GDPR?
Leoforce has thoroughly analyzed GDPR requirements and we are implementing our company-wide GDPR compliance strategy with a dedicated internal team, assisted by external experts, to drive our organization to meet them. Like many other software companies, we appreciate that our customers have requirements under GDPR that are directly impacted by their use of Leoforce, and we are committed to helping our customers fulfill their requirements under GDPR. We will continue to review our internal processes, regulatory guidance and industry practices to ensure we’re doing what we can to protect data and improve our processes and procedures wherever we identify the opportunity.
We have six main areas of focus in preparing for GDPR:
1. Enhancing data integrity and security – We’re enhancing our existing security and business continuity management policies, processes and controls, including privacy by design, to ensure GDPR compliance, including the use of industry-leading and security-certified cloud infrastructure providers and data centers with a high level of security, data confidentiality, integrity, and availability. We’ve implemented organizational privacy by design to help ensure the protection of the rights of data subjects and customers, as well as holding sub-processors that handle data to the applicable data management, security and privacy standards required under GDPR. Our processing of data and security architecture have been thoroughly analyzed to account for a variety of factors, including the sensitivity of our data, the risks to individuals associated with any security breach, state of the art technologies, and the nature of Leoforce’s processing activities. This included an assessment of how we process personal information to identify and minimize our data protection risks. Testing of the effectiveness of our security measures and processes is a continuous process, and we have established internal protocols and engaged external security consultants to keep our data and products secure. In the unlikely event that a breach does occur, Leoforce can promptly report any detected breach as required under GDPR.
2. EU data processing – Arya is hosted in multiple data centers across the globe. By policy, EU-based Arya users and EU-sourced data are hosted in an EU-based data center.
3. Product improvements – We’ve implemented technology modifications to align with GDPR requirements for our business and for our products, and we are adding new technologies to better support these GDPR obligations. We’ve also created procedures enabling data subjects and customers to submit requests to exercise their rights under the GDPR, including consent management and opt-in/opt-out tools, and access controls that address personal data access, transparency, rectification, erasure, restriction of processing and automated decision making, portability and objection. We’ve made these changes without compromising on product performance so that we can provide better transparency to data subjects and our customers.
4. Data processing and transfer minimization – We’ve always limited data collection to the minimum amount of data required to perform our service, and we’ve documented the legal basis for each data processing and transfer activity. The Arya index does not include information to guarantee the unique identification of a data subject profile. The Arya index accesses reputable data sources that have demonstrated their commitment to comply with various regional privacy regulations. We’ve implemented a variety of technical and organizational measures to ensure that our processing and transfer activities meet GDPR requirements. We have implemented data pseudonymization in product development, as well as revision of our data retention policies to ensure the deletion and/or anonymization of data where we no longer have a business need for processing. We utilize an EU data center to minimize onward transfers of EU personal data outside the EEA. We do not use any personal data for any purpose other than providing our contracted services. We do not use any personal data for any non-permitted purpose.
5. Providing visibility, awareness and transparency – We have implemented a new process for data subjects to easily request, review, remove, and/or consent to the potential indexed information in Arya in accordance with the GDPR standards. We are also investing in resources for training our staff, partners and customers on GDPR regulations and compliance obligations to ensure that our recruiting tools remain GDPR compliant.
6. Requesting consent – We are instructing Leoforce clients who are interested in contacting a prospective candidate regarding employment to obtain consent from the data subject in advance of engaging the data subject.
It is important to stress that compliance is a shared responsibility and that our customers may also need to adapt their business processes, data management practices, and integrations. Leoforce strives to enable the customers of Arya to take advantage of the features inherent in the service to meet their GDPR obligations related to deletion, rectification, transfer of, access to, and objection to processing of personal data. Further, Leoforce protects data from inappropriate access or use and provides customers with the ability to specify who has access to what data within each domain or branch.
Why is this so important to Leoforce?
With the rapid change in the global socio-economic environment and increasingly more people joining the ever-growing workforce and pursuing job searches around the world, it has become progressively more difficult for companies to find qualified candidates and for a candidate to find a suitable job match. As an early technology adopter and avid leader in the recruiting space for 20+ years, Leoforce founder and CEO Madhu Modugu realized there was something desperately missing from talent acquisition – a critical focus on making unbiased decisions when sourcing and recruiting candidates to find the best people for each job. This gave birth to Madhu’s brainchild “Leoforce”, the pioneer AI technology company specializing in artificial intelligence platforms for recruiting.
Leoforce’s flagship product “Arya” transforms average recruiters into star performers with tools to identify the right candidate for the right organization at the right time and place. Our combined decades of recruiting expertise and our drive for innovation have pushed us onward to bring innovative artificial intelligence-based solutions to market for the candidate sourcing and matching process for recruiting and talent acquisition professionals, thereby assisting recruiting professionals to match qualified candidates with the right job, and the right employer, at the right place on a timely and efficient basis.
What should you do to be GDPR-ready?
If you are just getting started with GDPR compliance in your organization, here’s a quick to-do list to keep in mind.
1. Create a data privacy team to oversee GDPR activities and raise awareness
2. Review current security and privacy processes in place & where applicable, revise your contracts with third parties & customers to meet the requirements of the GDPR
3. Identify the personal data and personally identifiable information that is being collected by your organization
4. Analyze and document how this information is being collected, processed, stored, retained and deleted
5. Assess the third parties with whom you disclose this information
6. Establish procedures to respond to data subjects when they exercise their rights
7. Establish & conduct a Data Privacy Impact Assessment (DPIA)
8. Create processes for data breach notification activities
9. Employ continuous employee awareness to ensure continual compliance to the GDPR
Additional information about the GDPR is available on the official GDPR website of the EU. For legal advice, you’ll want to consult with your own organization’s legal team.
Copyright Leoforce, Inc. 2018. This document is provided as of May 7, 2018, for informational purposes only and not to be relied on for any reason. It is subject to change or removal without notice.
Copyright © 2018 Leoforce, Inc. All rights reserved.