GDPR FAQs.

general

We have reviewed all our business processes and procedures, updating them to reflect the change in legislation from the DPA to the GDPR. This includes the following:

  • Full risk assessment on all data collection and processing.
  • Our staff have been trained and we have also updated our induction process to train new staff.
  • Reviewed and created new processes in the business in line with data security protocols.
  • We have appointed a Data Protection Officer.
  • We have created a data breach log.
  • We have updated our privacy policy.
  • We have created a company deletion policy.
  • We have reviewed all supplier relationships.
  • New features have been developed in our Applicant Tracking System to ensure customers can be compliant.
  • Contracts have been updated with employees and suppliers.

Yes. We have appointed a Data Protection Officer, Stephen Grainger. He is a company Director and a full-time employee based at our Head Office in Strixton, Northants.

You can contact him via steve@hireful.co.uk

Processing takes place at our Head Office in Strixton, Northants and at data centres across the EU.

All data is stored within the EU; we use the Amazon Web Services data centre in Dublin. Paper copies are kept to a minimum. We have a clear desk policy, and paperwork only leaves the site via our secure shredding partner.

All data is held, encrypted & backed-up in an AWS datacentre in Ireland.

A full list of our sub-processors can be seen here: our sub-processors – hireful. There are some technology providers we use (e.g. Google) that may process data outside of the EEA & as a result we have Standard Contractual Clauses in place. We also have a software development partner based in India where SCCs are also used as the mechanism for any international data transfers. In this case we have also had an independent 3rd party conduct a Transfer Impact Assessment.

We have had a full analysis of our data management processes and policies conducted by an external 3rd party consultant. This has given us reassurance that we have taken all the necessary steps to be compliant. However, we plan to closely monitor the implementation of this new legislation to ensure we have correctly interpreted how it will be exercised, and we will adapt our processes and policies whenever we identify an issue.

erasure of data & Subject Access Requests

Yes. Where we are acting as the data controller we will follow the data retention policies listed in our privacy policy. Where we are acting as a data processor we configure our Applicant Tracking Software to automatically delete any data subject’s data once the customer’s retention period is about to be exceeded. This is all managed automatically, and statistical reports are available to show the number of records that have been cleansed/deleted from the system.

Erasure of personal data will be completed by us when requested by either the customer or the data subject.

Specific individual requests will be completed manually. We will delete all personally identifiable information (PII) from all of our systems within 48 hours of the request.

However, our applicant tracking system will automatically erase all PII once the permission-to-hold date has been exceeded. The date on which this action is triggered is aligned to the retention period that the customer has told the data subject it will hold their data for in the customer’s own privacy policy.

All subject access requests where we are acting as the data controller should be sent to our data protection officer (Stephen Grainger). He will conduct a review to see if the data subject’s data is held outside of the client’s applicant tracking system. Our data management processes are such that it would be highly unlikely that any of the data subject’s data would be held outside of the client’s applicant tracking system. The client (Data Controller) has access to all of the data subject’s data on the applicant tracking system and our technical team can show the client how to download/extract this data to respond to a SAR.

data security

We have reviewed our processes to ensure we are only collecting the minimum amount of data that is necessary. Furthermore, this data will only be held for the minimum amount of time. Enhancements have been made to systems to ensure maximum security from a data perspective.

We also plan to regularly review these processes to continually improve them.

Customers using our Applicant Tracking System have access to a set of GDPR-specific features that we have made available to help customers secure their data.

Yes, all employees have a set of commitments that are detailed in a signed agreement that is separate from their employment contract, and these are also covered in our employee training.

All staff have undergone GDPR training that was delivered by an external consultant. All staff are trained on induction and every two years (or sooner if there is a major change in legislation).

Physical data does not leave our Head Office building in Strixton, Northants, with the exception of the collection of data that is to be shredded by our secure 3rd party provider. Digital data is protected by two-factor authentication and the disabling of flash drives on all PCs/laptops. All laptops/PCs are subject to comprehensive password management policies and state-of-the-art firewall technology.

Within our ATS all digital data at rest is encrypted using AES-256 encryption and is managed by AWS. Database volumes are encrypted by AWS and managed by AWS KMS. All data is encrypted in transit. Data is transferred directly between hireful’s infrastructure (AWS) and our clients’ machines (browser) using TLS 1.2 with 256-bit AES encryption. Data encryption, including SSL/TLS key management, is provided by AWS ELB and AWS KMS.

All laptops are secured by two-factor authentication. We use Active Directory to ensure users only have access to data that they are authorised to see.

The following technical and security measures have been implemented by the single sub-processor we use:

  • Separation of Production / Development / Staging environments using different AWS (Amazon Web Services) accounts.
  • Use of the AWS CloudTrail service to audit and monitor AWS usage.
  • Data encryption when transmitting.
  • Directory / Auth service to validate a user’s access to backend servers.
  • Hardening of the Bastion / VPN servers to make sure they are never compromised.
  • Obfuscation of sensitive data while being written to logs.
  • Two-way encryption of all sensitive information at the point of contact.

Yes. This is managed by our network manager. Access to internal systems is only available to employees. Access to each client’s applicant tracking system is controlled by our technical team, and there is a formal process for each customer to provide written authorisation for each user to whom they wish to grant or remove access to the system.

We operate two WiFi solutions: a Guest Network and an Internal Network.

The Guest Network operates with WPA/WPA2 (PSK) using TKIP or AES encryption. This wireless network is completely segregated from our core infrastructure network through VLAN traffic isolation.
The Internal Corporate WiFi Network also operates with WPA/WPA2 (PSK) using TKIP or AES encryption. The network credentials are not publicly available and are only issued to staff who have a legitimate need for corporate WiFi access.

Our email is hosted by Microsoft via its Office365 platform. The platform conforms to many government and regulatory requirements on security and data protection, including the ISO 27001 standard.

In addition to the built-in Microsoft security standards, we have also implemented multi-factor authentication controls to secure access to all of these hosted products.

Our Office365 platform has undergone a hardening process to ensure audit controls and security standards are in place to meet our business requirements.

In addition to external security, our internal password policies and procedures follow current government best-practice standards on password controls (complexity, password length, change frequency, etc.).

All policies and procedures, not just those relating to IT, are made available to all staff, and appropriate training is conducted to ensure they remain current and relevant.

General threats
We hide our servers from the general public behind load balancers, which makes us almost immune to snooping. The load balancers expose only two separate ports, which means an attacker would need in-depth knowledge of the application to craft an attack. Also, because we check the company ID in the payload and match it to the domain name, if one company does fall victim to an attack, the attacker will not be able to access data belonging to another ATS.

Backups
All of our databases are periodically backed up by cron or AWS RDS to AWS S3 buckets. We do not host any systems onsite. All backups are stored offsite at AWS’s data centres in London and Ireland.

Pen Testing
We conduct an extensive one-week full-system penetration test once a year using a professional penetration testing company. Our developers are also very security-minded and will patch any of the latest threats that affect us. Due to the nature of our architecture our attack surface is very small and does not change much from release to release.

We use a “multi tenant database” design pattern on our databases. This means the data for multiple Applicant Tracking Systems is stored in the same Database(s). We use the ATS id field to segregate the data and every request is validated. Any request for data not belonging to the ATS is actively denied and logged.
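As an added illustration (not hireful’s code), this Python sketch shows the tenant check described above and under General threats: the ATS id in the payload is matched against the id bound to the request’s hostname, every query carries a mandatory tenant filter, and any request for data outside the tenant is denied and logged. The hostnames, ids and applicants table are constructed sample data.

```python
import logging
import sqlite3
from typing import Optional

log = logging.getLogger("tenant-guard")

# Constructed sample mapping of customer hostname -> ATS id (hypothetical values).
HOST_TO_ATS = {"acme.careers.example": 1, "globex.careers.example": 2}


def build_sample_db() -> sqlite3.Connection:
    """Constructed multi-tenant table: two ATS instances share one applicants table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (id INTEGER, ats_id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO applicants VALUES (?, ?, ?)",
        [(10, 1, "A. Applicant"), (11, 1, "B. Applicant"), (20, 2, "C. Applicant")],
    )
    return conn


def resolve_ats(host: str, payload_ats_id: int) -> Optional[int]:
    """Payload ATS id must match the id bound to the Host; mismatch is denied and logged."""
    expected = HOST_TO_ATS.get(host)
    if expected is None or expected != payload_ats_id:
        log.warning("tenant mismatch: host=%s payload_ats_id=%s expected=%s",
                    host, payload_ats_id, expected)
        return None
    return expected


def get_applicant(conn: sqlite3.Connection, host: str, payload_ats_id: int,
                  applicant_id: int) -> Optional[dict]:
    """Tenant-scoped read: returns the applicant row, or None when denied (and logged)."""
    ats_id = resolve_ats(host, payload_ats_id)
    if ats_id is None:
        return None
    # The tenant filter is part of every query, so a valid tenant asking for
    # another tenant's row id gets nothing rather than a cross-tenant leak.
    row = conn.execute(
        "SELECT id, name FROM applicants WHERE id = ? AND ats_id = ?",
        (applicant_id, ats_id),
    ).fetchone()
    if row is None:
        log.warning("denied: host=%s ats_id=%s applicant_id=%s is not in this tenant",
                    host, ats_id, applicant_id)
        return None
    return {"id": row[0], "name": row[1]}
```

In a real service the None result would be mapped to a 403/404 response, and the warning lines feed the denied-request log mentioned above.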

data breaches

All employees have been trained to understand what constitutes a breach and how to report a breach.

Regular audits will take place to ensure data is being handled in a compliant manner.

We maintain an incident log which records all incidents that could affect the delivery of our software service to our customers. All incidents are fully investigated, with resolutions communicated to customers. If a data breach occurs, our policy is to ensure our data points are secure and to report the breach internally, as per our process, to the Data Protection Officer and to the data subject(s) without undue delay. We will then notify the ICO within 72 hours.

Once we have established the parties involved, through thorough investigation of the data breach, we will seek statements of truth and signed affidavits that the information/data has been deleted irretrievably and will not be accessed or utilised, closing the breach.

We will review our internal processes and policies regularly and if there is any level of breach we will make the necessary changes to the associated technology & processes. We will then communicate with all relevant parties our new operating practice and the measures taken to secure the data and how this will protect it from any subsequent risks of breach.

data management

Our Data Protection Officer conducts regular reviews of Data Protection processes. Quarterly assessments of all data assets are scheduled and carried out by our DPO.

If you have a question that isn’t answered here we’d be happy to hear from you. Get in touch here.