The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
This document describes HRMTS' attention and efforts to implement GDPR compliance in the System on behalf of our Customers.
Please see the following resources for more information:
Article 8: Conditions applicable to child’s consent in relation to information society services
Article 9: Processing of special categories of personal data
Article 14: Information to be provided where the data are collected from the data subject
Access to Data
Data subjects have a right to know what personal data of theirs is being stored and how it is being processed. They can also ask for their data to be corrected if it is wrong. There is now also a requirement for data portability, meaning individuals can request their data to be delivered in a structured and commonly used file format, so that it can be transferred to some other organization.
Personal data shall only be stored and processed to the extent where it is necessary to the explicit purpose for which the data was originally collected. Data shall also not be stored longer than necessary. Data subjects can also restrict processing of their data to certain purposes, e.g. direct marketing.
Article 19: Notification regarding rectification, erasure or restriction
Right to be Forgotten
Data subjects may withdraw their consent to process their data at any time, and ask the data controller to erase their personal data. This must be done without undue delay. Reasonable steps must also be taken to inform third parties to remove any copies of that data.
Where to find the rules?
Article 17: Right to erasure (“right to be forgotten”)
Article 19: Notification regarding rectification, erasure or restriction
Obligation to Inform in Case of a Data Breach
In case of critical data breaches, the data controller/processor must inform the supervisory authorities. The data subjects must also be notified if the data breach results in a significant risk to them. These notifications must be issued without undue delay, and no later than 72 hours.
Article 33: Notification of a personal data breach to the supervisory authority
Article 34: Communication of a personal data breach to the data subject
Naming a Data Protection Officer
The data controller/processor must appoint a Data Protection Officer (DPO). The DPO can be either contracted or directly employed. Appointing a DPO is mandatory for public authorities; private organizations must also appoint one if their data processing includes regular, systematic and large-scale monitoring of data subjects.
Where to find the rules?
Article 37: Designation of the data protection officer
Article 38: Position of the data protection officer
HRMTS' goal is to provide the Customers with a default configuration, so that their use of the System is 100% compatible with GDPR right out of the box (Privacy by Design and Privacy by Default). This way, the Customers do not have to worry about anything. However, those Customers who have heavily modified email templates and various custom texts will need to update the contents of a few of them. HRMTS Support will assist them fully in this process for a smooth and transparent transition.
What is HRMTS Doing?
HRMTS is fully focused on GDPR and is making modifications and optimizations to implement GDPR compliance in the System on behalf of our Customers. The following is a brief overview of some of the most visible efforts (in no particular order).
HRMTS offers three main applications:
The work around GDPR compliance focuses on following areas:
How do the data controller and the data subjects access, use and process the data?
What options are available for data subjects?
How do HRMTS staff access, use and process the data?
What processes and limitations are implemented for Support, Implementation, Development and DBA, and so forth?
Vendors & Suppliers
How is data stored, accessed and processed at the data centers and at other suppliers?
How is backup and restore managed?
Categorization of Data
The first and most important task in GDPR compliance is to identify and categorize the types of data stored and processed in the applications; all the controls will be built on this categorization. The data will be divided into three categories:
Definition under the GDPR for each category:
Personal data: Any information relating to an identified or identifiable natural person.
Sensitive data: Personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
Non-identifiable data (de-personalized, anonymous): Any information that by itself cannot be used to identify a person.
The applications are already designed according to the Principle of Least Privilege, where all access is closed except when necessary for authorized users and legitimate purposes. Further work is under way to reach full Privacy by Design and Privacy by Default. Each application uses different sets of data. The categorization of data will make it possible to implement processes and controls that provide maximum protection. The applications will implement special rights that determine which users can access and use the various categories of data. On the organization level, similar controls will be implemented based on the role of the staff members, and similar controls and processes will be implemented for vendors and suppliers.
New Options to Data Subjects
The data subjects will be given access to the following new features:
Access to Data
The data subjects will be given the option to request an overview of their personal data stored and processed in the applications.
Right to Rectification
The data subjects will be given the option to rectify their data, in accordance with the regulations, even after the application form has been locked at the due date. (Applies to Talent Recruiter.)
Right to be Forgotten
The data subjects will be given the option to request (demand) to be forgotten by the applications. In this case, the applications will delete all their personal data from the System, keeping only non-identifiable metadata for statistics and references. The deletion will also propagate to backups of the databases.
Extended User Rights
The applications will offer extended roles and rights for the users to accommodate their usage according to GDPR. The following is a brief overview of the new rights:
Assigned to an administrative user that will receive various notifications regarding GDPR, and also trigger deletion of data requested by data subjects.
View Personal Data
Assigned to a user that is permitted to view personal data of data subjects.
Edit Personal Data
Assigned to a user that is permitted to edit personal data of data subjects.
Print/Email Personal Data
Assigned to a user that is permitted to print/email personal data of data subjects.
Delete Personal Data
Assigned to a user that is permitted to delete personal data of data subjects.
View Sensitive Data
Assigned to a user that is permitted to view sensitive data of data subjects.
Edit Sensitive Data
Assigned to a user that is permitted to edit sensitive data of data subjects.
Print/Email Sensitive Data
Assigned to a user that is permitted to print/email sensitive data of data subjects.
Delete Sensitive Data
Assigned to a user that is permitted to delete sensitive data of data subjects.
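The rights above combine an action (view, edit, print/email, delete) with a data category (personal, sensitive). The following is an added example, not HRMTS code, of how such a field-level check can be enforced with deny-by-default semantics: each field of a record is classified into one of the three categories, and an operation is permitted only when the user holds the matching right. The field names, the sample record, the lower-cased right names ("view personal data" and so on) and the helper names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Category(Enum):
    """The three data categories used in the classification."""
    NON_PERSONAL = "non-personal"   # cannot identify a person by itself
    PERSONAL = "personal"           # relates to an identifiable person
    SENSITIVE = "sensitive"         # Article 9 special categories


# Constructed classification of one candidate record (assumption).
FIELD_CATEGORY: Dict[str, Category] = {
    "application_id": Category.NON_PERSONAL,
    "job_type": Category.NON_PERSONAL,
    "name": Category.PERSONAL,
    "email": Category.PERSONAL,
    "phone": Category.PERSONAL,
    "health_notes": Category.SENSITIVE,
    "union_membership": Category.SENSITIVE,
}

# Actions map onto the rights listed on the page; "print" stands for Print/Email.
ACTIONS = ("view", "edit", "print", "delete")


def required_right(action: str, category: Category) -> Optional[str]:
    """Name of the right needed for an action on a category, or None if none."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if category is Category.NON_PERSONAL:
        return None                       # no extra right for non-identifiable data
    return f"{action} {category.value} data"   # e.g. "view sensitive data"


@dataclass
class User:
    username: str
    rights: Set[str] = field(default_factory=set)


def is_allowed(user: User, action: str, field_name: str) -> bool:
    """Deny by default: an unclassified field or a missing right both refuse."""
    category = FIELD_CATEGORY.get(field_name)
    if category is None:
        return False
    needed = required_right(action, category)
    return needed is None or needed in user.rights


def visible_fields(user: User, record: Dict[str, object]) -> Dict[str, object]:
    """Project a record down to the fields the user holds a view right for."""
    return {k: v for k, v in record.items() if is_allowed(user, "view", k)}


def check(user: User, action: str, field_name: str) -> None:
    """Enforce a single operation; raise instead of silently continuing."""
    if not is_allowed(user, action, field_name):
        raise PermissionError(f"{user.username} may not {action} {field_name}")


if __name__ == "__main__":
    # Constructed sample record; no real person is described.
    candidate = {"application_id": 1017, "job_type": "engineer", "name": "A. Sample",
                 "email": "a.sample@example.invalid", "health_notes": "(constructed)"}
    recruiter = User("recruiter", {"view personal data", "edit personal data"})
    print(visible_fields(recruiter, candidate))   # health_notes is filtered out
```

Two design points matter for a deployment: a field that is not in the classification table is refused rather than treated as non-personal, so a newly added column cannot leak before someone classifies it, and the projection happens server-side, so a client never receives data it is not entitled to view.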
Extension of User Roles
The user roles will also be extended to fine-tune which roles can view what type of documents. E.g. it will be possible to configure that some users can only see the CV of the candidates, while others can also see the diplomas, and so forth. In case of Talent Manager, the extension will also include configuring job types.
Minimize Document Download & Sending
The documents uploaded by data subjects may contain various types of data that are not possible to categorize. As all the applications offer functions to download and email the documents, it is a challenge to keep track of them once they have left the System. Although it is technically the users' (Customers') responsibility to use these functions with care, HRMTS plans to offer mechanisms that make it easier for the users to continue working as they are used to while minimizing the risks.
View Documents in the Browser
The first function to be offered will be the option to view the documents right in the application (Internet Browser) without the need to download them. They will still have the option to download them, but only when the intent is exactly that.
Send Links to Documents Instead of Attachments
The second function to be offered will be the option to send the documents in the emails as links, instead of attachments. The recipients of the emails can click on the links to view the documents right in the application (Internet Browser) without the need to download them. They will still have the option to download them, but only when the intent is exactly that.
In addition, there will be an option to configure a validity time limit on these links, so that they expire after X days.
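As an added example (not HRMTS code, and not a description of how the System builds its links), here is one way to issue document links that expire after a configured number of days: the link carries the document id, an expiry timestamp and an HMAC over both, so a recipient cannot extend the validity or point the link at another document, and the server refuses any link whose expiry has passed. The base URL, the path layout, the query parameter names and the signing key are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed server-side signing key; a real deployment loads it from a secret store.
LINK_SECRET = b"constructed-example-key-not-for-production"
BASE_URL = "https://app.example.invalid/documents"   # assumed viewer endpoint


def _sign(doc_id: str, expires_at: int) -> str:
    """HMAC over the document id and the expiry so that neither can be altered."""
    msg = f"{doc_id}|{expires_at}".encode()
    digest = hmac.new(LINK_SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def make_link(doc_id: str, valid_days: int, now: Optional[float] = None) -> str:
    """Build a view link that stops working after `valid_days` days."""
    now = time.time() if now is None else now
    expires_at = int(now) + valid_days * 86400
    return f"{BASE_URL}/{doc_id}/view?exp={expires_at}&sig={_sign(doc_id, expires_at)}"


def verify_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """Return the document id if the signature matches and the link is unexpired."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    # Expected path layout: documents/<doc_id>/view
    if len(segments) != 3 or segments[0] != "documents" or segments[2] != "view":
        return None
    doc_id = segments[1]
    query = parse_qs(parts.query)
    try:
        expires_at = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    if now >= expires_at:
        return None                                    # expired
    # Constant-time comparison of the presented and the recomputed signature.
    if not hmac.compare_digest(sig.encode(), _sign(doc_id, expires_at).encode()):
        return None                                    # tampered or forged
    return doc_id


if __name__ == "__main__":
    link = make_link("doc-42", valid_days=7)
    print(link)
    print("valid now:", verify_link(link))
```

The signature only proves that the link was issued by the System and has not been modified; the viewer endpoint should still apply the recipient's own rights before rendering the document, and shortening the validity period limits how long a forwarded email remains useful.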
Stop/Limit Access from Outside EU
All access to data will by default be limited to inside the EU, except for the following:
Customers who configure their accounts to allow their users to access data from outside the EU.
HRMTS' DBAs outside the EU who perform database administration and create custom reports.
All applications will offer exhaustive logging (activity logs) for administrators, who can keep track of which users have accessed, edited or deleted what type of data. The logs will also explicitly record all access from outside the EU.
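An added example, not HRMTS code, of the location policy and the activity log described above: access is allowed from EU countries by default, from outside the EU only when the Customer's account opts in or the caller holds the DBA role, and every attempt is written to a structured log that records the user, the action, the data category, the country and whether the request came from outside the EU. The account setting name, the role name "hrmts_dba" and the log fields are assumptions. The country set is the 27 EU member states; since the page says "EU", an EEA country such as Norway counts as outside the EU here, and whether a deployment should treat it differently is a configuration decision.

```python
import json
import time
from dataclasses import dataclass, field
from typing import List, Set

# The 27 EU member states as ISO 3166-1 alpha-2 codes.
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}


@dataclass
class Account:
    name: str
    allow_outside_eu: bool = False     # the Customer's opt-in (assumed setting name)


@dataclass
class User:
    username: str
    roles: Set[str] = field(default_factory=set)   # "hrmts_dba" is an assumed role name


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize_location(account: Account, user: User, country: str,
                       action: str, category: str, activity_log: List[dict]) -> Decision:
    """Apply the EU-only default and record every attempt in the activity log."""
    country = country.upper()
    outside_eu = country not in EU_COUNTRIES
    if not outside_eu:
        decision = Decision(True, "inside EU")
    elif "hrmts_dba" in user.roles:
        decision = Decision(True, "HRMTS DBA exception")
    elif account.allow_outside_eu:
        decision = Decision(True, "account allows access from outside EU")
    else:
        decision = Decision(False, "access from outside EU not enabled for account")
    # One entry per attempt, denied ones included, so administrators can see
    # who touched which category of data, from where, and why it was allowed.
    activity_log.append({
        "ts": time.time(), "account": account.name, "user": user.username,
        "action": action, "data_category": category, "country": country,
        "outside_eu": outside_eu, "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


def outside_eu_entries(activity_log: List[dict]) -> List[dict]:
    """The explicit view of all access attempts from outside the EU."""
    return [e for e in activity_log if e["outside_eu"]]


def to_jsonl(activity_log: List[dict]) -> str:
    """Serialize the log one JSON object per line for shipping to a log store."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in activity_log)


if __name__ == "__main__":
    log: List[dict] = []
    acme = Account("acme")                         # constructed Customer, EU-only
    authorize_location(acme, User("anna"), "DE", "view", "personal", log)
    authorize_location(acme, User("anna"), "US", "view", "personal", log)
    print(to_jsonl(outside_eu_entries(log)))
```

Note that the location check is independent of the user's data-category rights: a request must pass both, and logging the denied attempts is what lets an administrator notice a user who keeps trying from an unexpected country.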
Updated DPA with Customers
All Data Processing Agreements (DPAs) will be updated with Customers to include the terms and conditions of GDPR.
Updated Consents from Data Subjects
All data subjects will be given the option to give or renew their consent to the updated terms for data storage and its use.
Authentication is done by our identity server, HRID, and users are authorized through department memberships and roles. Read more about it here: Authentication and Authorization
Appendix B - Additional GDPR Checklists
The following are the guiding checklists used by HRMTS to focus on various details of the compliance.
Privacy by Design & Privacy by Default
Personal & Sensitive Data Protection
Sensitive data protection principles are part of the core application design.
The application has data classification or data taxonomy features for personal and sensitive data.
Prevent unencrypted personal and sensitive data from leaving the perimeter during data transfer.
Log and monitor network traffic to identify and investigate inappropriate personal and sensitive data transfers.
Ensure data exchange through secure means during data collection and exchange with third parties.
Ensure mechanisms for anonymization of personal and sensitive data based on stripping, so that data is no longer personal or sensitive.
Ensure mechanisms for anonymization of personal and sensitive data based on encryption / pseudonymization, so that data is still personal or sensitive when used with certain criteria/keys.
Ensure mechanisms for anonymization of personal and sensitive data while porting data from production systems to test/development systems.
Ensure mechanisms for anonymization of personal and sensitive data from reports, and other interfaces.
Ensure mechanisms for restricting the copying of personal and sensitive data to unapproved containers (e.g. email, web browsers), including controlling the ability to copy, paste and print sections of documents.
Ensure mechanisms for hardening mobile device configurations and features such as password protection and remote wipe facilities.
Ensure change management controls to detect any addition / deletion of personal data or sensitive fields in the application.
Ensure that the application tracks all the changes made to an individual's personal data.
Ensure application scalability and future-proofing for GDPR compliance for all future possible changes in the application.
Ensure Privacy by Design & Privacy by Default in the application.
Certify the application to comply with requirements for Privacy by Design & Privacy by Default.
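The checklist distinguishes anonymization by stripping (the data stops being personal) from pseudonymization with keys (the data stays personal for whoever holds the key or the lookup table), and asks for the same treatment when porting production data to test systems. The following is an added example, not HRMTS code, showing both on one constructed record: stripping removes every personal and sensitive field, while pseudonymization replaces identifiers with keyed HMAC tokens that keep records linkable and returns the re-identification table separately. The field classification, the key and the helper names are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed classification (assumption): identifiers vs. sensitive free text.
PERSONAL_FIELDS = {"name", "email", "phone"}
SENSITIVE_FIELDS = {"health_notes", "union_membership"}


def anonymize(record: Dict[str, object]) -> Dict[str, object]:
    """Stripping: drop every personal and sensitive field.

    Irreversible, so the result is no longer personal data and can be kept
    for statistics and references after a right-to-be-forgotten request.
    """
    return {k: v for k, v in record.items()
            if k not in PERSONAL_FIELDS and k not in SENSITIVE_FIELDS}


def _token(key: bytes, field_name: str, value: str) -> str:
    # Keyed hash: same key and same value give the same token, so records stay
    # linkable; without the key the token can be neither computed nor searched.
    msg = f"{field_name}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: Dict[str, object], key: bytes) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Replace identifiers with keyed tokens and drop sensitive free text.

    Returns the pseudonymized record and the re-identification table. While
    that table or the key exists, the output is still personal data under
    the GDPR, which is why the table must be stored apart from the data set
    (for example, never shipped to the test environment with it).
    """
    out: Dict[str, object] = {}
    lookup: Dict[str, str] = {}
    for k, v in record.items():
        if k in SENSITIVE_FIELDS:
            continue                      # free text cannot be tokenised safely
        if k in PERSONAL_FIELDS:
            tok = _token(key, k, str(v))
            lookup[tok] = str(v)
            out[k] = tok
        else:
            out[k] = v
    return out, lookup


def reidentify(pseudo: Dict[str, object], lookup: Dict[str, str]) -> Dict[str, object]:
    """Reverse pseudonymization with the table; only the key holder can do this."""
    return {k: (lookup.get(str(v), v) if k in PERSONAL_FIELDS else v)
            for k, v in pseudo.items()}


if __name__ == "__main__":
    # Constructed sample record; no real person is described.
    rec = {"application_id": 7, "name": "A. Sample", "email": "a@example.invalid",
           "health_notes": "(constructed)", "job_type": "engineer"}
    print(anonymize(rec))
    pseudo, table = pseudonymize(rec, b"constructed-example-key")
    print(pseudo)
    print(reidentify(pseudo, table) == {k: v for k, v in rec.items() if k != "health_notes"})
```

Using a different key per environment (production vs. test) means tokens from a test copy cannot be matched against production tokens, which is the property the checklist's porting item relies on.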
Rights & Consent Management
Ensure mechanisms to capture data subjects' rights to consent, to be forgotten, and so forth.
Ensure that intentional updates of personal data are synchronized to all relevant places where the information is stored in the application.
Ensure that application systematically removes any personal data of a subject upon request.
(Right to be forgotten.)
Ensure that the application supports the controller's obligation to inform the data subject of the collection of personal data.
(E.g. built-in notice to the user when signing up in a website.)
Ensure that the application has features to track consent decisions or alert the responsible persons in the organization to them.
Ensure that the application has features to collect and store consents.
Ensure that the application provides functions to document digital consent (not signed) from the data subject, or another authorization for processing of personal data (lawfulness of processing).
(E.g. log files documenting user acceptance, or technical documentation showing that it is not possible to create a user profile without giving consent.)
Ensure that the application has automated ways to comply with the rights of the data subject.
Ensure to describe automated compliance of rights in the system documentation.
Ensure that the application tracks and logs all the changes made to a data subject's personal data.
Consider to introduce feature for de-duplication of sensitive data.
Consider handling multi-lingual sensitive data.
Consider an automated governance process for securing the data in motion, in use and in rest.
Ensure set up of processes and policies for personal data usage/consumption.
Consider processes by which the following get updated regularly:
PII (Personally Identifiable Information)
PHI (Protected Health Information)
PCI (Payment Card Information)
Ensure maintenance of rights traceability. Document the process in data sharing at application level.
Document the method of customer data archival.
Document role based access for different datasets.
Document the security levels existing today.
(E.g. Row based, object based, Report based etc.)
Ensure flexible configuration supporting easy changes in access rights.
(E.g. on organizational changes or reassignments.)
Ensure that the application has a breach notification capability.
Ensure that it is possible to generate fully comprehensive and reliable compliance reports.
Ensure that the application has a methodology for breach prevention.
(E.g. predictive analytics solutions)
Document assurance practices or controls.
Organization & Setup
Warranty, Certificates & Authorizations
Provide a warranty to implement applicable physical, technical and organizational security requirements to comply with GDPR and the rights of data subjects.
Prepare a Code of Conduct that describes guidelines for processing of personal data.
Include the clause in the DPA regarding transfer of personal data outside the EEA in regard to DBA.
Roles & Responsibilities
Appoint Data Protection Officer (DPO).
Document who will be responsible for fulfilling the obligation to inform Customers in case of security breaches.
Data Processor Agreement
Standard Data Processor Agreement
Ensure that the DPAs comply with the regulations both before and after 25.05.2018.
Create/update a standard DPA including GDPR requirements.
Document/clarify any individual requirements of supervisory authorities in Norway, Sweden and Denmark.
Level of Confidence / Security Level
Document how to assist the Customers to assess/define the applicable security level.
Document how the Customers can control HRMTS' compliance with the security requirements.
(Including frequency of audits, expenses (time and material) related to audits, etc.)
Clarify HRMTS' policies around sub-vendors:
DPA is signed with all sub-vendors. (Current and future.)
DPA with sub-vendors cover the requirements of DPA with Customers.
Customers' approval/consent is not obtained during selection/change of sub-vendors, as long as it does not affect the DPA.
Document the contingency plan in case of a security breach.
Document the procedures to notify the Customers, without undue delay, after becoming aware of a personal data breach.
Document the procedures to supply adequate documentation to Customers related to personal data breach, and assist the Customers in ensuring compliance with the obligations to report data breaches to authorities and/or data subjects.
Document how HRMTS will handle inquiries from data subjects with objections or request for access to the processing of their personal data.
Document how HRMTS can access data, during the term of the contract and after its termination.
Document the termination plan.
Document the physical security regarding physical access to personal data and equipment containing personal data. Include details about compliance with requirements, including regular test and evaluation of the efficiency of the security measures.
(E.g. locked facilities/rooms, access control, alarm, video surveillance, fire and water damage protection, siting of screens, destruction of data media, etc.)
Document the technical security regarding protection of data from unauthorized access and ensure availability in case of incidents. Include backup routines. Include details about compliance with requirements, including regular test and evaluation of the efficiency of the security measures.
Document the organizational security regarding access to personal data only by authorized personnel. Include details about compliance with requirements, including regular test and evaluation of the efficiency of the security measures.
(E.g. policies, instructions, internal authorizations, governance of access rights, review of logs, governance of deletion of data, audits, etc.)
Document contingency plans including worst case scenarios. Also document how they will remain available in worst case scenarios.
Document all the personal data processing done in the applications.
Document risk assessment.
Document to what extent HRMTS can contribute to Customers' own risk assessments.
Glossary
HRMTS: HR Manager Talent Solutions.
System: The solutions offered by HRMTS, e.g. Talent Recruiter, Talent Manager, Talent Onboarding.
Customer: A company or organization subscribing to the System.
GDPR: General Data Protection Regulation.
Personal Data: Any information related to a natural person or 'Data Subject' that can be used to directly or indirectly identify the person.
Data Controller: The entity that determines the purposes, conditions and means of the processing of 'Personal Data'. (In this context, a Customer of HRMTS is represented as 'Data Controller'.)
Data Processor: The entity that processes data on behalf of the 'Data Controller'. (In this context, HRMTS is represented as 'Data Processor'.)
Data Subject: A natural person whose 'Personal Data' is processed by a 'Data Controller' or 'Data Processor'. (In this context, end-users of the System are represented as 'Data Subjects'.)
DPO (Data Protection Officer): An expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.
DPA (Data Processing Agreement): An agreement between 'Data Controller' and 'Data Processor' that reflects the parties' agreement with regard to the processing of 'Personal Data' on behalf of the 'Data Controller', in accordance with the requirements of Data Protection Laws.