HRMTS & GDPR

Foreword

The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).


This document describes HRMTS' attention and efforts to implement GDPR compliance in the System on behalf of our Customers.


External Resources

Please see the following resources for more information:


The Most Important

The following are the most important obligations the GDPR introduces:


Consent to Processing Data

A data controller must be able to demonstrate that consent to process personal data has been given by the data subject before processing of their data is started.

Existing consents, such as End User Agreements already in place, will probably remain valid if they meet the new conditions. It is important to remember, however, that the GDPR's requirements go further than before.


Where to find the rules?

  • Article 4: Definitions; (11) the data subject’s consent
  • Article 7: Conditions for consent
  • Article 8: Conditions applicable to child’s consent in relation to information society services
  • Article 9: Processing of special categories of personal data
  • Article 14: Information to be provided where the data are collected from the data subject


Access to Data

Data subjects have a right to know what personal data of theirs is being stored and how it is being processed. They can also ask for their data to be corrected if it is wrong. There is now also a requirement for data portability, meaning individuals can request their data to be delivered in a structured and commonly used file format, so that it can be transferred to some other organization.


Where to find the rules?


Data Minimization & Restriction of Processing

Personal data shall only be stored and processed to the extent where it is necessary to the explicit purpose for which the data was originally collected. Data shall also not be stored longer than necessary. Data subjects can also restrict processing of their data to certain purposes, e.g. direct marketing.


Where to find the rules?

  • Article 6: Lawfulness of processing
  • Article 18: Right to restriction of processing
  • Article 19: Notification regarding rectification, erasure or restriction


Right to be Forgotten

Data subjects may withdraw their consent to process their data at any time, and ask the data controller to erase their personal data. This must be done without undue delay. Reasonable steps must also be taken to inform third parties to remove any copies of that data.


Where to find the rules?

  • Article 17: Right to erasure (“right to be forgotten”)
  • Article 19: Notification regarding rectification, erasure or restriction


Obligation to Inform in Case of a Data Breach

In case of critical data breaches, the data controller/processor must inform the Supervising Authorities. The data subjects must also be notified if the data breach results in a significant risk to the impacted data subjects. These notifications must be issued without undue delay, and not later than 72 hours.


Where to find the rules?

  • Article 4: Definitions; (12) personal data breach
  • Article 33: Notification of a personal data breach to the supervisory authority
  • Article 34: Communication of a personal data breach to the data subject


Naming a Data Protection Officer

The data controller/processor must appoint a Data Protection Officer (DPO). The DPO can be either contracted or directly employed. While the appointment is mandatory for public authorities, private organizations must also appoint a DPO if their data processing includes regular, systematic and large-scale monitoring of data subjects.


Where to find the rules?

  • Article 37: Designation of the data protection officer
  • Article 38: Position of the data protection officer
  • Article 39: Tasks of the data protection officer


What Does It Mean for the Customers of HRMTS?

HRMTS' goal is to provide the Customers with a default configuration, so that their use of the System is 100% compatible with GDPR right out of the box (Privacy by Design and Privacy by Default). This way, the Customers do not have to worry about anything. However, those Customers who have heavily modified email templates and various custom texts will need to update the contents of a few of them. HRMTS Support will assist them fully in this process for a smooth and transparent transition.


What is HRMTS Doing?

HRMTS has full focus on GDPR, and is undergoing modifications and optimizations to implement GDPR compliance in the System on behalf of our Customers. The following is a brief overview of some of the most visible efforts. (Not in a particular order.)


Scope

HRMTS offers three main applications:

  1. Talent Recruiter
  2. Talent Manager
  3. Talent Onboarding


The work around GDPR compliance focuses on the following areas:

Focus Area: Applications
  • How do the data controller and data subjects access, use and process the data?
  • What options are available for data subjects?
  • Etc.

Focus Area: Organization
  • How does HRMTS staff access, use and process the data?
  • What processes and limitations are implemented for Support, Implementation, Development and DBA, and so forth?
  • Etc.

Focus Area: Vendors & Suppliers
  • How is data stored, accessed and processed at the data centers, and at other suppliers?
  • How is backup and restore managed?
  • Etc.


Categorization of Data

The foremost task in GDPR compliance is to identify and categorize the types of data stored and processed in the applications, since all the controls will be built on that categorization. The data will be divided into three categories (definitions under the GDPR):

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Sensitive Data: Personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
  • Non-Personal Data: Any information that by itself cannot be used to identify a person. (Non-identifiable, de-personalized, anonymous.)


The applications are already designed according to the Principle of Least Privilege, where all access is closed except when necessary for authorized users and legitimate purposes. Further effort is being put in to reach the full level of Privacy by Design and Privacy by Default. Each application uses different sets of data. The categorization of data will make it possible to implement processes and controls that provide maximum protection. The applications will implement special rights governing which users can access and use the various categories of data. On the organization level, similar controls will be implemented based on the role of the staff members, and similar controls and processes will be implemented for vendors and suppliers.


New Options to Data Subjects

The data subjects will be given access to the following new features:


Access to Data

The data subjects will be provided the option to request an overview of their personal data stored and processed in the applications.


Right to Rectification

The data subjects will be provided the option to rectify their data, in accordance with the regulations, even after the application form has been locked at the due date. (Applies to Talent Recruiter.)


Right to be Forgotten

The data subjects will be provided the option to request (demand) to be forgotten by the applications. In this case, the applications will delete all their personal data from the System, keeping only non-identifiable metadata for statistics and references. The deletion will also propagate to backups of the databases.


Extended User Rights

The applications will offer extended roles and rights for the users to accommodate their usage according to GDPR. The following is a brief overview of the new rights:

  • GDPR Officer: Assigned to an administrative user that will receive various notifications regarding GDPR, and can also trigger deletion of data requested by data subjects.
  • View Personal Data: Assigned to a user that is permitted to view personal data of data subjects.
  • Edit Personal Data: Assigned to a user that is permitted to edit personal data of data subjects.
  • Print/Email Personal Data: Assigned to a user that is permitted to print/email personal data of data subjects.
  • Delete Personal Data: Assigned to a user that is permitted to delete personal data of data subjects.
  • View Sensitive Data: Assigned to a user that is permitted to view sensitive data of data subjects.
  • Edit Sensitive Data: Assigned to a user that is permitted to edit sensitive data of data subjects.
  • Print/Email Sensitive Data: Assigned to a user that is permitted to print/email sensitive data of data subjects.
  • Delete Sensitive Data: Assigned to a user that is permitted to delete sensitive data of data subjects.


Extension of User Roles

The user roles will also be extended to fine-tune which roles can view what type of documents. E.g. it will be possible to configure that some users can only see the CV of the candidates, while others can also see the diplomas, and so forth. In case of Talent Manager, the extension will also include configuring job types.


Minimize Document Download & Sending

The documents uploaded by data subjects may contain various types of data that cannot be categorized. As all the applications offer functions to download and email the documents, it is also a challenge to keep track of them once they have left the System. Although it is technically the users' (Customers') responsibility to use these functions with care, HRMTS plans to offer mechanisms that make it easier for the users to continue working as they are used to while minimizing the risks.


View Documents in the Browser

The first function to be offered will be the option to view the documents right in the application (Internet Browser) without the need to download them. Users will still have the option to download them, but only when that is the explicit intent.


Send Links to Documents Instead of Attachments

The second function to be offered will be the option to send the documents in the emails as links, instead of attachments. The recipients of the emails can click on the links to view the documents right in the application (Internet Browser) without the need to download them. They will still have the option to download them, but only when the intent is exactly that.


In addition, there will be an option to configure a time limit for the validity of these links, so that they expire after X days.
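As an added illustration, not HRMTS' own code and not a description of how the System implements the feature, the following Python shows one standard way to enforce such a link expiry on the server side. The document id, the recipient and the expiry timestamp are bound together with an HMAC, so a recipient can neither extend the validity nor repoint the link at another document, and the view endpoint rejects the link once the configured number of days has passed. The signing key, the endpoint URL and the query parameter names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example: a deployment would load the key from a
# secret store and rotate it, and the endpoint is hypothetical.
SIGNING_KEY = b"constructed-example-signing-key"
VIEW_ENDPOINT = "https://hrmts.example.invalid/documents/view"

SECONDS_PER_DAY = 86400


def _sign(doc_id: str, recipient: str, expires: int) -> str:
    # Bind document, recipient and expiry together so none can be changed alone.
    payload = f"{doc_id}|{recipient}|{expires}".encode()
    digest = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_document_link(doc_id: str, recipient: str, days_valid: int,
                       now: Optional[int] = None) -> str:
    """Build a view link that stops working `days_valid` days after issue."""
    issued = int(time.time()) if now is None else now
    expires = issued + days_valid * SECONDS_PER_DAY
    query = urlencode({"doc": doc_id, "to": recipient, "exp": expires,
                       "sig": _sign(doc_id, recipient, expires)})
    return f"{VIEW_ENDPOINT}?{query}"


def verify_document_link(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Server-side check: returns (True, doc_id) or (False, reason)."""
    current = int(time.time()) if now is None else now
    params = parse_qs(urlparse(url).query)
    try:
        doc_id = params["doc"][0]
        recipient = params["to"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    # Constant-time comparison; a mismatch means doc, recipient or expiry was altered.
    if not hmac.compare_digest(_sign(doc_id, recipient, expires), sig):
        return False, "bad signature"
    if current >= expires:
        return False, "expired"
    return True, doc_id


if __name__ == "__main__":
    link = make_document_link("doc-42", "reviewer@example.invalid", days_valid=7)
    print(link)
    print(verify_document_link(link))
```

The recipient is part of the signed payload so that a forwarded link can be tied back to the address it was issued to in the activity log; the expiry is checked only after the signature, so a tampered `exp` value is reported as a forgery rather than as an ordinary expired link.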


Stop/Limit Access from Outside EU

All access to data will by default be limited to inside the EU, except for the following:

  1. The Customers configure their accounts to allow their users to access data outside EU.
  2. HRMTS' DBA outside EU who will be performing database administration, and creating custom reports.


Exhaustive Logging

All applications will offer exhaustive logging (in terms of activity logs) for the administrators where they can keep track of which users have accessed, edited, or deleted what type of data. The logs will also explicitly keep track of all access from outside EU.


Updated DPA with Customers

All Data Processing Agreements (DPAs) will be updated with Customers to include the terms and conditions of GDPR.


Updated Consents from Data Subjects

All data subjects will receive the option to give/renew their consent to the updated terms for data storage and its use.

Appendix A - Infrastructure for data handling

Encryption and security

More information on how HR Manager treats data when it comes to encryption can be found here: Encryption and security of data in HRMTS.

Logging

Read about different levels of logging supported by HR Manager here: Logging in HRMTS

Database backups

Read about our backup routines and find information about how we do backups of databases.

Authentication and Authorization

Authentication is done by our identity server, HRID, and users are authorized through department memberships and roles. Read more about it here: Authentication and Authorization

Appendix B - Additional GDPR Checklists

The following are the guiding checklists used by HRMTS to focus on various details of the compliance.


Application Checklist

Main Area / Sub Area / Checkpoints

Privacy by Design & Privacy by Default
  Personal & Sensitive Data Protection
    • Sensitive data protection principles are part of the core application design.
    • The application has data classification or data taxonomy features for personal and sensitive data.
    • Prevent unencrypted personal and sensitive data from leaving the perimeter during data transfer.
    • Log and monitor network traffic to identify and investigate inappropriate personal and sensitive data transfers.
    • Ensure data exchange through secure means during data collection and exchange with third parties.
    • Ensure mechanisms for anonymization of personal and sensitive data based on stripping, so that data is no longer personal or sensitive.
    • Ensure mechanisms for anonymization of personal and sensitive data based on encryption / pseudonymization, so that data is still personal or sensitive when used with certain criteria/keys.
    • Ensure mechanisms for anonymization of personal and sensitive data while porting data from production systems to test/development systems.
    • Ensure mechanisms for anonymization of personal and sensitive data in reports and other interfaces.
    • Ensure mechanisms for restriction of copying of personal and sensitive data to unapproved containers (e.g. email, web browsers), including controlling the ability to copy, paste and print sections of documents.
    • Ensure mechanisms for hardening mobile device configurations and features such as password protection and remote wipe facilities.
  Deployment Controls
    • Ensure change management controls to detect any addition / deletion of personal data or sensitive fields in the application.
    • Ensure that the application tracks all the changes made to an individual's personal data.
  Operationalization
    • Ensure application scalability and future-proofing for GDPR compliance for all possible future changes in the application.
  Documentation
    • Ensure Privacy by Design & Privacy by Default in the application.
    • Certify the application to comply with requirements for Privacy by Design & Privacy by Default.

Rights & Consent Management
  Capture Rights
    • Ensure mechanisms to capture data subjects' rights to consent, to be forgotten, and so forth.
    • Ensure that intentional updates of personal data are synchronized to all relevant places where the information is stored in the application.
    • Ensure that the application systematically removes any personal data of a subject upon request. (Right to be forgotten.)
    • Ensure that the application supports the controller's obligation to inform the data subject of the collection of personal data. (E.g. a built-in notice to the user when signing up on a website.)
  Consents
    • Ensure that the application has features to track or alert consent decisions to authorities in the organization. (E.g. the DPO.)
    • Ensure that the application has features to collect and store consents.
    • Ensure that the application provides functions to document digital consent (not signed) from the data subject or other authorization for processing of personal data (lawfulness of processing). (E.g. log files documenting user acceptance, or technical documentation that it is not possible to create a user profile without giving consent.)
  Automation
    • Ensure that the application has automated ways to comply with the rights of the data subject.
    • Ensure that automated compliance with rights is described in the system documentation.

Governance
  Data
    • Ensure that the application tracks and logs all the changes made to a data subject's personal data.
    • Consider introducing a feature for de-duplication of sensitive data.
    • Consider handling multi-lingual sensitive data.
  Technology
    • Consider an automated governance process for securing the data in motion, in use and at rest.
  Process
    • Ensure processes and policies are set up for personal data usage/consumption.
    • Consider processes by which the following are updated regularly:
      • PII (Personally Identifiable Information)
      • PHI (Protected Health Information)
      • PCI (Payment Card Information)
    • Ensure maintenance of rights traceability. Document the process of data sharing at the application level.
    • Document the method of customer data archival.
  People
    • Document role-based access for different datasets.
    • Document the security levels existing today. (E.g. row-based, object-based, report-based, etc.)
    • Ensure flexible configuration supporting easy changes in access rights. (E.g. when there are changes in the organization or reassignments.)

Breach Assistance
  Monitoring
    • Ensure that the application has a breach notification capability.
    • Ensure that it is possible to generate fully comprehensive and reliable compliance reports.
  Breach Prevention
    • Ensure that the application has a methodology for breach prevention. (E.g. predictive analytics solutions.)

Assurance
  Quality Framework
    • Document assurance practices or controls.
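The checkpoints above on anonymization by stripping, anonymization by encryption / pseudonymization, and anonymization while porting data from production to test/development systems can be illustrated with the following Python, added here as an example and not code from HRMTS or the System. It takes constructed candidate records, uses the page's Personal Data and Sensitive Data categories as field sets, and shows both approaches side by side: stripping removes the fields outright, so the result is no longer personal data, while keyed HMAC pseudonymization keeps consistent stand-in tokens so that test data still joins correctly but the real values are recoverable only by whoever holds the key and a lookup table, which is why the checklist treats such output as still personal. A release check refuses to hand over an export in which any original value survived. The field names, the key and the records are assumptions.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Iterable, List

# Constructed candidate records in the shape a recruiting application might
# hold; names, e-mails and ids are invented for this example.
PRODUCTION_RECORDS: List[Dict[str, Any]] = [
    {"candidate_id": 1017, "name": "Kari Nordmann", "email": "kari@example.invalid",
     "national_id": "01019012345", "union_member": True,
     "applied_for": "Backend Developer", "status": "interview"},
    {"candidate_id": 1018, "name": "Ola Hansen", "email": "ola@example.invalid",
     "national_id": "02029023456", "union_member": False,
     "applied_for": "Backend Developer", "status": "rejected"},
]

# Field sets follow the page's categories: Personal Data, and Sensitive Data
# (trade union membership is a special category under Article 9).
PERSONAL_FIELDS = {"name", "email", "national_id"}
SENSITIVE_FIELDS = {"union_member"}


def strip_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Anonymization by stripping: drop every personal and sensitive field.
    What remains is non-personal metadata, usable for statistics."""
    return {k: v for k, v in record.items()
            if k not in PERSONAL_FIELDS and k not in SENSITIVE_FIELDS}


def pseudonymize_record(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Keyed pseudonymization: identifiers become HMAC tokens. The same input
    under the same key gives the same token, so relations between records are
    preserved in the test system; only the key holder can map tokens back via
    a lookup table, so the result still counts as personal data under GDPR."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in PERSONAL_FIELDS:
            # The field name is part of the message so equal values in
            # different columns do not share a token.
            msg = f"{field}:{value}".encode()
            out[field] = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        elif field in SENSITIVE_FIELDS:
            out[field] = None  # no stand-in at all for sensitive data in test
        else:
            out[field] = value
    return out


def leaked_values(exported: Iterable[Dict[str, Any]],
                  originals: Iterable[Dict[str, Any]]) -> List[str]:
    """Release check before data leaves production: list any original personal
    value that still appears anywhere in the exported records."""
    secrets = {str(r[f]) for r in originals for f in PERSONAL_FIELDS if f in r}
    dump = json.dumps(list(exported))
    return sorted(s for s in secrets if s in dump)


def export_for_test(records: List[Dict[str, Any]], key: bytes) -> List[Dict[str, Any]]:
    """Pseudonymize a whole batch and refuse to hand it over if anything leaked."""
    exported = [pseudonymize_record(r, key) for r in records]
    leaks = leaked_values(exported, records)
    if leaks:
        raise ValueError(f"export blocked, identifiers present: {leaks}")
    return exported


if __name__ == "__main__":
    key = b"constructed-export-key"  # constructed; the real key stays in production
    for row in export_for_test(PRODUCTION_RECORDS, key):
        print(row)
    print([strip_record(r) for r in PRODUCTION_RECORDS])
```

Because the pseudonymization key never leaves production, the test/development copy on its own cannot be mapped back to individuals; the release check in `export_for_test` is what turns the checklist item into something the pipeline enforces rather than a reviewer's judgement call.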


Organization Checklist

Main Area / Sub Area / Checkpoints

Organization & Setup
  Warranty, Certificates & Authorizations
    • Provide a warranty to implement applicable physical, technical and organizational security requirements to comply with GDPR and the rights of data subjects.
    • Prepare a Code of Conduct that describes guidelines for processing of personal data.
    • Include the clause in the DPA regarding transfer of personal data outside the EEA in regard to the DBA.
  Roles & Responsibilities
    • Appoint a Data Protection Officer (DPO).
    • Document who will be responsible for fulfilling the obligation to inform Customers in case of security breaches.

Data Processor Agreement
  Standard Data Processor Agreement
    • Ensure that the DPAs comply with the regulations both before and after 25.05.2018.
    • Create/update a standard DPA including GDPR requirements.
  Supervisory Authority
    • Document/clarify any individual requirements of supervisory authorities in Norway, Sweden and Denmark.
  Level of Confidence / Security Level
    • Document how to assist the Customers to assess/define the applicable security level.
    • Document how the Customers can control HRMTS' compliance with the security requirements. (Including frequency of audits, expenses (time and material) related to audits, etc.)
  Sub-Vendors
    • Clarify HRMTS' policies around sub-vendors:
      • A DPA is signed with all sub-vendors. (Current and future.)
      • DPAs with sub-vendors cover the requirements of the DPA with Customers.
      • Customers' approval/consent is not obtained during selection/change of sub-vendors, as long as it does not affect the DPA.

Procedures
  Breach Assistance
    • Document the contingency plan in case of a security breach.
    • Document the procedures to notify the Customers, without undue delay, after becoming aware of a personal data breach.
    • Document the procedures to supply adequate documentation to Customers related to a personal data breach, and assist the Customers in ensuring compliance with the obligations to report data breaches to authorities and/or data subjects.
  Procedures
    • Document how HRMTS will handle inquiries from data subjects with objections or requests for access to the processing of their personal data.
    • Document how HRMTS can access data, during the term of the contract and after its termination.
    • Document the termination plan.
  Physical Security
    • Document the physical security regarding physical access to personal data and equipment containing personal data. Include details about compliance with requirements, including regular testing and evaluation of the efficiency of the security measures. (E.g. locked facilities/rooms, access control, alarms, video surveillance, fire and water damage protection, siting of screens, destruction of data media, etc.)
  Technical Security
    • Document the technical security regarding protection of data from unauthorized access and ensuring availability in case of incidents. Include backup routines. Include details about compliance with requirements, including regular testing and evaluation of the efficiency of the security measures. (E.g. firewalls, anti-virus, anti-malware, backup, restore, etc.)
  Organizational Security
    • Document the organizational security regarding access to personal data only by authorized personnel. Include details about compliance with requirements, including regular testing and evaluation of the efficiency of the security measures. (E.g. policies, instructions, internal authorizations, governance of access rights, review of logs, governance of deletion of data, audits, etc.)
    • Document contingency plans including worst-case scenarios. Also document how they will remain available in worst-case scenarios.
  Other Documentation
    • Document all the personal data processing done in the applications.

Risk Assessment
  Contribution
    • Document the risk assessment.
    • Document to what extent HRMTS can contribute to Customers' own risk assessments.






Terminology

Term / Description

  • HRMTS: HR Manager Talent Solutions
  • System: Solutions offered by HRMTS, e.g. Talent Recruiter, Talent Manager, Talent Onboarding
  • Customer: Company or organization subscribing to the System
  • GDPR: General Data Protection Regulation
  • Personal Data: Any information related to a natural person or 'Data Subject' that can be used to directly or indirectly identify the person.
  • Data Controller: The entity that determines the purposes, conditions and means of the processing of 'Personal Data'. (In this context, a Customer of HRMTS is represented as 'Data Controller'.)
  • Data Processor: The entity that processes data on behalf of the 'Data Controller'. (In this context, HRMTS is represented as 'Data Processor'.)
  • Data Subject: A natural person whose 'Personal Data' is processed by a 'Data Controller' or 'Data Processor'. (In this context, end-users of the System are represented as 'Data Subjects'.)
  • DPO: Data Protection Officer. An expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.
  • DPA: Data Processing Agreement. An agreement between 'Data Controller' and 'Data Processor' to reflect the parties' agreement with regard to the processing of 'Personal Data' on behalf of the 'Data Controller', in accordance with the requirements of Data Protection Laws.