The EU General Data Protection Regulation (GDPR) comes into effect in May 2018. This legislation is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
Zeel Solutions will comply with applicable GDPR regulations as a data processor when they take effect on 25th May 2018. Working in conjunction with our clients, we will explore opportunities within our service offerings to assist our customers in meeting their GDPR obligations.
Where Do We Stand?
We are committed to addressing EU data protection requirements applicable to us as a data processor. These efforts have been critical in our ongoing preparations for the GDPR:
Our ability to fulfil our commitments as a data processor to our customers, the data controllers, is a part of our compliance with GDPR where data controllers are using a third party like us to process personal data.
Third-party audits and certifications
Zeel Solutions has the distinction of being one of the first recruitment software providers to be ISAE 3402 audited and compliant. The audit covers internal governance, production operations, change management, data backups, security and software development processes. It evaluates whether we have the appropriate controls and processes in place and whether they are actively functioning appropriately in accordance with related standards.
ISAE 3402 offers independent verification that our security practices offer a recognised standard of security measures. Furthermore, the program is designed to cover key elements of data processing and integrity, while maintaining auditing practices within our business and operational processes. As all customers are concerned with their data and its security, Zeel Solutions has integrated its ISAE 3402 controls into its operating procedures. These procedures span the organisation, teams or functions that provide service or support to our clients on our platform.
Encrypted Data in Transit
Our hosted solutions are accessed via https:// which means data is encrypted in transit between the browser and the server – this is for all web portals.
Encrypted Data at Rest
We offer data Encryption at Rest, where the database is encrypted, as an optional service – this is our preferred / recommended option for customers.
Web Portal Security
- User passwords are stored in an encrypted format
- Preventing weak passwords
- Secure forgotten password / reset
- Captcha tests
- Locking down to customer-owned IP address or range.
- We use SSL with locked-down SSL protocols and ciphers.
- We have many user permissions, so that you can restrict access to specific categories of data and areas of our solutions to only those users who need access.
Where do you stand as a Data Controller?
The legislation places new obligations on you as a Data Controller and on our relationship with you as your Data Processor.
Get to know GDPR: Familiarise yourself with the provisions of the new regulation, particularly how it may differ from your current data protection obligations and consider the relationships you have with both your clients and candidates.
Audit your data and processes for data capture: Consider creating an updated and precise inventory of personal information that you control. Review your current controls and processes to ensure that they’re adequate, and build a plan to address any gaps.
Stay informed: Stay abreast of updated regulatory guidance as it becomes available and consider consulting a legal expert to obtain guidance applicable to you. We recommend regular review of the Information Commissioner’s website.
Helping your candidates to exercise their rights under GDPR
Many of the rights of data subjects are already supported by our solutions.
We are committed to assisting our customers in meeting their requirements under the GDPR and, where possible, making the process easy to manage.
We acknowledge that your customers, workers and third-party suppliers have the right to access their personal information. In all cases, we have no direct relationship with the individuals whose personal information we process. We recommend that anyone who seeks access, or who seeks to correct, amend, or delete personal information should direct their query to you as the data controller.
The Right of Access
You can provide customers, candidates, workers and third-party suppliers with the personal data you hold on them via our solutions.
The Right of Rectification
Customers, workers and third party suppliers should contact the data controller to rectify any data that is incorrect.
Right to Erasure
Customers, workers and third party suppliers should contact the data controller to remove any data.
Right to Data Portability
The GDPR includes certain requirements on data controllers for the portability of personal data. The data our customers store in our solutions is theirs. We provide for portability and are continually working to enhance the robustness of our data export capabilities.
Our ICO Data Protection Registration
Zeel Solutions Limited is registered for Data Protection with the Information Commissioner’s Office (ICO); our registration is Z1329630.