Whether you are a data processor or a data controller, you need first-rate security measures. The introduction of the General Data Protection Regulation (GDPR) has quite honestly struck fear into the hearts of many companies, but where many saw a challenge, HireRight saw an opportunity to demonstrate to our clients and candidates that we take their data security and privacy very seriously.
Here are the 8 steps that HireRight took to prepare for the GDPR and beyond:
- We Mapped Our Data Flows
Our first step was to create a map of where data comes from and where it moves to during the screening process: how does candidate information get into our system and, once it is in there, where does it go? This isn’t as simple as it might sound, because the map has to take into account clients, vendors, sources, candidates and laws from across the world.
Once we had it mapped, we could work out how we could improve how we move all that data. We also used it to categorise our vendors in terms of the sensitivity of the data that they handle, to ensure they all adhere to the same high encryption standards.
- We Achieved ISO Certification
To make it clear how seriously we take data security, we applied for and gained the respected ISO/IEC 27001:2013 certification. Any size or type of business can apply for this accreditation, which, according to the independent standard-setting body ISO, proves that an organisation is “establishing, implementing, maintaining and continually improving an Information Security Management System”.
Becoming certified to ISO 27001 provides independent assurance that our Information Security Management System has been tested and audited in line with internationally accepted standards. The standard provides guidance for implementing appropriate measures to mitigate risks, with recommended technical measures in line with the requirements of the GDPR. It also promotes a culture and awareness of information security that ensures data security is entrenched across the business.
HireRight’s Information Security Manager for EMEA and APAC believes the accreditation is a valuable step, as firm evidence of the real quality of your data operations: “The ISO certification is wide-ranging, covering everything from password management and access control to network security. It’s not easy to achieve, requiring a number of stages of information collection and audits which ensure your processes are robust, controlled and clearly managed.
“What’s really important about this certification is that it’s about the ongoing management of systems. It’s not a one-off, ‘let’s tick that off the list’ award, but a standard to be upheld as the security landscape continues to change at a pace. We used it as a template so that we knew we were delivering exactly what was required and now we are building on that even further to ensure that our information security management is second to none.”
- We Carried out Data Privacy Impact Assessments (DPIAs)
Data controllers are required to carry out DPIAs. A vital part of the idea of ‘Privacy by Design’, they are a tool to make sure that privacy and data protection are key considerations when sharing data, and that risks to EU citizens’ data are highlighted and addressed.
Because data is so integral to everything we do, we have decided to carry out DPIAs across almost the whole business and will continue to do so as the GDPR and our understanding of the regulation develops.
- We Improved Our Policies and Procedures
Our services are quite specialised; our clients are not simply outsourcing payroll. We’ve been looking at how we carry out criminal checks, media checks and references to make sure we focus only on information that potential employers need to know.
We reviewed the full candidate journey and asked ourselves, “What can we do better? How can we make sure everything that we do is clear, transparent, open and fair?”
- We Ring-Fenced Our EU Data
At the heart of the GDPR is putting control of personal data back into the hands of the individual. Under the regulation, everyone has the right to determine what personal data is used and how and where it is processed and transferred. In practical terms, if a background screening company is processing the data of an individual for the purposes of employment on behalf of a third party (the employer), the individual has the right to refuse to have his or her data transferred or processed outside of the EU.
This means that data processors, such as background screening companies, need to be able to demonstrate systems, processes and IT design that ensure no personal data, other than that which is pertinent to a particular check, is transferred outside the EU. This includes customer service representatives viewing files that contain personal data. With greater controls and rights for data subjects and their personally identifiable information, HireRight has integrated the ability to ring-fence the storage of EU nationals’ data within our EU data centres. This ensures we meet the conditions laid out in the GDPR for the protection of their information.
- We Created Supporting Documents
Until now, people were given the option to opt out of screening at the very start and were made aware that their data wouldn’t be sent beyond the EU. That just doesn’t go far enough anymore.
To meet the principles of the GDPR and our own commitment to be as clear and transparent as possible, in our supporting documents, we now invite candidates to read much more information and to get in touch if they’ve got any questions.
We tell them who is screening them and why they are being screened. We let them know where their data might go and when, and which sources of information we use. This helps candidates feel safer and more secure about the process.
We have adopted a layered approach to strike a balance between providing full, clear and transparent information and overloading a candidate with too much of it. A candidate can explore the various levels of detail as they wish, with the aim of making the right level of information readily and easily available at both ends of that spectrum.
- We Updated Consent Forms and Privacy Policies
To help our clients with their obligations as data controllers, we’re preparing for candidate queries about the right to be forgotten, the right of access and the right to erasure.
We’ve also agreed our breach notification policies. The GDPR imposes narrow time frames, and we want to know the exact process for correcting issues and communicating with clients and candidates.
We’re making sure that we have strong data processor agreements in place with all our clients so that the regulators know how we are working together.
- We Offered Aligned Products and Services
We’ve got an increasingly global workforce with increasingly complex legislation, so we have created a single global platform that delivers consistent results and ensures clients have an entirely level playing field in how they are assessing candidates.
You can read more about how HireRight prepared for the GDPR in our GDPR White Paper.