General Data Protection Regulation (GDPR) is all set to come into effect on 25th May 2018. GDPR will certainly be a positive move, shedding light on consumer privacy and data security, creating more value for customers. GDPR aims to fortify and unify data protection within the European Union.
GDPR has outlined specific laws and regulations that organizations dealing with citizens/ consumers (data subjects) of EU (European Union) should abide by. The GDPR is all about the rights of the data subjects vis-a-vis their data as well as roles and responsibilities of organizations collecting/ using this data.
Being a pre-employment skill assessment software, the most relevant forms of data for iMocha include personally identifiable information or (PII), which can include people’s name, email addresses, telephone numbers, and any other information that reveals someone’s identity.
Our team at iMocha has worked diligently to ensure that we are compliant with the regulations stipulated by GDPR and have refined our product which in turn empowers our customers to be GDPR compliant as well.
iMocha’s approach to GDPR compliance
For efficient evaluation of candidates, organizations are required to collect identifiable data, essential to building candidate profile. Our customers use iMocha’s assessment platform to assess skills of candidates. Since we process the candidate data on behalf of our customers, we become Data Processors while our customers are Data Controllers. While processing the data for our clients we have ensured that we have complied with GDPR in the below ways:
Rights of Data Subjects
Article 5 of GDPR stipulates personal data can be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘lawfulness, fairness and transparency’)”. In addition to the above, Article 6 of GDPR states the lawful reasons to process data are as below:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
In accordance with this, iMocha has updated its terms & conditions with messages that clearly mentions how we process information in a fair, transparent, and legal manner with the explicit consent of the data subject.
iMocha has the mechanism in place to honor a data subject’s right to revoke their consent, the right to be forgotten, and rectify the data.
While GDPR states that the data subject can revoke their consent at any time, it also permits this request to be declined by the data controller if the processing of this request is required for legitimate purposes.
Data Management and Processing
Secure Data Processing by design and default:
In compliance with Article 25 of GDPR, we ensure that the highest possible safeguards for Data security have been put in place. All candidate data is secured and encrypted at rest. In addition to this, our assessment platform is designed to process and store information using appropriate security measures.
Data Storage
As per GDPR guidelines, PII data should not be stored indefinitely. iMocha has provided its customers (data controllers) the right to define the length of time their candidates’ personal data is to be stored and when it will be deleted.
Data Transfer
Article 46 of GDPR states that if the customer (data controller) and iMocha (data processor) have entered into a contract, and if the data processor has appropriate security measures in place, the data can be transferred outside EU borders. iMocha has a standard EU- specific data transfer and processing agreement to ensure compliance with GDPR.
Record Maintenance
Article 30 of GDPR stipulates that each data controller’s representative needs to maintain a record of all activities concerning the personal information of a data subject. iMocha on its part maintains a detailed Audit log which enables its customers to maintain the data record.
Data Breach Notification Process
In accordance with Article 33 of GDPR, any data breach has to be reported to the supervisory authority within 72 hours of the occurrence. iMocha has adequate data monitoring measures to be intimated of any such breach. On discovery of such a breach, iMocha will notify its customers (data controller) within 24 hours. The communication will be sent as per the guideline mentioned in Article 33. This ensures sufficient time for our customers to inform about the breach to the respective authorities.
Data Protection Officer
In keeping up the regulation, we have appointed a Data Protection Officer (DPO) to ensure the protection of data, internal monitoring, and compliance with GDPR. For any GDPR related queries, you can contact our DPO, Neha Kulkarni on support@imocha.io
The way ahead
iMocha is fully GDPR compliant with the requisite changes made in our software to ensure our customers are GDPR compliant as well.
If you have any questions related to our GDPR compliance, please drop us an email on support@imocha.io
Happy Recruiting!