At HireTeamMate, Inc. dba Hiretual ("HTM"), we believe personal information is important, valuable, and private to its owner (the "data subject"). HTM is committed to making every effort, and to taking serious policy and technical measures, to protect the data of our customers and the individuals involved.
As HTM builds advanced sourcing technology into our product in order to understand and serve customers better, we are keenly aware of our ultimate accountability for data subjects' rights to privacy and security, and we have been transparent with data subjects that they have every right to control how their data is used. Currently HTM is fully compliant with the EU-US Privacy Shield Framework set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.
Beyond the EU-US Privacy Shield Framework, with the General Data Protection Regulation ("GDPR") taking effect on May 25, 2018, our partners and customers can count on HTM's commitment to GDPR compliance. HTM welcomes this law as an important step forward in personal data protection across the European Union.
The GDPR effectively extends the reach of the European Union's data protection laws and establishes many new requirements for organizations that fall under its scope. In essence, GDPR demands greater transparency from data controllers and processors about E.U. residents' rights and about the principles under which their personal data is lawfully, fairly and transparently collected and processed. Companies both inside and outside the E.U. must comply with GDPR as soon as they handle the personal data of E.U. residents. GDPR imposes harsh penalties for violation or non-compliance.
The deadline for GDPR compliance is May 25, 2018. HTM is committed to, and has been working on, enhancements to our policies, processes and product for the purpose of being compliant as both a data processor and a data controller under the GDPR.
GDPR applies to both data controllers and processors. The data controller determines the purpose and means of processing personal data from any E.U. natural person (the "data subject"), while the processor processes personal data on behalf of the controller. Once the GDPR is in force, data controllers and processors must implement appropriate security measures, at both a technical and an organizational level, to ensure that when personal data is collected it is used only for the specific purpose stated.
HTM's users and customers are primarily in the U.S. Generally, HTM has no specific intent or purpose to process data from E.U. residents, or to transfer data to or from the E.U. While the impact of GDPR on HTM is relatively small, HTM will still ensure its GDPR compliance.
HTM as a Data Controller
For the purposes of collecting personal data and marketing to our own customers and prospects, HTM is considered a data controller under GDPR and will be required to meet all requirements the regulation imposes on data controllers.
HTM as a Data Processor
For the purposes of providing sourcing services to our customers, HTM is a data processor under GDPR and will also be required to meet all requirements imposed on data processors. When our customers use HTM services and instruct HTM to collect, source, and process data on E.U. job candidates on their behalf, our customers are the data controllers and are responsible for their own GDPR compliance.
As a Data Controller, HTM collects the following data from public sources:
Social profile picture
Social profile links
As a Data Processor, the kind of data collected by HTM at customers' discretion may include:
Social profile picture
Social profile links
The data subjects' rights under GDPR include the following:
Right to Data Portability - the right to receive data from and transmit data to a data controller, retaining control of their personal data.
Right to be Forgotten - the right of erasing or removing personal data if there is no compelling reason for its continued processing.
Right to Restrict Processing - the right to block or suppress processing of personal data. If the personal data in question has been disclosed to third parties, those third parties must be informed about the restriction on processing, unless doing so is impossible or involves disproportionate effort.
Right to be Informed - the right to be told clearly how, and for what purposes, their personal data will be used.
Right to Rectification - the right to have incomplete personal data completed.
Right of Access - the right to access their personal data so that they are aware of, and can verify, the lawfulness of the processing.
Right to Object - the right to object to the use of personal information in certain circumstances including profiling and marketing unless the data controller has compelling legitimate grounds.
Right in relation to Automated Decision Making or Profiling - the right to be safeguarded against potentially damaging decisions taken without human intervention.
HTM is working diligently to ensure the privacy rights of its users, customers and partners. As part of our continuous efforts, we have implemented the following organizational measures:
Implementing a new data protection policy, which stipulates our data collection methods and practices and ensures that our users, customers and partners are informed about their privacy rights and obligations in a transparent manner.
Following the ISO/IEC 27001 standard, which sets out the requirements for a company's information security management system (ISMS). An ISMS manages sensitive company information so that it remains secure; it covers people, processes and IT systems by applying a risk management process.
Following the ISO/IEC 27018 standard. ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In addition, HTM uses Amazon Web Services (AWS). AWS is ISO/IEC 27018 certified and has a system of controls in place that specifically addresses the privacy protection of HTM's content.
Pursuing SOC 2 certification. SOC 2 is an auditing procedure that ensures HTM securely manages data to protect the interests and privacy of customers.
Continuously evaluating and improving current internal and external system security for data protection, for example through continual penetration testing and vulnerability scanning of HTM systems, improving the security of data processing, and tightening endpoint security on HTM devices and platforms.
Improving HTM's ability to identify, investigate, and prevent breach attempts by malicious actors in real time.
We are in the process of implementing GDPR requirements in our day-to-day routine by structuring, together with our legal counsel, a comprehensive GDPR-compliance readiness training handbook that specifies the precise measures to be taken in light of the new regulation.
GDPR expects that personal data "may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes". HTM and our customers will therefore need to pay extra attention to what personal data is being stored - and why. Neither HTM nor our customers will store personal data that is not necessary or justifiable for that purpose, or use it for other purposes. In order to comply with GDPR, HTM is executing the following changes in its product and marketing practices:
Appointed HTM's Data Protection Officer (DPO), who will be properly and promptly involved in all issues related to the protection of personal data and will report to the highest management at HTM.
Integrated a separate "Consent" page into HTM's online portal and into agreements with users. GDPR requires that consent be freely given, specific, informed, unambiguous and given via a clear affirmative action. Single opt-in methods, pre-ticked checkboxes, or "implied consent" do not meet these expectations. In addition, users will be informed that consent can be withdrawn at any time.
Document every location where personal data, flowing to and from E.U., is located, processed, stored, or transmitted.
Conduct Data Protection Impact Assessment (DPIA).
Enhance the ability to identify and report breaches. Make sure to report any breach to the GDPR supervisory authority, and to the controller when HTM is a processor, without undue delay and, where feasible, no later than 72 hours after having become aware of the breach.
Under GDPR, a transfer of personal data to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection (an "adequacy decision"). If HTM collects and transfers E.U. personal data to the U.S., another third country or an international organization in the absence of an adequacy decision, HTM will provide appropriate safeguards and effective legal remedies, such as standard contractual clauses adopted by the Commission or an approved certification mechanism. HTM is currently certified under and compliant with the EU-U.S. Privacy Shield Framework, under which participating U.S. companies are considered to provide adequate data protection.
HTM's GDPR readiness roadmap
Conduct Data Protection Impact Assessment
Document every instance where personal data, flowing to and from E.U., is located, processed, stored, or transmitted
Develop HTM's GDPR compliance measures and training
Design privacy, data management, and security management standards
Test out organizational and technical measures to become GDPR compliant
Monitor and evaluate the results
Improve the systems to ensure continued compliance
Pursue industry standard security and framework certifications
HTM's primary responsibilities to our customers as a data processor are to ensure that our operating policies and practices, and our product and platform, adhere to GDPR requirements. We are also working hard to cooperate with our customers and to offer features that help them in their efforts to be GDPR compliant while using HTM products. Part of that commitment is providing tools that make it easier and more efficient for our customers to manage their compliance with privacy directives and legislation such as GDPR. HTM does not offer any specific GDPR compliance services to our customers. We recommend that our customers seek their own advice from legal counsel.