FAQ on GDPR
As HTM builds advanced sourcing technology into our product in order to understand and serve customers better, we are keenly aware of our ultimate accountability for data subjects' rights to privacy and security, and we have been transparent with data subjects that they have every right to control how their data are used. Currently HTM is fully compliant with the EU-US Privacy Shield Framework set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.
Beyond the EU-US Privacy Shield Framework, with the General Data Protection Regulation ("GDPR") taking effect on May 25, 2018, our partners and customers can count on HTM's commitment to GDPR compliance. HTM welcomes this law as an important step forward in personal data protection across the European Union.
Overview of GDPR
When does GDPR go into effect?
HTM is committed to and has been working on enhancements to our policies, processes and product for the purposes of being compliant as both a data processor and a data controller under the GDPR.
Who does GDPR apply to?
Once the GDPR is in force, data controllers and processors must implement appropriate security measures, at both the technical and organizational level, to ensure that when personal data is collected it is used only for the specific purpose stated.
What areas of HTM's business might be impacted by GDPR?
HTM as a Data Controller
What personal data does HTM collect?
Personal data HTM collects as a data controller may include:
- Name
- E-mail address
- Phone number
- Estimated location
- Education overview
- Career overview
- Social profile picture
- Social profile links
- Skills
HTM as a Data Processor
Personal data HTM processes as a data processor may include:
- Name
- E-mail address
- Phone number
- Estimated location
- Education overview
- Career overview
- Social profile picture
- Social profile links
- Skills
What rights do data subjects have under GDPR?
- Right to Data Portability – the right to receive their data from a data controller and transmit it to another, retaining control over their personal data.
- Right to be Forgotten – the right to have personal data erased or removed if there is no compelling reason for its continued processing.
- Right to Restrict Processing – the right to block or suppress processing of personal data. If the personal data in question has been disclosed to third parties, they must be informed about the restriction on processing, unless this is impossible or involves disproportionate effort.
- Right to be Informed – the right to clear information on how, and for what purposes, their personal data are used.
- Right to Rectification – the right to have inaccurate personal data corrected and incomplete personal data completed.
- Right of Access – the right to access their personal data so that they are aware of, and can verify, the lawfulness of the processing.
- Right to Object – the right to object to the use of personal information in certain circumstances, including profiling and marketing, unless the data controller has compelling legitimate grounds.
- Right in relation to Automated Decision Making or Profiling – the right to safeguards against potentially damaging decisions taken without human intervention.
HTM's ongoing commitment to data protection
- Implementing a new data protection policy, which stipulates our data collection methods and practices and ensures that our users, customers and partners are informed about their privacy rights and obligations in a transparent manner.
- Following the ISO/IEC 27001 standard, which sets out the requirements for a company's information security management system (ISMS). An ISMS manages sensitive company information so that it remains secure, covering people, processes and IT systems through a risk management process.
- Following the ISO/IEC 27018 standard. ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In addition, HTM uses Amazon Web Services (AWS). AWS is ISO/IEC 27018 certified and has a system of controls in place that specifically addresses the privacy protection of HTM's content.
- Pursuing SOC 2 certification. SOC 2 is an auditing procedure that verifies HTM securely manages data to protect the interests and privacy of customers.
- Continuously evaluating and improving current internal and external system security for data protection, for example through continual HTM penetration testing and vulnerability scanning, improving the security of data processing, and tightening endpoint security on HTM devices and platforms.
- Improving HTM's real-time ability to identify, investigate and prevent breaches and breach attempts by malicious actors.
HTM's GDPR Readiness
must not be further processed in a manner that is incompatible with those purposes". HTM and our customers will therefore need to pay extra attention to what personal data is being stored – and why. Neither HTM nor our customers will store personal data that is not necessary or justifiable for that purpose, or use it for other purposes. In order to comply with GDPR, HTM is executing the following changes in its product and marketing practice:
- Appointed HTM's Data Protection Officer (DPO), who will be properly and timely involved in all issues related to the protection of personal data and will report to the highest management at HTM.
- Integrated a separate "Consent" page in HTM's online portal and agreements with users. GDPR requires that consent be freely given, specific, informed, unambiguous and given via a clear affirmative action. Single opt-in methods, pre-ticked checkboxes, or "implied consent" do not meet these expectations. In addition, users will be informed that consent can be withdrawn at any time.
- Document every location where personal data flowing to and from the E.U. is located, processed, stored, or transmitted.
- Conduct a Data Protection Impact Assessment (DPIA).
- Enhance the ability to identify and report breaches. Report any breach to the GDPR supervisory authority, and to the controller when HTM is a processor, without undue delay and, where feasible, no later than 72 hours after having become aware of the breach.
- Under GDPR, a transfer of personal data to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection ("adequacy decision"). If HTM collects and transfers E.U. personal data to the U.S., another third country or an international organization in the absence of an adequacy decision, HTM will ensure appropriate safeguards and effective legal remedies, such as standard contractual clauses adopted by the Commission or an approved certification mechanism. HTM is currently certified under and compliant with the EU-U.S. Privacy Shield Framework, under which participating U.S. companies are considered to have adequate data protection.
HTM's GDPR readiness roadmap:
1) DPIA
2) Design
3) Execution
4) Conform
HTM's obligations to customers in regard to GDPR compliance
HTM does not offer any specific GDPR compliance services to our customers. We recommend that our customers seek their own advice from legal counsel.
If you have a question about HTM's compliance with GDPR or other data privacy regulations, who should you contact?
Copyright © Hiretual 2020. All Rights Reserved