Xpand and the General Data Protection Regulation (GDPR)
Updated: May 25, 2018
Please note: The following is based on Xpand’s understanding of GDPR requirements and should not be relied upon as legal advice or to determine how GDPR might apply to your organization. We recommend seeking expert legal advice regarding your obligations under GDPR.
The European Union’s General Data Protection Regulation (GDPR) takes effect today, May 25, 2018, and has already had a significant impact on how companies collect and process personal data.
GDPR’s new legal requirements increase company obligations concerning employee data rights, and adhering to GDPR will help companies improve the experience for employees.
In keeping with Xpand’s commitment to privacy and security, we are committed to being compliant with the GDPR.
As such, our team has been working to make sure that Xpand helps and supports our corporate customers in being GDPR compliant in their data processing activities, including providing notice to employees, supporting employee “data subject” rights, and safeguarding personal information to the greatest possible extent.
Xpand’s position on the GDPR and how we will be supporting the GDPR compliance of our customers follows. (Note: the information presented below is not legal advice).
Understanding the GDPR Framework
The GDPR is an EU law on the rights of natural persons and affects any organization that employs or recruits EU persons. It applies to any organization with people in the EU as employees or consultants. Some attorneys argue that GDPR applies to EU citizens regardless of location, but also feel that it applies to citizens of any country when they and/or the personal information about them are in the EU.
To best understand the roles of Xpand, our customers and their employees under the GDPR, it is vital to understand the terms: data controller, data processor and data subject.
- Data Subjects are the employees of our customers residing in or possibly moving to or from the EU.
- Data Controllers are our customer companies that decide (control) what data to collect, why, where, when and how to process it.
- Data Processors are companies like Xpand which support data controllers by processing data, but only in the ways they are instructed to by the data controllers.
Controllers, processors and subjects have different rights and responsibilities under GDPR.
Documenting how you process Personal Information
Under GDPR, data controllers and processors are generally required to formalize contractual obligations, especially with respect to safeguarding personal information and respecting data subject rights. They must also maintain records of their information processing activities, including details of what personal information is stored and where, why, how and with whom it is processed.
Data Security Standards
Data controllers (i.e., you, Xpand’s customers) are obligated to only engage with processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights.
In order to meet these requirements, data processors (like Xpand) must implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” Since nearly all the personal information processed in employee onboarding is protected under GDPR, Xpand has always been deeply committed to protecting the security (confidentiality, integrity and availability) of data and already implements all reasonable measures including:
- Background checks for all employees
- Foundational application of Privacy-by-Design principles
- Physical security and network security
- Encryption of all data at rest: hard disks, databases, and backups
- Encryption of all data in transit: secure connections (application access via HTTPS only)
- Role-based access controls and strict need-to-know limitations
- Logs of all access to Xpand systems and applications, including all access to personal data
- Active monitoring and response to security and availability issues
- Regular privacy and cyber security training for all employees
Data Subject Privacy Notice
A big theme of the GDPR is transparency, requiring organizations to provide much more information to individuals in the form of a Privacy Notice that explains the purpose, legal basis for, and manner of data processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
There are six distinct legal grounds by which a data controller can process personal data:
- the data subject has given consent;
- processing is necessary for the performance of a contract to which the data subject is party (e.g. an employment contract);
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party.”
As long as at least one of the above conditions applies, the data processing is lawful under the GDPR. The four most likely legal bases for processing of personal information in the context of employment are:
- Performance of the employment contract (e.g., banking and payment data)
- Required by law (e.g., taxation data)
- Legitimate interest (e.g., employee benefits)
- Consent (e.g., optional communications)
As a data processor, Xpand does not and cannot determine the lawful basis for processing employee data on behalf of its customers (the data controllers), because customers can customize the data they collect about data subjects. It is however important to note that if consent is used as the basis for processing, GDPR requires data controllers to allow data subjects to withdraw consent. Since employers have many contractual and legal obligations to process employee data, they should generally use consent only where those obligations do not apply.
Customers are advised to obtain legal advice regarding the lawful bases for processing employee personal data. Note that it is important to document the legal bases for processing.
Data Transfers
Xpand customers do not require consent from data subjects to transfer their personal data from the EU to the US because Xpand is EU-U.S. and U.S.-Swiss Privacy Shield certified for Human Resources data.
Additionally, Xpand has executed data transfer agreements or amendments with many customers using the standard contractual clauses adopted by the EU Commission. Xpand stands ready to execute similar agreements for any other customers that so desire.
Data Subject Rights
GDPR grants data subjects rights of access, rectification, erasure, restriction of processing, data portability, objection, and to not be subject to a decision based solely on automated processing. While these rights are sometimes limited, controllers and processors must respond to data subject requests “without undue delay and in any event within one month of receipt of the request.” Xpand is fully capable of supporting these data subject rights to the extent required by controllers.
What actions should Xpand’s customers take?
GDPR places a number of responsibilities on employers as controllers of employee data.
Hopefully customers have already been working on GDPR compliance in an effort including Human Resources, Privacy, Legal Counsel, Information Technology and Information Security groups, with the goals of:
- Documenting how you handle employee data;
- Providing Notice to data subjects (employees);
- Ensuring legal bases for collecting and processing employee data;
- Being prepared to respond to requests from employees to exercise their “data subject rights”; and
- Ensuring data is adequately safeguarded by both you and third-party processors.
Questions?
If you have any questions about Xpand and GDPR, please contact support@xpand.io.