BambooHR is pleased to announce that its systems and processes are compliant with the new General Data Protection Regulation (GDPR). (GDPR is the new standard in the European Union (EU) governing the privacy and data protection of EU residents. This new standard goes into effect on May 25, 2018.) This means that, BambooHR stands ready to support and assist its clients who have employees residing in the EU as they also meet their own obligations under the GDPR.
To comply with GDPR, companies who have EU based employees need to comply with the following important requirements:
- Obtain consent to collect and process personal information
- Protect personal data
- Control access to personal data
- Provide the option to erase personal data
- Inform customers of data breaches
How BambooHR Handles GDPR for HR Professionals
BambooHR is staying ahead of the GDPR changes, both in its role as a data processor and in support of data controllers. BambooHR’s efforts include:
- Providing a great software platform that allows client companies to comply with the GDPR requirements while still having a great experience.
- Deploying industry-standard technical processes and procedures that protect data, both when it is in transmission and while we are hosting it. BambooHR demonstrates our compliance with these critical requirements through our annual SOC II audit by an independent auditing firm.
- Providing a hosting center and data collection network within the EU. We selected world-class service providers for these critical processes: Rackspace and Amazon Web Services. Their stringent standards for data protection and security made them our choice for all of our customer data, including customers in the United States and the EU.
- Working with EU and U.S. legal counsel to develop a Data Processing Agreement (DPA) that complies fully with the GDPR. This DPA, which will be the contract with all clients who are data controllers under the GDPR, also incorporates the European Model Clauses, also known as the Standard Contractual Clauses. (The Model Clauses were approved by the European Commission and are the industry standard for when personal data is transferred outside of the European Economic Area.)
- Being certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. This certification also ensures that we comply with data protection requirements when transferring personal data from the EU and Switzerland to the United States.
- Following the GDPR definition of acceptable timelines when processing client data requests, whether it’s gathering consent, providing access, or erasing data. We will also provide prompt notification in the event of a data breach.
- Staying abreast of continuing GDPR developments and guidance, to support our clients’ compliance efforts.
What You Can Do to Protect Your GDPR HR Data
While it’s always a great time to think about improving data security, the GDPR deadline provides a good target for reviewing your organization’s privacy and security policies and evaluating how you put them into practice. While BambooHR has yet to have a data breach from hacking, there have been instances where individual customers have been careless with their login credentials or access permissions.
The best protection of personal information comes from a combination of continuously updated technology, thorough training for HR employees who handle and have access to personal data, and seamless communication about new requirements. BambooHR addresses each of these concerns with our features and support, and we will continue to support our clients as regulations evolve.
For more information on the upcoming GDPR changes, visit the official EU homepage.