We’re Fully GDPR Compliant – What We Did

Andreea Laza
May 24, 2018

The GDPR is one of the most important changes to data protection and data security legislation in the EU in decades. The regulation was adopted on 14 April 2016 and becomes enforceable on 25 May 2018. Yup, that is tomorrow. Hence we consider this the best opportunity to tell you about the preparations we made to be fully GDPR compliant.

First off, we have to say that Csabi, our technical adviser, has dedicated a lot of his time since the beginning of the year to researching, understanding and finding ways to implement the new EU regulation at Human Direct. On behalf of the team, we want to thank Csabi for his efforts and involvement and congratulate him on the success of this implementation.


We started our preparations at the end of March, when we contacted a lawyer specialized in the matter to prepare the documentation for us and plan the next steps. The first discussions with the lawyer materialized in a report and a well-established compliance plan. It was at this point that we started to make all the changes and adjustments necessary to comply with GDPR. We list them here in the order they happened:

  • Secured both cloud servers (website and API);
  • Set a new password policy within Human Direct;
  • Signed a Data Processing Agreement with all third-party software vendors;
  • Migrated all website applicants into Workable (whenever someone applies for a job on our website, the data is automatically synced into Workable and then automatically deleted from the website). This helps us stay compliant in the long run :)
  • Enabled compliance mode in Workable and notified our entire database of our new privacy policy;
    What is important to mention here is that when someone asks us to delete their data, we handle it in Workable (and, for conversations, possibly in Google Drive, email, Slack or Skype). Once a candidate is deleted from Workable, we cannot add them to our database again unless they apply for a job. So once we delete an applicant's data there is no going back: their information is permanently deleted from our system, and we cannot re-add them manually later.
  • Migrated all our clients' inquiries to HubSpot;
  • Published a transparent cookie statement, and use an external service to automatically scan the website for cookies every 30 days;
  • Completely rebuilt the legal pages on the site, including the Privacy Policy, which you can see here: https://www.humandirect.eu/legal
  • Created an email address for privacy requests ([email protected])
  • Opted for an external GDPR request management service, https://humandirect.gdprform.io. We translated the form into Romanian, since the service did not support our language, which shows how much effort and interest we have put into complying with the GDPR;
  • Built a GDPR guide for our clients;
  • Reviewed all of our clients' contracts and created a Data Processing Agreement that we will sign for all active contracts with ongoing campaigns before 25 May;
  • Appointed a DPO (Data Protection Officer) as required by GDPR;
  • Cleaned up the office and made sure no printed CVs or documents that could contain PII (Personally Identifiable Information) are lying around;
  • Deleted all PII from all Human Direct computers;
  • Enabled Google Vault for eDiscovery, so we can search the Drive and email of the entire company to easily find PII and have an audit trail if needed;
  • Set a strict workflow through which each candidate can exercise their rights; if a candidate does not respond within 30 days of being added to Workable, their data is automatically deleted from the system, no questions asked.

At the moment we are testing a few services that automatically scan PCs, drives and SQL databases for PII. Our aim is to remain GDPR compliant in the future as well. We are still debating which service suits us best. If you have any recommendations, please do not hesitate to contact us; we would really appreciate it!

Overall, we think we went the extra mile to do everything in our power to comply with the new GDPR regulation, and we will continue to do so in the future. Our candidates' data is very important to us, and we fully respect their wishes and requirements.


We believe that GDPR is a very good thing: it gives all of us more control over our personal data online and over who does what with it.

All the effort and hard work we put into complying with GDPR are because we value and respect our clients and candidates, but also our work and what we do. Over the years we have put a lot of passion, dedication and work into what we do, and that has made us who we are today. It has been a long road, and our intent is to keep walking this path for many years to come.

We invite you to walk along with us!
