GDPR stands for General Data Protection Regulation. It is a European Union law that requires businesses to protect the personal data and privacy of individuals living in the European Union (EU). The GDPR also regulates the exportation of personal data outside the EU. You are obligated to comply with the GDPR in any interaction with EU citizens or individuals living in the EU, regardless of whether or not your organisation is based in the EU or has offices within the EU.
This newsletter provides general guidance on GDPR compliance in connection with your use of the Predictive Index solutions, but we encourage you to seek professional legal counsel as well.
Sort and Anonymise Data in PI Software
It is up to your company to ensure that data is stored in compliance with the GDPR. Data should be sorted into a folder hierarchy in which users have access only to the data they need. How this is set up will depend on your company structure and number of users. Software administrators can restrict access by setting up the folder structure and assigning access to users in the Administration module. Old data should be anonymised (deleted) from PI Software. This can be done manually, or administrators can set up the software to automatically anonymise candidate data older than a certain number of days (recommended). The data stored in PI Software is categorised as personal data, but it is not sensitive personal data.
Ongoing Process for GDPR Compliance
All software users should ensure that individuals are categorised correctly in PI Software when onboarding and offboarding, i.e. candidates should be categorised as such, and the category should be changed to Employee when someone is hired. Likewise, former employees' data should also be anonymised, either manually or by changing the status/type to Other or Candidate. Software admins are responsible for informing all new software users about how long data is stored and that they are responsible for categorising their own data correctly. Admins should also ensure that access to PI Software is removed when users leave the organisation or the role for which they needed access.
GDPR Guides and Further Information
Click HERE to download our GDPR guides for existing clients. If you have additional questions, you are more than welcome to contact us at firstname.lastname@example.org for further information related to data privacy and GDPR compliance in relation to your use of The Predictive Index.
DATA PROCESSING AGREEMENT (DPA)
The Predictive Index is the main Data Processor. Humanostics, as your PI Certified Partner, is a Data Sub-Processor. Your company is the Data Controller. A data processing agreement (DPA) between the Data Processor (The Predictive Index) and the Data Controller (you) should be signed. Among other things, the DPA outlines how data is handled and protected, and how The Predictive Index complies with the rules and guidelines stipulated by the EU (the so-called New Standard Contractual Clauses of 2021). Humanostics will reach out to your organisation in the near future if you do not have a signed, up-to-date DPA in place.