Intro

General Data Protection Regulation (GDPR)

As of 25 May 2018, European data protection legislation will be updated for the first time in more than 20 years. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to harmonise data protection laws across Europe, regardless of where that data is processed.

You can rest assured that People is committed to GDPR compliance. We are also committed to helping our customers comply with the GDPR by providing stringent privacy and security protections that are built into our service and contracts.

What you can do

What are your responsibilities as a customer?

People customers will typically act as the data controller for any personal data they provide to People in connection with their use of our services. The data controller determines the purposes and means of processing personal data, while the data processor processes personal data on behalf of the data controller. People acts as a data processor, processing personal data on behalf of the data controller when the customer uses the People service.

Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority.

You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice.

Where should you start?

As a current or future customer of People, now is a great time for you to begin preparing for the GDPR. Here are some considerations:

  • Firstly, familiarize yourself with the provisions of the GDPR, especially the differences from your current data protection obligations.
  • Consider creating an updated inventory of personal data that you handle. You can use People to help identify and classify data.
  • Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR. If not, build a plan to address any areas that need amending.
  • Consider how you can leverage the existing data protection features on People as part of your own regulatory compliance framework. Review People third-party audit and certification materials to see how they may help with this exercise.
  • Monitor updated regulatory guidance as it becomes available.
  • Consult a lawyer to obtain legal advice specifically applicable to your business circumstances.

WHAT WE’RE DOING

People commitments to the GDPR

Alongside other duties, data controllers are required to use only data processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that data processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of People:

  • EXPERT KNOWLEDGE
  • OUR POLICIES
  • FUNCTIONALITY
  • DATA PROCESSING
  • PROCESSING ACCORDING TO INSTRUCTIONS
  • EMPLOYEE CONFIDENTIALITY
  • USE OF SUBPROCESSORS
  • DATA RETURN & DELETION
  • DATA CONTROLLERS
  • STANDARDS & CERTIFICATIONS

EXPERT KNOWLEDGE

People employs and works with security and privacy professionals to maintain our systems, develop security review processes, build security infrastructure, and implement People's security policies.

Our teams engage with customers, industry stakeholders, and supervisory authorities to shape the People services in a manner that helps customers meet their compliance needs.

OUR POLICIES

Our terms have been updated to reflect the GDPR and are available on the Terms page of this website.

FUNCTIONALITY

We have verified that our application, People HR, provides the functionality customers need to support their compliance with the GDPR, and that the method we use for the deletion and retention of data is acceptable for use under the GDPR. This gives our customers assurance that the software they use supports, rather than hinders, their compliance obligations when 25 May 2018 arrives.

DATA PROCESSING

We are committed to maintaining a high level of security and to timely breach reporting in line with the GDPR. To support this, we have subscribed to Rackspace Managed Security (https://www.Rackspace.Com/en-gb/managed-security-services), a managed security service that provides automated analysis of log files, breach detection with forensic analysis, timely notification, and recovery. We have purchased this service on behalf of all of our customers; it is active now, and we will contractually assure our customers of its use. Data controllers are responsible for ensuring that their data processors have the right infrastructure in place to process personal data, and this service forms part of the technical infrastructure we have put in place to meet that expectation.

PROCESSING ACCORDING TO INSTRUCTIONS

Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our current data processing agreement and in the GDPR-updated version of it.

EMPLOYEE CONFIDENTIALITY

All of People’s employees are required to sign a confidentiality agreement and to complete mandatory confidentiality and privacy training, as well as our Code of Conduct training. People’s Code of Conduct outlines expected behaviour with respect to the protection of information.

USE OF SUBPROCESSORS

People directly conducts all of the data processing activities required to provide the People HR services.

DATA RETURN & DELETION

Administrators can delete employee data, via the functionality of the People HR services, at any time during the term of the agreement. We have included data export commitments in our data processing terms since we began trading, and we will continue offering those after the GDPR comes into force. We are always working to enhance the robustness of the data export capabilities of the People HR services.

People retains data backups for two weeks; after that, the backups are fully replaced and the old data is removed. This means that data deleted by an administrator may persist in backups for up to two weeks before it is removed.

DATA CONTROLLERS

How People assists data controllers

Data Subject's Rights

People HR can provide an export of customer data at any time during the term of the agreement. We have included data export commitments in our data processing terms for several years, and we will continue offering those after the GDPR comes into force.

Data Protection Officer

The People HR Data Protection Officer is Sukhjinder Singh; any questions regarding data protection concerns can be directed to him.

Incident Notifications

People will provide contractual commitments around incident notification. We will continue to promptly inform you of incidents involving your customer data in line with the data incident terms in our current agreements and the updated terms that will apply from 25 May 2018, when the GDPR comes into force.

STANDARDS & CERTIFICATIONS

Our customers and regulators expect independent verification of security, privacy, and compliance controls. The People platform and service undergo several independent third-party audits on a regular basis to provide this assurance.

ISO27001 Accredited
People® has been independently audited, and meets the requirements for BS EN ISO 27001:2013 registration. The scope covers how we manage information security in providing online Human Resource Management software and services to our customers.

Data Protection Registration
People® is registered with the Information Commissioner’s Office (ICO). This means we are registered with the UK supervisory authority and committed to delivering our services in compliance with the Data Protection Act (DPA).
ICO Registration Number: ZA185401

Penetration Testing
We commission regular independent penetration testing of our infrastructure to identify and remediate vulnerabilities. With many high-profile customers in the financial sector, we recognise the need for tight security at a very technical level.

FAQs

WHAT IS THE GDPR?

The General Data Protection Regulation is new EU data protection legislation that replaces Directive 95/46/EC on Data Protection of 24 October 1995.

WHEN WILL THE GDPR TAKE EFFECT?

The GDPR will be directly applicable in all European Union Member States starting from 25 May 2018.

WILL THE GDPR GIVE CUSTOMERS THE RIGHT TO AUDIT PEOPLE?

Under the GDPR, audit rights must be granted to data controllers in their contracts with data processors. The updated data processing agreements we will offer from 25 May 2018, when the GDPR comes into force, therefore include audit rights for the benefit of our customers.

WHAT ROLE DOES THE THIRD-PARTY ISO 27001 REPORT PLAY IN COMPLIANCE WITH THE GDPR?

Our third-party ISO certification can be used by customers to help conduct their risk assessments and help them determine whether appropriate technical and organisational measures are in place.

WHAT OTHER INFORMATION HAS PEOPLE PROVIDED ON THE GDPR?
