GDPR for Customers
Important Information for candidates who have registered with an Eploy Customer:
If you are a candidate who has applied for a job with an Eploy customer using our software and have a question about your rights as a data subject please click here
https://www.eploy.co.uk/information/candidates-of-eploy-customers/
Eploy - Our Commitment to GDPR
The UK GDPR is the UK General Data Protection Regulation. It is a UK law which came into effect on 01 January 2021 and sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.
It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679) which applied in the UK before that date, with some changes to make it work more effectively in a UK context.
What is personal data?
In recruitment, we collect lots of data about our candidates - but which of it is deemed ‘personal’ or ‘sensitive’?
The UK GDPR applies to that data which could identify or make identifiable, a living individual - whether directly or indirectly by ‘all means reasonably likely to be used’.
So, names, addresses, email addresses etc. would automatically fall into the remit of the UK GDPR.
Helping you meet your obligations as a Data Controller
The legislation places obligations on you as a Data Controller and on our relationship with you as your Data Processor.
Eploy are committed to complying with the UK GDPR as a data processor and helping you to comply with your obligations as a data controller. We have been, and are continuing to, work closely with our legal team to ensure we have an optimal understanding of the GDPR and whatever changes come about post-Brexit.
How are we working toward best practice compliance?
Adopting the highest level of Information Security Standards
Our Information Security Management System has been assessed to the IASME standard https://www.iasme.co.uk/the-iasme-standard/ . Based on ISO27001 and international best practice, the certification is risk-based and includes aspects such as physical security, staff awareness, and data backup. The IASME standard was recently recognised as the best cyber security standard for SMEs by the UK Government.
Our IASME & GDPR Ready certificate is No.SA003163 - https://www.iasme.co.uk which includes IASME's 'GDPR Ready' checkmark. Further information about Eploy's security and compliance certification can be found here https://www.eploy.co.uk/information/security-status/
Helping your candidates to exercise their rights under the UK GDPR
Many of the rights of data subjects are already supported by Eploy’s Candidate Portal functionality. For example:
Secure, online self-service
Providing secure, online self-service is considered to be Best Practice.
We are committed to assisting our customers in meeting their requirements under the UK GDPR and, where possible, making the process easy to manage – particularly enabling secure ‘self-service’ for candidates to access their GDPR rights.
The Right of Access
Candidates can see what personal data you hold on them.
The Right of Rectification
Candidates can easily request that incorrect data is rectified.
Right to Erasure
A candidate should be able to request being deleted - System users with the appropriate access rights can delete candidates.
Right to Data Portability
A candidate should be able to request a copy of their data in a ‘machine readable’ format. This is possible via the Eploy Core System by an Eploy system user running a report against the candidate – this would allow them to put the data into a spreadsheet/CSV file.
Consent and Legitimate Interest
Under the UK GDPR consent needs to be freely given, specific, informed & granular, verifiable, easy to withdraw and time limited, Further details on the new functionalities for managing granular consents can be found here: https://www.eploy.co.uk/lp/gdpr-compliant-applicant-tracking-system/. Alternatively, customers may choose to use legitimate interest or lawful processing to justify processing data. Either consent or legitimate interest can be supported by Eploy GDPR functionality.
Data Security
Eploy hold the IASME Certification & GDPR Ready Checkmark, IASME Cyber Essentials Plus, further information can be found here https://www.eploy.co.uk/information/security-status/
Encrypted Data in Transit
Data in transit is via TL1.2 and above, with TLS1.1 and below disabled.
Encrypted Data at Rest
All customer data is encrypted at rest.
Encrypted Data Backups
Customer backups are encrypted and carried out as per our Customer Backup Policy (available on request).
Unencryptable User Passwords
User passwords are stored in an encrypted format in the Eploy database and are unencryptable (even by Eploy). Customers can create and enforce a password policy, including:
- Preventing weak passwords
- Preventing password re-use
- Login via an approved third party (Facebook, Google, LinkedIn) - further information on Apps click here
- Disabling auto-complete for login pages
- Secure forgotten password / reset
- Captcha tests
- Locking down to customer owned IP address or range.
Eploy security headers get an A+ rating on SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=admin.eploy.net&hideResults=on )
User Permissions
Eploy has many permissions, so that you can restrict access to specific categories of data to only those users who require access.
MFA and SSO
Eploy supports Multi Factor Authentication (MFA) and Single Sign On (SSO).
Eploy only use UK Datacentres
Eploy only use UK datacentres and we have appropriate data processing agreements in place with our suppliers. Our Datacentre suppliers are ISO27001 certified.
Our ICO Data Protection Registration
Eploy is registered for Data Protection with the Information Commissioners Office (ICO) our registration is ZA248720