As of May 2018, the General Data Protection Regulation (GDPR) will come into effect, two years after its adoption and with the aim of protecting the data of EU citizens. GDPR compliance is mandatory and will apply to Watu as we hold the data of thousands of staff.
The regulations define new standards and procedures which companies handling data will have to follow, in order to protect EU citizens and help them be aware of their data rights and security.
How does this affect agencies?
Agencies hold thousands of staff members’ private details, including names, email addresses, home addresses, and so on. The GDPR states that there are two main parties involved who must align to ensure the standards are carried out.
A controller specifies how and why personal data is processed, while a processor conducts the actual processing of the data. In this case, agencies are the controllers and Watu is the processor, and the controller is responsible for ensuring the processor is following the law.
What are the new rules, and how will Watu approach them?
Breach notification:
If Watu’s security were ever breached and data exposed in a way that could put individuals at risk, it is Watu’s responsibility to inform the agency as soon as possible. The rules state that notification to the individuals must be within 72 hours.
Right to access:
Individuals may, at any time, request “from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose” and this must be provided as a free service with the option of the information being provided in electronic format.
- If the Watu team receives a request from a staff member for details about their data, we will confirm that the agency is processing the data provided via the profile template questions, for the purpose of booking them for work.
- The data is already provided via their staff profiles, which staff have free access to at any point, and we can provide a copy in electronic format if so requested.
Right to be forgotten:
Staff may withdraw consent to their personal data being held at any time. In this case, Watu would be responsible for removing the data as well as ensuring the agency no longer accesses this personal data.
- If a staff member contacts Watu after having cancelled their account, and requests that their personal data be erased, we are able to do so by changing their personal details to ‘blanks’. If they were no longer due any payment, we would also be able to erase bank details. As such, the agency would no longer have access to the staff member’s details effective immediately.
- The profile itself would not be deleted, however, as it serves as an important holding space within the software’s history, for example in previous payroll, previous jobs, and so on. Keeping the profile, even with blank information, is crucial as it retains the factual history of Watu, especially considering the potentially high turnover rates.
Data portability:
This rule states that the individual must have access to their held data and that we must be able to provide it in ‘machine-readable format’ to be passed on to another controller.
- If a staff member reaches out to Watu, we are able to provide them with this data which would include their profile template details and bank details, as they were ‘previously provided’ by the individual.
Privacy by design:
This refers to building a safe structure from the start, as well as limiting the access of data.
- Watu ensures that its data is kept extremely secure; this is our first priority with regard to the software. The data is held with a reputable company called Linode, and includes encryption where necessary.
- With regard to ‘data minimisation’, which states that only the minimum necessary data should be collected and accessed, we encourage agencies to only ask questions in the profile template which are relevant to the type of work.
- Additionally, bank information is only gathered after a staff member has been confirmed by the agency, so that we do not unnecessarily collect private data.
- As for limiting access to only those who need the information, we have ensured that each client account is kept separate; this is why each Watu client has a unique URL, so that there is never any crossover. The only people with access to this data are the agency managers, the Watu customer happiness team, and the developers.
Data protection officers:
A company must appoint a DPO if it handles certain types of data, such as criminal convictions, or if it monitors data subjects on a large scale. Watu does not have a specific DPO; however, we consider the protection of data to be the responsibility of the entire team and, as mentioned earlier, the security of this data remains our absolute priority. As changes in law come about, we will work together to ensure Watu remains in accordance with the legal requirements.
As per the above guidelines, Watu already fulfils many of the requirements stated by the new GDPR. We have a consistently transparent and helpful policy, and many of the requirements are already in practice, such as offering to wipe staff data or ensuring that structures are designed with security in mind.
We will continue to operate as such, and welcome queries and comments from any agencies.