GDPR and Security / Assuring compliance with GDPR

BrightHR currently operates two products: a legacy system, HROnline, which is not under active development, and a new offering, BrightHR. Both systems are compliant with GDPR.
When you subscribe to BrightHR we become the data processor and you remain the data controller. BrightHR will process the data in a way that is compliant with the guidance in GDPR, and other data protection guidance. We will always store data local to the company that is using it, and we use encryption to protect it. We use secure protocols for transporting the data, and when asked to delete the data we delete it permanently from the system.
As the controller of the data you have a responsibility to act on individuals' rights. You will need to act on their right to see what information you hold about them and on their right to erasure, so you must decide whether you retain a lawful basis to hold that data or need to remove it. If you choose to remove one of your users' data we will honour that request and completely and permanently remove that data from the system.
We have a full time Data Protection Officer, based in our offices in Manchester.
Q. How do we agree BrightHR's responsibilities as the data processor?
You retain the responsibilities of the data controller; BrightHR is the data processor. To be clear about our responsibilities we provide a Data Processing Policy.
We conform to the ICO guidelines for breaches, so we would inform you without undue delay. As the data controller you would need to inform the ICO within 72 hours of becoming aware of a breach.
We only process your data in the way that we state in our terms.
We ensure that our staff and any subcontractors only process personal data in the agreed way by ensuring that the data cannot be accessed by our staff except for the agreed purposes.
We also use customer data to create aggregate statistics that do not allow identification of a customer or an employee. The aggregate data is used to develop new features as part of the service, provide information for us to plan and operate the service and for marketing purposes.
The location of our data storage is compliant with the legislation in the Data Protection Act (DPA - UK), the General Data Protection Regulation (GDPR - European Union), the Privacy Act 1988 (Privacy Act - Australia) and the Personal Information Protection and Electronic Documents Act (PIPEDA - Canada).
Data for customers subscribing to the service in the UK is stored in the UK and the European Union; data for customers subscribing in the Republic of Ireland is stored in the European Union; data for customers subscribing in Australia is stored in Australia; and data for customers subscribing in Canada is stored in Canada.
Q. Following exit from the European Union do we need a standard contract clause?
The European Union has formally recognised the UK's high data protection standards. Following the European Union's agreement to adopt 'data adequacy' decisions, personal data can continue to flow freely between Europe and the UK without a standard contract clause.