Over a year ago, the EU Data Protection Commission adopted the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, and is set to replace the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. GDPR introduces some important changes in data protection laws aimed at strengthening data protection for individuals in the EU.
While Globoforce’s previous data protection measures met many of GDPR’s standards, we will need to implement certain new controls called for by the new regulations. The purpose of this document is to provide an overview to our clients of how we are addressing some of the operational changes under GDPR in our role as data processor and to highlight ways we can help our clients meet their obligations as data controllers.
Privacy Impact Assessments: Although previously part of Globoforce’s risk program, we commit to undertaking more robust privacy impact assessments aligned with our obligations under GDPR, to reviewing all of our processing activities, and to taking steps to address specific concerns. Further, we will support our clients when performing their own privacy impact assessments and will provide any information necessary to assist our clients with the documentation efforts required of them under the new regulations.
Data Protection Officer: Prior to GDPR, Globoforce appointed a Data Protection Officer to oversee our compliance with data protection laws applicable to the services we provide our clients. We will continue to depend on our Data Protection Officer in order to provide the best resources and support for our clients.
Data Transfers: GDPR continues to allow personal data to flow outside of the EU, and ensures that existing data transfer mechanisms will remain valid. As such, our clients may continue to (i) rely on Globoforce’s Privacy Shield Certification or (ii), to the extent Privacy Shield is no longer recognized as a valid transfer mechanism, enter into standard contractual clauses to validate transfers outside of the EU.
Data Subjects’ Rights: GDPR strengthens the rights of data subjects in many ways, including the rights to request access to, correct, restrict the processing of, object to the processing of, and/or erase personal data processed about them. Globoforce has built a solution to streamline the data subject access requests that we receive, which will assist our clients with compliance with these new rights. Our framework specifically details an internal procedure for responding to such requests and ensures our responses are within the timeframes required by GDPR.
Consent: GDPR places a much higher threshold on controllers that rely on consent as a basis for processing personal data. Globoforce is updating the ways it receives explicit consent so that data subjects are presented with a clear choice prior to making use of our client sites. For those that refuse or withdraw consent, we offer alternative ways to use our services. This way, employees have a genuine choice without jeopardizing their ability to realize the value of their awards.
Data Processing Agreement: Since the adoption of GDPR, we have taken steps to update the data processing agreement (DPA) we offer our clients to meet their GDPR requirements. This DPA is available to clients upon request.
Data Breach: GDPR implements new notification requirements for data breaches that lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. While Globoforce has a comprehensive Incident Response Policy in place already, we have updated this Policy to align with the new notification requirements, which will ensure our clients can meet their obligations to data subjects in the unlikely event of a breach.
Subprocessors: In order to assist our clients with documenting the processing activities carried out on their behalf, we are creating a webpage specifically dedicated to our subprocessors that may have access to personal data. The site will list each subprocessor, its location, the purpose of the processing, the due diligence we perform, and the contractual safeguards we ensure are included. This page can be used as a reliable source for our clients in their GDPR compliance efforts.
At Globoforce, we always strive to provide you with the utmost confidence in our partnership and we are committed to ensuring we each meet our responsibilities under GDPR. We will continue to update you as our GDPR compliance efforts progress.