Globoforce’s GDPR Readiness Update

Globoforce is ready for GDPR! We have been refining internal processes on how we take, process, store and transfer personal data. We have updated our privacy policies and updated the way we inform users about our practices within our solution. Should you have any questions about how we handle personal data, please use the direct link to our privacy team – privacy@globoforce.com.


Over a year ago, the EU Data Protection Commission adopted the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, and is set to replace the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. GDPR introduces some important changes in data protection laws aimed at strengthening data protection for individuals in the EU.

While Globoforce's previous data protection measures met many of GDPR's standards, we will need to implement certain new controls called for by the new regulation. The purpose of this document is to give our clients an overview of how we are addressing some of the operational changes under GDPR in our role as data processor and to highlight ways we can help our clients meet their obligations as data controllers.

Privacy Impact Assessments: We will support our clients when performing their privacy impact assessments and will provide any information necessary to assist our clients with the documentation efforts required of them under GDPR.

Data Protection Officer: Prior to GDPR, Globoforce appointed a Data Protection Officer to oversee our compliance with data protection laws applicable to the services we provide our clients. We will continue to depend on our Data Protection Officer in order to provide the best resources and support for our clients.

Data Transfers: GDPR continues to allow personal data to flow outside of the EU to third countries that are considered adequate under EU Data Protection Law. In the absence of an adequacy finding, transfers are permitted provided the personal data is transferred with appropriate safeguards. As such, our clients may continue to rely on (i) Globoforce's Privacy Shield Certification or, (ii) to the extent Privacy Shield is no longer recognized as a valid transfer mechanism, standard contractual clauses, which we will agree to enter into to validate transfers outside of the EU.


Data Subjects' Rights: GDPR strengthens the rights of data subjects in many ways, including the rights to request access to, correct, restrict, object to, and/or erase personal data processed about them. Globoforce has built a solution to support the data subject access requests we receive, which will assist our clients in complying with these new rights, and has formalized processes to specifically support the right to object and the rights of access, rectification and erasure. Our framework details an internal procedure for responding to such requests so that our clients can meet the timeframes required by GDPR.

Consent: GDPR places a much higher threshold on controllers that rely on consent as a basis for processing personal data. It will be up to our clients to determine the purpose and means of processing and to provide instruction on the lawful processing of the personal data they send to Globoforce. For employees who refuse to allow their personal data to be processed or who withdraw their consent, where you have no other lawful basis to process their data, we can try to offer alternative ways to use our services. This way, employees have a genuine choice without jeopardizing their ability to realize the value of their awards. For data which Globoforce receives directly from your employees, Globoforce is updating the ways it obtains specific, informed, freely given and unambiguous consent so that data subjects are given a clear choice prior to making use of our sites.

Data Processing Agreement: Since the adoption of GDPR, we have taken steps to update the data processing agreement (DPA) we offer our clients to meet their GDPR requirements. This DPA is available to clients upon request.

Data Breach: GDPR introduces new notification requirements on both controllers and processors for data breaches that lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. While Globoforce already has a comprehensive Incident Response Policy in place, we have updated this Policy to align with the new notification requirements. This will ensure that we can notify our clients without undue delay, allowing them to meet their own obligations under GDPR in the unlikely event of a personal data breach.

Subprocessors: In order to assist our clients with documenting processing activities carried out on their behalf, we will provide a list of our subprocessors that may have access to personal data. The list will include the name of each subprocessor, their location, and the purpose of the processing.

Security: We employ strong technical and organizational security measures that represent industry best practices, and have recently undertaken some specific modifications and implemented new technical processes to ensure compliance with GDPR. These enhancements include modifying some of our invoicing and other customer processes, and adopting a more robust encryption technology, which will further ensure our security standards meet GDPR's requirements.

At Globoforce, we always strive to provide you with the utmost confidence in our partnership and we are committed to ensuring we each meet our responsibilities under GDPR. We will continue to update you as our GDPR compliance efforts progress.


(Last modified as of March 29, 2018)