Since coming into effect on May 25, 2018, the General Data Protection Regulation (GDPR) has introduced some important changes in data protection laws aimed at strengthening data protection for individuals in the EU.
While Globoforce’s previous data protection measures met many of GDPR’s standards, we have implemented new controls called for by the regulations. The purpose of this document is to provide an overview to our clients on how we are addressing some of the operational changes under GDPR in our role as data processor and to highlight ways we can help our clients meet their obligations as data controllers.
Privacy Impact Assessments: We fully support our clients when performing their privacy impact assessments and will provide any information necessary to assist our clients with their documentation efforts required under GDPR.
Data Protection Officer: Prior to GDPR, Globoforce appointed a Data Protection Officer to oversee our compliance with data protection laws applicable to the services we provide our clients. We will continue to depend on our Data Protection Officer to provide the best resources and support for our clients.
Data Transfers: GDPR continues to allow personal data to flow outside of the EU to third countries that are considered adequate under EU Data Protection Law and, in the absence of an adequacy finding, transfers are permitted provided the personal data is transferred with appropriate safeguards. As such, our clients may continue to leverage (i) Globoforce’s Privacy Shield Certification or (ii) to the extent Privacy Shield is no longer recognized as a valid transfer mechanism, we will agree to enter into standard contractual clauses to validate transfers outside of the EU.
Data Subjects’ Rights: GDPR strengthens rights of data subjects in many ways by including rights to request access to, correct, restrict, object, and/or erase personal data processed about them. Globoforce has put a process in place to support data subject access requests that we receive which will assist our clients with compliance in supporting the right to object, and the rights of access, rectification and erasure. Our framework specifically details an internal procedure for responding to such requests to ensure that our clients can meet their timeframes required by GDPR.
Data Processing Agreement: Since the adoption of GDPR, we have taken steps to update the data processing terms (DPA) we offer our clients to meet their GDPR requirements. This DPA is available to clients upon request.
Data Breach: GDPR implements new notification requirements on both controllers and processors for data breaches that lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data. While Globoforce has a comprehensive Incident Response Policy in place already, we have updated this Policy to align with the new notification requirements which will ensure that we can update our clients without undue delay, to further allow our clients to meet their obligations under GDPR in the unlikely event of a personal data breach.
Subprocessors: In order to assist our clients with documenting processing activities carried out on their behalf, we will provide a list of our subprocessors that may have access to personal data. The list will include the name of each subprocessor, their location, and the purpose of the processing.
Security: We employ strong technical and organizational security measures that represent industry best practices, but have recently undertaken some specific modifications and implemented new technical processes to ensure compliance with GDPR. These enhancements include modifying some of our invoicing and other customer processes, and embracing a more robust encryption technology which will further ensure our security standards meet GDPR’s requirements.
At Globoforce, we always strive to provide you with the utmost confidence in our partnership and we are committed to ensuring we each meet our responsibilities under GDPR.
(Last modified as of August 1, 2018)