In May 2018, the GDPR becomes applicable and will affect every organization that has business relationships with EU data subjects. We at PeopleLinx are committed to making our product and organization compliant with this new set of rules and, in the process, to helping our customers prepare as well.
We are already making changes to processes, policies, and infrastructure to make that happen. This article covers some of the most common topics and questions regarding the GDPR and the EU-US Privacy Shield, to help customers and partners understand where we currently are and what to expect.
Discover personal data
Search for and identify personal data
For PeopleLinx, the personal data of our customers stored in our application is located in Microsoft Azure and in the cloud-based internal systems we need to run operations. We have made internal policy changes to ensure that employees do not store personal data locally, outside of this scope. Data that belongs to our customers as controllers, in their own accounts, is stored only in Azure. Customers are responsible, as controllers, for the personal data held in their accounts, and we recommend that they review it accordingly.
Categorization
We do not deliberately collect personal data about the groups that the GDPR singles out for special treatment, such as persons under 18 years of age.
Maintain an inventory of personal data holdings
Currently, we keep personal data about our employees and about our customers clearly separated across the systems in which it is used (CRM, Intercom, the PeopleLinx application, Slack). Personal data of data subjects in customer accounts is stored and processed only in the PeopleLinx application. Outside of the PeopleLinx application, we use and process such data only in aggregated form, for analysis purposes.
Manage data
Enable data governance practices and processes
We are in the process of developing a set of processes, spanning many departments, that respect data subject rights under the GDPR and define how we handle them.
Provide detailed notice of processing activities to data subjects
We have developed a ‘Trust’ page on the website with an updated privacy policy that covers how we use the data of our customers as the controller. It also explains how personal data in their PeopleLinx accounts is processed, with us acting as the processor.
Discontinue processing on request
The ‘Trust’ page will carry a request form, and we are implementing a process to stop processing a data subject's personal data on request and to notify the data controllers (our customers).
Collect unambiguous, granular consent from data subjects
We will process the personal data of our customers and employees under the ‘legitimate interests’ clause, where it is needed to fulfill our contractual obligations or to provide customer support for the PeopleLinx platform. For data subjects in our customers' accounts, it is the customers' responsibility as data controllers to obtain consent, or to rely on another GDPR-compliant legal basis, for collecting and storing personal data. We, as the processor, are here to help respect the rights of data subjects and to provide information on how we process such data.
Rectify inaccurate or incomplete personal data regarding data subjects
Such a request (as well as a request for a copy of the data we store on a data subject) can be submitted via the ‘Trust’ page, and we will honour it.
Erase personal data regarding a data subject
Such a request (as well as a request for a copy of the data we store on a data subject) can be submitted via the ‘Trust’ page, and we will honour it. In April, we will implement an internal process for fulfilling such requests.
Provide data subject with their personal data in a common, structured format
Such a request (as well as a request for a copy of the data we store on a data subject) can be submitted via the ‘Trust’ page, and we will honour it.
Restrict the processing of personal data
Such a request (as well as a request for a copy of the data we store on a data subject) can be submitted via the ‘Trust’ page, and we will honour it.
Review data processing conducted by automated means
On the ‘Trust’ page and in the privacy policy, we will highlight the cases in which we process personal data by automated means or use it for profiling.
Protect data
Data protection and privacy by design and default
As part of implementing GDPR compliance, we have reviewed our internal policies and the way we build new features for customers, with privacy in mind from the start.
Secure personal data through encryption
By May 1st, we plan to encrypt the data stored by the PeopleLinx application in Microsoft Azure (subject to technical or performance limitations).
Secure personal data by leveraging security controls that ensure the confidentiality, integrity, and availability of personal data
A three-pronged approach is currently in place. First, we have updated our internal employee policies so that access is granted only to the roles that need it, limiting the scope of a possible breach. Secondly, processes to respect the GDPR rules are being implemented. Finally, technical improvements to the infrastructure, such as Azure Key Vault and database encryption, are planned for completion by May 25th.
Prepare for, detect, and respond to data breaches
The processes and policies we are developing now will cover how we communicate about possible breaches, while the technical improvements should reduce the risk of them occurring.
Facilitate regular testing of security measures
During 2017, we undertook a three-month period of intensive application security testing and fixed more than 15 vulnerabilities. After May 2018, we will plan another round to assess the current state of the application.
Report
Keep a record to display GDPR compliance
We store data in processed or raw form and keep a list of processing activities that can be compiled for each record if needed.
Track and record flows of personal data into and out of the EU
To cover such flows, we have applied for, and are currently in the process of, self-certification under the EU-US Privacy Shield program for the transfer of data between the EU and the US. In addition, our employees (and contractors) will sign contracts with contractual clauses covering the transfer of data to countries other than those covered by the EU-US Privacy Shield. The data that moves through integrations in our customers' accounts, including the connected accounts, belongs to the customers as data controllers. To make sure those applications handle flows of personal data compliantly, customers should consult the representatives of those organizations.
Track and record flows of personal data to third-party service providers
Personal data of our customers or employees that has been moved to third-party providers (such as the internal systems we need to automate company operations) is stored there and can be accessed or deleted at any time. We also keep logs of data flows from the point where we collected the data to the third-party systems (where such a transfer occurred).
Facilitate data protection impact assessment
As of now, we have implemented the first wave of processes and technical changes needed for compliance. After that, we will consider carrying out a data protection impact assessment.