GDPR policy
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in recent history, replacing the 1995 EU Data Protection Directive (European Directive 95/46/EC). It aims to support the rights individuals have over data about themselves which is collected and stored. It also aims to detect, identify and mitigate data breaches or leaks for all companies in the EU, and to enforce reporting of these issues. This creates one uniform policy across the EU, regardless of whether the UK is part of the European Union. Any business that deals with EU nationals and businesses, and with their data, must comply with the legislation.
The term 'IT Graduate Recruitment' or 'us' or 'we' refers to the owner of the website, Hudson And Flowerdew Ltd whose registered office is 30 Avon Castle Drive, Ringwood, BH24 2BB, carrying on business as an Agency and Employment Business (agency name “IT Graduate Recruitment”). Our company registration number is 08683882, registered in England & Wales. The term 'you' refers to the user or viewer of our website.
We aim to comply with the applicable GDPR regulations as a data processor and controller. Working alongside our employees, clients, candidates and suppliers, we will comply when the GDPR legislation takes effect on 25th May 2018. We use Third Party suppliers and software to process, control and manage data. These systems have been audited in line with GDPR commitments and are outlined below. In the context of this statement, data subject refers to the person or entity submitting data and can include employees, candidates, clients and other individuals or organisations that we work with.
We deliver great service, connecting innovative organisations and talented graduates. We want to gain the trust of our employees, clients and candidates and aspire to treat data collected on them with integrity and respect. We will continue to improve and change operations where necessary to comply with new legislation. Internally we review the systems in place and aim to improve them continuously. This statement outlines our GDPR strategy and policies surrounding data control and processing.
How do we comply with GDPR?
Consent and Data Collection
We explain clearly what you are consenting to and ask that you explicitly consent to us contacting you and holding your data. We advertise our opportunities and placements publicly and people submit their information freely. Data collection and processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract. We also have a disclaimer on all job advertisements that data submitted can be used for both current and future opportunities. By submitting data, the data subject agrees that this data can be processed and stored. We obtain consent to process and store personal data including, but not limited to, name, email and mobile number. This data is necessary to ensure the data subject is suitable for engagement including, but not limited to, placements we advertise, business opportunities with us and other reasons for communication. We reserve the right to contact data subjects who have submitted this data, both upon submission and in the future, to ensure the data is accurate.
Breach Notification
In the event of a breach we will notify affected users within 72 hours of first having become aware of the breach. As per the GDPR guidelines, we must report a data breach within 72 hours after becoming aware of it, unless the breach itself is low risk. This is to be reported to the top authority, the ICO (Information Commissioner’s Office), via the Data Protection Act Submission Form. This can be done online or by phone on 0303 123 1113. Once a data breach or leak has been detected, it will be reported to this authority. A data breach or leak includes, but is not limited to, a lost USB stick, loss or theft of portable devices, or data sent to the wrong person.
Right to Access
Users can request confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, we shall provide a copy of the personal data, free of charge, in an electronic format. Subjects must request their data by phone, email or letter, stipulating what data they would like erased, and this will be processed within 48 hours. We will send confirmation of this either by email or letter.
Right to be Forgotten
Once we have compared your (the data subject's) rights against "the public interest in the availability of the data", we may delete your personal data where you have requested this. Data will be hard erased after the data retention period unless the data subject requests otherwise, or has been engaged with during this time and data on them is necessary for archiving purposes in the public interest. Data subjects have the right to be forgotten and erased from records upon request.
Data Portability
We allow you to receive the personal data concerning you, which we will provide in a 'commonly used and machine readable format' and you have the right to transmit that data to another ‘controller’.
Privacy by Design
We implement appropriate technical and organisational measures, in an effective way, in order to meet the requirements of this Regulation and protect the rights of data subjects. We hold and process only the data absolutely necessary for the completion of our duties (data minimisation), and limit access to personal data to those who need it to carry out the processing.
Data Retention
We keep data on file for a period of 7 years unless otherwise stipulated. Data will be hard erased after this time unless the data subject requests otherwise. Data subjects have the right to request personal data on them in a portable format. Data subjects must request their data by phone, email or letter, stipulating what data they would like to access, and this will be processed within 48 hours. We will send confirmation of this either by email or letter (whichever is most appropriate). If data has been deleted, erased or is otherwise irretrievable, the subject will also be informed of this.
Internal Policies for GDPR
We have stringent security and access policies for employees that safeguard data and protect its integrity. We also ensure this does not impact business function or the experience of data subjects. We have a data security policy, a confidentiality policy, a password policy and a Bring Your Own Device (BYOD) policy for the workplace. We permit the portability of data on mobile devices such as phones or laptops, and advocate home working, subject to restrictions and/or limitations. This is also for the benefit of data subjects. Access to this data can be terminated or limited as and when necessary to prevent data breaches or leaks. Every reasonable step is taken to ensure that data accessed outside the network is secure. These policies aim to mitigate any instance of data breach or leak, and employees are trained in maintaining data security.
IT policies for GDPR
We outsource our IT system maintenance and management to a Third Party. This Third Party supplier is responsible for safeguarding the network and the terminals with access to it. They manage the anti-virus on the machines and apply security updates to mitigate data breaches and leaks. They are also responsible for employee access, granting, limiting or terminating it where necessary. The data this Third Party collects on employees is limited within the organisation and is also bound by data privacy and confidentiality clauses.
Our ATS and Database
We use a dependable and resilient ATS (applicant tracking system) for data processing. As a data controller we rely on compliant systems, and our ATS and database are audited in a review that covers internal governance, production operations, change management, data backups and software development processes. These evaluations determine that the appropriate controls and processes are in place in accordance with the related standards. Our ATS and database comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework regarding the collection, use and retention of personal information transferred from the European Union and Switzerland, respectively, to the United States.
This document is provided as of January 2018, for informational purposes to explain our stance on GDPR legislation and compliance. It is subject to change or removal without notice.