GDPR Procedure Manual
This plan aims to outline how Digital Gravity Recruitment LTD aim to;
The procedure manual aims to cover all aspects of how GDPR will impact Digital Gravity Recruitment LTD and how Digital Gravity Recruitment LTD aim to:
Digital Gravity Recruitment LTD is a recruitment company which specialises in offering support and recruitment related services. They are located in Central London and have international reach.
Digital Gravity Recruitment LTD was founded in 2017 (April 2017). It is also a private limited company (LTD) which indicates that Digital Gravity Recruitment Ltd is an independent company which does not share or trade on stock exchange. The company registration number is 10660641.
Data Subject
This is the subject who has data stored on them and can include candidates, clients and employees. This data will involve identifying factors such as name, date of birth and email for example.
Data processor
The data processor is the person, group or system which collects and processes data, often storing it.
Data Controller
The data controller is the person, group or system which controls access to data. This can include limiting or restricting certain data to other groups, individuals or the public.
IR35
IR35 is tax legislation that is designed to combat tax avoidance by workers supplying their services to clients via an intermediary, such as a limited company, but who would be an employee if the intermediary was not used. Such workers are called ‘disguised employ
GDPR stands for the General Data Protection Regulation imposed by the European Union as a means to give greater autonomy for people in regards to data on them, with the need for consent and the ability to be forgotten. To further this it is a measure to impose on businesses to ensure their systems which collect and store data is secure.
Digital Gravity Recruitment LTD aims to comply with the applicable GDPR regulations as a data processor and controller. Working alongside its employees, clients, candidates and suppliers it will comply when the GDPR legislation takes effect on 25th May 2018.
Digital Gravity Recruitment LTD uses Third Party suppliers and software to process, control and manage data. These systems have been audited in line with GDPR commitments and outlined below. In the context of this statement, data subject refers to the person or entity submitting data and can include employees, candidates, clients and other individuals or organisations that Digital Gravity Recruitment LTD work with.
Digital Gravity Recruitment LTD advertise opportunities and placements publicly and people submit their information freely. Data collection and processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract. The Contract a data subject enters will entail Digital Gravity Recruitment LTD Terms and Conditions which is made available to them in both the signed contract, on the website and by request. The Company also have a disclaimer on all job advertisements that data submitted can be used for both current and future opportunities. By submitting data, the data subject agrees that this data can be processed and stored. We would obtain consent to process and store personal data including but not limited to; name, email and mobile number. This data is necessary to ensure the data subject is suitable for engagement including but not limited to, placements Digital Gravity Recruitment LTD advertise, business opportunities with Digital Gravity Recruitment LTD and other reasons for communication. Digital Gravity Recruitment LTD reserve the right to contact data subjects who have submitted this data both upon submission and in the future to ensure data is accurate.
Digital Gravity Recruitment LTD would keep data on file for a period of 10 years unless otherwise stipulated. Data would be hard erased after this time unless the data subject requests otherwise. Data subjects have the right to request personal data on them in a portable format. Data subjects must request their data by phone, email or letter stipulating what data they would like to access to, and this will be processed within 1 week. We would send confirmation of this either by email or letter (whichever is most appropriate). If data has been deleted, erased or otherwise irretrievable the subject will also be informed of this.
Digital Gravity Recruitment LTD aims to keep data on file for a period of 10 years unless otherwise stipulated. Data would be hard erased after this time unless the subject of the data requests otherwise or has been engaged with during this time and data on them is necessary for archiving purposes in the public interest. Subjects of data have the right to be forgotten and erased from records upon request. Subjects must request their data by phone, email or letter stipulating what data they would like erased and this will be processed within 1 week. We would send confirmation of this either by email or letter. Data would be destroyed securely and confidentially.
GDPR pertains to certain requirements on data controllers for the portability of personal data. The data stored on our ATS and database is controlled by the Company. Digital Gravity Recruitment LTD permit the portability of data on mobile devices like mobiles or laptops, as well as advocating home working, under restriction and/ or limitations. This is also for the benefit of data subjects. Access to this data can be terminated or limited as and when necessary to prevent data breaches or leaks. Every reasonable step is taken to ensure that Digital Gravity Recruitment LTD data accessed outside the network is secure.
Principle 1
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Upon employment with Digital Gravity Recruitment LTD you will be notified where your data is stored and how Employees can access this. This is stipulated within the Employee Handbook.
As part of the Contract of Employment and contained within the Hand book are a number of references to data confidentiality, privacy and security. These are read and signed by Employees upon induction. This is to protect data integrity and security.
Processing is managed and maintained by a select group of users and the Employee themselves. Data submitted is accessible by the Employee, while they also have the ability to amend this where necessary. Data processing is necessary for new or leaving staff internally, as well as business function in recruitment.
Consent is required to process personal data and Digital Gravity Recruitment LTD will be unable to assist without such. Internally Employees will need to submit personal data regarding their name, address, email and banking details. This is in order to ensure our records are up to date, we can maintain communication and in order to credit Employees with their wage.
Externally applicants will need to consent to having their data logged on Digital Gravity Recruitment LTD database and this is necessary to find them a position or to satisfy a role. Personal data such as name, email, phone number and address are intrinsic to the employment process and to maintain communication. Personal data will be processed and stored for future reference as well even if the candidate doesn’t meet the requirements of the role or is not suited to it, and this is to ensure they can be placed at other roles or placements.
Data withheld at any process may implicate Digital Gravity Recruitment LTD ability to maintain data integrity and relevancy. In reference to external candidates, it may implicate the ability for them to be found for roles in the database and their job search. Data subjects need to request for their data to be withdrawn if they do not want it kept on the database
Principle 2
Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
Personal data is used for business function, including internally with regards to new users and leavers of the business, as well as externally and the main business function of recruitment.
Internally personal data obtained is necessary for communication regarding employment, including letters and bank payments. It would also contain medical information or information on disabilities in order to ensure Digital Gravity Recruitment LTD can accommodate its staff without risk posed to them. Internal information is only used for these purposes and not passed to Third Parties unless consent is provided (such as in the case of joining Digital Gravity Recruitment LTD Insurance Scheme)
Externally and in the Recruitment Process (see below) than information is required to ascertain the candidate name, current job, salary expectations and work history to determine their suitability for the role. Digital Gravity Recruitment LTD would also obtain the candidates address in order to see whether they are proximate to their job posting and again to ascertain their suitability for the role. This data is not passed to Third Parties without consent, such as CVs will not be submitted unless the candidate has agreed beforehand.
Principle 3
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Personal data is used for business function, including internally with regards to new users and leavers of the business, as well as externally and the main business function of recruitment.
Internally the personal data collected is pertinent to their employment and health and wellbeing. This includes data on their address, banking information and absence within the company. Digital Gravity Recruitment LTD would not consider this excessive is it is necessary for an Employees contract and in order to maintain their wellbeing. Data such as religion or sexual orientation otherwise considered excessive is not required.
Externally, personal data collected is required for employment and placement opportunities. Data on the candidates and clients including salary, location and work history is very important. Data collected is not excessive for the purpose of employment and necessary for compliance, such as VISA or passports, or IR35 legislation.
Principle 4
Personal data shall be accurate and, where necessary, kept up to date.
The onus of ensuring data is kept up to date is put on the Employee. They have access to an online portal where they can amend their personal details on themselves, including bank details and address. They are responsible for ensuring this is up to date and relevant, they also have the ability to not populate information.
Employees are also responsible as part of their job and training to update data on the system and discriminate data where possible, such as what is necessary and what is not. Any data that has not been used or no longer needed will be deleted and this is to ensure data is accurate and secure.
Principle 5
Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.
Digital Gravity Recruitment LTD will aim to keep data no longer than ten years (often for financial records). Anything beyond this point will be deleted unless otherwise stipulated by the data subject. This data is kept for the purpose of financial or legal records, but as soon as it is no longer required, it will be hard deleted from the system.
Digital Gravity Recruitment LTD Employees have the ability to amend and delete their data to a degree, and they can request for data to be deleted (right to be forgotten) before this point provided it is not needed.
In regards to the business model, personal data is processed in order to seek employment for candidates and fill placements for clients. With this in mind data is kept for the purpose of filling these positions and in order to keep records of previous placements and fees. This is important for Digital Gravity Recruitment LTD business function and records.
Principle 6
Personal data shall be processed in accordance with the rights of data subjects under this Act.
In order to ensure data will be processed in accordance with legislation and the rights of data subjects, Digital Gravity Recruitment LTD has stringent controls over personal data.
Internally, access to personal information is limited to directors and the Human Resources Department (including Accounts). The data subject (Employee) can access data on themselves via their own online portal. Access to this portal can be limited based on the needs of Digital Gravity Recruitment LTD
Externally, data processed by Employees in reference to candidates or client data is also processed in accordance with the rights of the data subject. Where possible data is obtained from candidate CV’s and data obligingly over the phone or email. This is documented on the database and is auditable.
Principle 7
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Principle 8
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country of territory ensures and adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Digital Gravity Recruitment LTD use IT and software for its core business function including communication, marketing and cash flow. This data is stored on independent systems which have been audited and reviewed upon GDPR legislation.
| Part | Responsibility and Details |
| Hosting Provider | Microsoft Exchange Server |
| Who manages this? | Keybridge IT Solutions |
| In house or hosted | In house |
| What is it stored on | In house server |
| Where is this stored? | Stored on the in-house server in London Office. |
| Is this backed up? If so how regularly | Yes, every night |
| Where is this backed up? | This is backed up in the cloud, this back up is based in the UK |
| Who has access to back up? | Digital Gravity Recruitment LTD can request access to this. Keybridge IT Solutions manage this. |
| Is it secure and encrypted? | Yes |
| Who has access to this and what do they have access too? | Employees have access to their own email accounts which they manage. Managers and directors may have emails from their employees or people who have left. |
| How is data controlled? | Access to emails is determined by Digital Gravity Recruitment LTD and executed by Keybridge IT Solutions who administer the email solution. |
| How do you terminate or prevent access? | Digital Gravity Recruitment LTD advise if access needs to be limited or revoked. Keybridge IT Solutions manage this and will terminate access when requested. |
Bullhorn are our Recruitment Database (ATS) System. It is hosted and accessible online. It is responsible for holding sensitive information on contracts, candidates and clients.
Supplier Details
| Hosting Provider | Bullhorn, hosted by Salesforce |
| Who manages this? | Bullhorn |
| Who has access to this? | Bullhorn Employees. Only a few Bullhorn employees are authorized to access customer data, and they only can do so through a limited access point bridging the platform and infrastructure layers. |
| In house or hosted | Hosted online, based on in house servers based in the UK. |
| What is it stored on? | Stored on in house servers part of Sales Force. |
| Where is this stored? | Hosted online, based on in house servers in the UK. Their servers are housed in purpose built, multi-million-pound data centers in the U.K. These are specifically UK only data centers and provide full redundancy across two geographically separate sites. Bullhorn uses three geographically separate colocation data centers. CenturyLink facilities are located in Boston (Waltham), Massachusetts and Slough, United Kingdom. The Switch SUPERNAP facility is located in Las Vegas, Nevada. Their data center partners cover the physical security procedures including network provider redundancy, power/electrical redundancy and failover, HVAC, fire suppression, and physical access control. Our facilities have accredited certifications and operate at or above industry standards. |
| Is this backed up? If so how regularly | Should the primary database server fail, the backup database server takes over as the primary and assumes all traffic. Once the failed server is brought back online, it becomes the backup database server.Differential backups are taken nightly, transaction-log backups are taken every 30 minutes, and full-tape database backups are taken weekly, encrypted, and stored at a secure offsite facility |
| Where is this backed up? | Backup to Server.Bullhorn partners with CenturyLink and Switch, who together provide a network of state of-the-art data centers in the U.S. and UK that are SSAE16 compliant. |
| Who has access to back up? | Bullhorn Employees. They do not download or store any client data on their internal infrastructure, all data is held on Bullhorn’s servers located at their data centre. Data is encrypted at rest.Printed confidential information of which there is little to none is disposed of in secure Shred-It bins for disposal through a third party organisation.No client data is transported from their offices. If data needs to be migrated away than this is stored on a secured drive and encrypted. |
| Is it secure and encrypted? | Bullhorn provides exceptional levels of protection against hackers, beginning with firewalls that prevent unauthorized outside access. To protect customer data and communications traveling across the internet, Bullhorn leverages the strongest encryption products available today, including 128-bit Geotrust Transport Security Layer (TSL) Certification and 1024-Bit RSA public keys.To access Bullhorn, users must have a valid username and password combination. During transmission, username and password combinations are encrypted with TSL protocols, and an encrypted session ID cookie is used to uniquely identify each user.The server facility is physically protected 24 x 7 by on-site security guards. Only authorized data-centre staff have physical access to the data halls and servers. |
| Can you do a hard delete of records (disappear from the system AND backups?) | |
| Do you train your employees and staff on GDPR and compliance? | Yes they train staff on data quality and management. |
| Certifications | SSAE 16 auditPrivacy Shield Framework |
Internal Processing
| Who has access to this and what do they have access too? | Employees have access to their own login accounts which they manage, as well as access to the database in order to source candidates. They would have access to all data put on Bullhorn. Directors may have admin level in order to do more on the system. Bullhorn provides all the tools, processes, and access control level (ACL) capabilities needed to allow, restrict, and deny employee access to specific data and functions. |
| How is data controlled? | Access to Bullhorn is determined by management and executed by Digital Gravity Recruitment LTD who administer Bullhorn. Data can be controlled by IP or by day. |
| How do you terminate or prevent access? | Management advise if access needs to be limited or revoked. Keybridge IT Solutions can revoke email access and Digital Gravity Recruitment LTD manage Bullhorn access, and will terminate access when requested. |
Digital Gravity Recruitment LTD use CloudCall for telephony and VOIP, which is not a physical handset or in-house phone system. CloudCall uses the internet line to make and receive calls. Calls are recorded via CloudCall and put onto Bullhorn. CloudCall can be used on the mobile via the CloudCall app. Access to CloudCall and the app is conditionals and based on correct passwords.
There is a disclaimer before calls to the company that calls may be recorded for training and quality management. The retention period for these calls is 12 months.
The recorded calls are stored on CloudCall servers
Digital Gravity Recruitment Ltd use IT and telecommunications as a core function of the business, including internet or web-based applications.
Digital Gravity Recruitment Ltd use a VOIP system called CloudCall which will use softphone applications on the PC.
Digital Gravity Recruitment Ltd use a CRM system called Bullhorn for all recruitment purposes. Deals and engagements are logged on this system and this is how behavior and work is monitored and tracked.
Digital Gravity Recruitment LTD take data privacy and breaches very seriously which is why it is engrained in their induction, culture and training. Employees are subject to Terms and Conditions upon employment and this means they are bound by data privacy laws and regulations, including but not limited to data privacy, data confidentiality and more.
The Digital Gravity recruitment team will focus on mid to senior level roles, supporting the Directors. They will focus on building networks and intelligence. They will often view things from the candidate viewpoint.
The Research team will also train users on Bullhorn upon induction to ensure they make the most out of Bullhorn and use it accordingly. They might teach some tricks or shortcuts to improve efficiency.
Employees sign a non-disclosure agreement.
Employees are responsible for updating personal data on themselves as and when circumstances change. They are liable if data is incorrect.
Data on employees is stored on the shared drive under HR > Staff File.
When someone is hired the following needs to be collected from them:
Further information on their personal file will be
Employees can see records on their employment at Digital Gravity Recruitment LTD including Contract of Employment, Offer Letters, Pay Reviews and more. All details on their employment are accessible from the HR folder.
Directors will be able to go into other records on their employees, including the same as above. Access is limited to permissions on the system. No one can view another person’s personal file unless they are director level (super admin).
Data is accurate and is the responsibility of the Employee to update this. They can easily do this by logging into the HR folder and amending the details where they see fit. Employees can see records on their employment at Digital Gravity Recruitment LTD including Contract of Employment, Offer Letters, Pay Reviews, etc.
Data can only be viewed by employees who have permission to do so, but they have access to data on themselves.
When someone has left the business, the following is carried out:
The marketing process is comprised of all aspects of advertising, sales and website. The consultants work on this process in order to post jobs, however the website, SEO and campaigns are worked on by the Digital Marketing Manager.
Volcanic
Volcanic is our website provider and has multi-posting technology software which integrates into Bullhorn. It permits CV parsing into Bullhorn.
To post a job on our website the consultant first needs to make the advert on Bullhorn. They should ensure the detail is correct including job role, salary and location. The would obtain this information from the client, alongside job roles and responsibilities.
Once a job post has been submitted on you cannot change this. In order to amend you need to go to the backend website to change details. To do this go to the website and login with the admin credentials.
