At HRLocker we know the importance of your company data, that is why we take this responsibility very seriously. We are committed to providing our customers the most up to date security and privacy protections.
HRLocker recognises that through the day-to-day operation of its business, we have an impact on our internal and external environment. Also, we ensure that due consideration is given to the potential impact that Information Security aspects may have on the operation of our core processes. As a result, HRLocker has established this Information Security Policy Statement, to communicate awareness and understanding of Information Security aspects throughout the business.
Information Security Leadership at HRLocker has appointed Phil Byrne of Mentor Consulting to develop and implement company initiatives to help us achieve our Information Security goals. Their role will also involve communicating HRLocker policies to all interested parties through the delivery of internal presentations and promoting awareness externally as appropriate. Information Security aspects are considered at our weekly management meetings.
While HRLocker ensures that all personnel consider process-related Information Security impacts, we also have identified the following aspects for attention;
1) HRLocker ensures that we meet relevant regulatory requirements and minimise any adverse Information Security effects caused as a result of our activities,
2) That we raise awareness, provide knowledge and support to employees on Information Security management,
3) Give training on the importance of protecting business and customer information throughout our business,
4) Promote awareness of Information Security objectives,
5) Regularly review our Information Security practices and policy in accordance with the principles of ISO 27001, to which we are certified
6) Establish performance objectives, targets and management programmes to achieve these.
Risk assessments are carried out with the main objective of all being to manage the Confidentiality, Integrity and Availability of company information and systems.
HRLocker has implemented an Internal Audit Programme to ensure that the ongoing suitability, conformity and continual improvement of the management system is assured. The management system has the full support of all interested parties. All operational and support processes are within the scope of the management system. All personnel participate in regular internal audits of the processes in which they are involved. The resulting document is audited externally as part of our certification for ISO 27001.
Information Security Policy (ISO 27001)It is the policy of HRLocker to provide products and services that always meet and where possible, exceed our business objectives and customer requirements, based on the following precepts;
1) The requirements of our customers are collected effectively to ensure that HRLocker is capable of achieving customer expectations,
2) The requirements of all interested parties are clearly understood so that our products and services can be delivered in a timely and professional manner,
3) All processes employed by HRLocker to deliver our products and services are determined, resourced appropriately, documented, monitored and measured to ensure conformance to; Customer requirements, Business objectives, and Any applicable industry regulations and legislation,
4) All HRLocker employees are competent for their area of work through academic achievement, training and experience, where appropriate,
5) Effective mechanisms are in place to monitor and measure customer satisfaction so that HRLocker achieves its commitment to continual Improvement. To provide for this policy, HRLocker has established a management system in compliance with our certification to the ISO 9001 Standard. The management system is an integral part of our process management and the organization is dedicated to its continual improvement by;
6)Providing clear focus on priorities by establishing business and quality objectives, which are reviewed periodically through the management review process,
7) Making available the necessary resources to ensure that the management system remains effective in achieving business and quality objectives, conforming to the requirements of our ISO 9001 Standard certification,
8) Top management’s participation in the monitoring and measurement of the performance of the management system is focused on providing an effective framework for acting on opportunities for continual improvement. HRLocker has implemented an Internal Audit Programme to ensure that the ongoing suitability, conformity and continual improvement of the management system is assured. The management system has the full support of all interested parties. All operational and support processes are within the scope of the management system. All personnel participate in regular internal audits of the processes in which they are involved. The resulting document is audited externally as part of our certification for ISO 27001.
Quality Policy StatementHRLocker has implemented this policy statement to provide guidance to all interested parties on our approach to managing personal information throughout our organization, with full consideration for our obligation toward relevant data protection legislation, including EU-GDPR.
The company management system has been developed to include appropriate measures determined by the ISO 27001 Standard, to which we are certified.
Where appropriate, HRLocker has determined specific mechanisms to control how personal data is managed throughout operational and support processes, based on the following precepts with consideration for Article 5 of the GDPR directive (Principles relating to the processing of personal data):
1) Personal information is only gathered for the legitimate purposes of our business, including where necessary, legal and regulatory purposes.
2) Only the minimum amount of information necessary for effective operations is processed.
3) HRLocker ensures that we only process relevant and adequate personal information throughout operations.
4) Personal information is processed in a fair and lawful manner.
5) HRLocker maintains an inventory of categories of personal information processed by the organisation.
6) All personal information is kept accurate and up-to-date.
7) Personal information is only retained for as long as is necessary for legal or regulatory reasons or for legitimate organisational purposes and HRLocker then ensures its timely and appropriate disposal.
8) In all circumstances, the rights of natural persons to their personal information are respected.
9) Adequate resources are allocated to ensuring that all personal information is processed and stored by HRLocker in a secure operational environment.
10) The transfer of personal information outside our national boundary is only done in circumstances where it can be adequately protected.
11) Where we provide our goods and services to EU citizens across national boundaries, HRLocker ensures that appropriate regulatory aspects are addressed.
12) HRLocker does not currently carry out any operations where the application of the various exemptions allowable by data protection legislation is required.
13) We have developed our management system to provide for the formal management of personal information, which provides for all measures documented herein.
14) HRLocker has identified internal and external interested parties and the degree to which they are involved in the governance of the organisation’s management system relevant to personal information.
15) Top management has appointed management representatives with specific responsibility and accountability for personal information within the management system.
16) Appropriate records of processing of personal information are maintained throughout operations. HRLocker has implemented an Internal Audit Programme to ensure that the ongoing suitability, conformity and continual improvement of the management system is assured. The management system complies with ISO 27001 and is subject to regular external audits in order to maintain our certification to this standard. The management system has the full support of all interested parties. All operational and support processes are within the scope of this management system. All personnel have been provided with a copy of this document.
Data Protection Policy StatementSome of the most topical questions we are asked at the moment are understandably regarding HR and GDPR (General Data Protection Regulations).
First of all, it’s important to clarify that no HR or recruitment software solution will ensure you’re instantly Compliant on how you handle employee data – or manage consent. Outside of the integrity of the supplier and their security standards and data storage locations, it is your policies, not your system that will ensure Compliance. But, dependent on their infrastructure, many HR systems will assist you greatly in meeting requirements in line with the right policies being defined. HR professionals are obviously concerned about the impact the GDPR will have on People Management and Talent Acquisition. There are plenty of checklists online, official guidelines (UK and Ireland) and infinite pages of advice or legal notes.
Some extra points to consider:
You should check in your region about extra legislative requirements on data retention. This might include data retention laws on what information you’re obliged to keep on terminated employees for wider legal reasons that might otherwise contrast or supersede ‘general‘ GDPR commitments that might be more appropriate to marketing or less specific business issues. For example, with HR software systems that have a strong element of employee self-service in how they manage their personal contact details and similar data – is it reasonable to keep next-of-kin records following a team member’s exit from the organisation?
Perhaps it could be if there is a life insurance policy or pension attached to a deceased team member that can benefit their partner or spouse. Another example is construction workers. In some jurisdictions, former workers’ records must be held indefinitely, in case they were ever in contact with Asbestos. So such an organisation needs to retain their records but likely does not have a need to retain its receptionist’s data. Again. This is you meeting your relevant policies and obligations to be widely Compliant, not the system. The system just enables this customisation to your specific case. HRLocker allows you to trim down information retained to just tangible or legal reasons – and demonstrate that in ‘one bucket’. HOW TO CALCULATE ROI FROM HR SOFTWARE
Ultimately it is your policies meeting regulations that will make you Compliant. Let’s take recruitment and retention of data for CVs you receive as an example. How long should you keep applicant details following a job application? What is a realistic and justifiable period to retain this information in line with your recruitment pipeline’s lifecycle? Only you can define this, not the system.
Do you inform applicants what your policies are – and why? (E.g., you might state in an automated response to applicants that you like to keep CVs for future or alternative opportunities you may have – and request their consent.) HIRELocker is secure and will satisfy auditors relating to security standards. But you will only be GDPR Compliant if you have the right policy – for appropriate reason and purpose – on how long you store the data. (If you are concerned about policy setting and Best Practices, please note that HRLocker offers First-Call HR Support on Professional price plans upwards. We are happy to assist you with setting up processes and are always interested to hear your business case. The HRLocker system is fit for purpose, but you have to define the policy template for retention periods – and why they are set to whatever period you agree and declare. So, if you have a request to delete data, it’s easy to manage and demonstrate diligent handling and purging of data with a cloud solution like HIRELocker or HRLocker. If you have disparate records in multiple systems and/or cannot refer to a supplier’s Information Security Standards then you are leaving yourself – and your data subject’s personal details – subject to vulnerability.
During a customer’s lifetime as an HRLocker client, HRLocker will act responsibly as both a data controller and processor. HRLocker will never delete the client’s data – until an account is terminated – and then all data is deleted permanently from the system (although we will retain information such as that customer account’s financials to meet our own record-keeping duties). Therefore it’s your responsibility to manage the data held within the system. And to remove it and manage it responsibly once you have extracted it.
In summary
HRLocker will not make you Compliant. Only you can do that by setting the appropriate policies. But HRLocker gives you all the tools to manage data responsibly and demonstrate your levels of accountability and our integrity as a supplier. All data is stored in the EU.
Microsoft Azure has the most comprehensive compliance coverage of any cloud provider.
1) More certificates than any other cloud provider.
2) Industry leader for customer advocacy and privacy protection.
3) Unique data residency guarantees.
Data is stored in the EU or the UK. (per customer’s request) Microsoft Azure cloud data centres in the Republic of Ireland or in the UK.
Yes of course – firstly Microsoft conducts regular penetration testing to improve Windows Azure security controls and processes. We also conduct our own penetration testing in sync with this.
General Data Protection Regulation (GDPR) is the most significant change to European Union (EU) privacy law in two decades.
This replaced the Data Protection Directive (DPD) that came into force in 1995 when web technology was in its infancy, before the arrival of cloud services and the proliferation of mobile devices.
In the UK the 1998 Data Protection Act (DPA) is in similar need of replacement as technology has evolved.
Many aspects of the DPD (and DPA) are now obsolete so new legislation is being passed to protect EU citizens and their data from being exploited.
GDPR requires organisations to respect and protect personal data – no matter where it is sent, processed or stored.
It imposes new rules on companies, non-profits, government agencies and other organisations that offer goods and services to people in the EU.
This is an important step forward for individual privacy rights by giving EU residents greater control over their personal data and removing ambiguity about the definition of personal data.
GDPR will impact all organisations and each industry will face its own unique challenges with regards to data protection.
The costs of non-compliance are significant in terms of reputation damage and financial penalties that could be as much as 4% of annual turnover or €20m.
While there is currently uncertainty surrounding some of the detail and the implications of GDPR, this much we do know:
GDPR was first adopted in May 2016 with a 2 year transition period to give organisations time to bring themselves into compliance.
This applies to all organisations handling the data of EU citizens and GDPR regulation will apply from 25 May 2018.
Given the ramifications of this directive, organisations are urged to begin reviewing their privacy and data management practices now.
Controlling who has access to personal data has always been crucial and is now even more of a priority in the context of GDPR compliance.
HRLocker controls include granting users access permissions making it easy to control who has access to information.
HRLocker prevents unauthorised access by controlling the permissions and also the ease of revoking privileges.
Using HRLocker is a significant step towards being GDPR compliant. Each organisation is responsible for managing its own data, but more will depend on the capability of organisations to manage their own information and which systems they use to do this.
Being ISO 27001 certified means HRLocker has established and adheres to internationally recognised standards for implementing, maintaining, and continuously improving an information security management system, ensuring the confidentiality, integrity, and availability of sensitive data.
HRLocker ISO 27001 (NSAI) HRLocker ISO 27001 (IQNET)Being ISO 9001 certified signifies that HRLocker follows globally accepted standards for establishing and upholding a quality management system, focusing on consistent processes, continuous improvement, and meeting customer expectations to deliver high-quality products or services.
HRLocker ISO 9001 (NSAI) HRLocker ISO 9001 (IQNET)To ensure no inconsistent or additional terms are imposed on us beyond that reflected in our standard DPA and model clauses, we cannot agree to sign customers’ DPAs.
As a small team, we also can’t make individual changes to our DPA since we don’t have a legal team on staff. Any changes to the standard DPA would require legal counsel and a lot of back-and-forth discussion that would be cost-prohibitive for our team.
We must ensure that we are properly flowing down our obligations to our subprocessors and so compliance must be a tightly managed routine, which we are unable to deviate from.
A Service Level Agreement (SLA) is a formal agreement that outlines the specific expectations, responsibilities, and performance metrics between a service provider and their customer, ensuring clear communication and accountability for the quality and delivery of services.
Please download our SLA below.
Service Level AgreementAt HRLocker, we work with trusted partners to provide secure and efficient services to our customers. Below is a list of subprocessors who may process customer data on our behalf:
1. Microsoft Azure
2. HubSpot
3. Lead Forensics
At HRLocker, protecting your data is our priority. We are committed to maintaining the highest standards of data protection and information security. Our practices are designed to comply with the General Data Protection Regulation (GDPR) and align with ISO 27001 standards. Below is an overview of the Technical and Organisational Measures (TOMs) we implement to safeguard personal and business data.
1. Access Control
2. Data Encryption
3. Network and Systems Security
4. Data Minimisation and Retention
5. Physical Security
6. Data Breach Response
7. Data Breach Communication
8. Employee Awareness and Training
9. Subprocessor Management
10. Monitoring and Audit
11. Data Protection Impact Assessments (DPIAs)
12. Business Continuity and Disaster Recovery
Commitment to Data Protection
HRLocker ensures all subprocessors comply with GDPR and other relevant data protection laws. We continuously review our partnerships to maintain the highest standards of security and privacy. These measures are continuously reviewed and improved to adapt to evolving security challenges and regulations.
For more information, please contact our Data Protection Officer at support@hrlocker.com.