Introduction
The General Data Protection Regulation (GDPR) which will be live from 25 May 2018 is the first major overhaul of data protection legislation in 20 years, and will have significant impact on businesses throughout the EU and beyond. Fourth Limited ("Fourth”) takes its responsibilities as a Data Processor of Customers’ data, and compliance with applicable privacy law, very seriously. This important change in law is no exception and we have been working internally on what this means for Fourth in its capacity as Data Processor since 2016.
We know that our Customers are doing the same from their own vantage point of Data Controller, and will need to understand what Fourth will be doing in order to comply, and to allow our Customers to comply.
This article explains the steps which Fourth is taking to ensure compliance.
1. Technical and Organisational Measures to Ensure Processing Meets the Requirements of the GDPR
Please see the Supporting Documents section below for:
- Fourth’s Information Security Policy
- Fourth’s Data Hosting and Security Policy
- The ISO Certificate for our European Economic Area (EEA) data centre
All security standards are measured as part of our ongoing risk process, as documented in our Information Security Policy. Fourth’s Security & Compliance Manager meets with risk owners at least once a quarter to review control effectiveness and the need for additional controls against any identified additional risks. Every quarter strategic risk is discussed and addressed at the Risk Steering Committee, which is attended by the senior management team, together with the heads of the Risk and Legal teams. Additional resource is assigned as necessary to allow Fourth to continue to deliver a robust set of security controls.
2. Controller to Processor Contractual Relationship
We have updated our standard data protection and privacy terms (now entitled “Data Processing Agreement and Privacy Policy” to better reflect their purpose) to ensure they allow both Fourth, and our Customers, to be GDPR compliant.
The new GDPR compliant Data Processing Agreement and Privacy Policy will be incorporated into your existing contracts with Fourth once our Data Processing Addendum for Customers (which can be found in the Supporting Documents section below and at www.fourth.com/agreements) has been signed. The Data Processing Addendum has been pre-signed by Fourth and needs to be countersigned on behalf of each Customer and returned to Fourth; instructions are contained in the Addendum itself.
It is Fourth’s view that each Customer needs to countersign this Addendum in order to itself be compliant with GDPR. However, if the Addendum is not signed and returned by a Customer before 25 May 2018 (the GDPR implementation date), continued use of any Fourth solution, products and/or services from this date will be deemed as acceptance of these new provisions by a Customer.
The Data Protection Addendum will also incorporate Fourth’s standard Data Retention Policy into your contract. This policy can also be found in the Supporting Documents section below and at www.fourth.com/agreements.
3. Use of Sub-Processors by Fourth in the Provision of its Workforce Management Solution to Customers
Fourth uses sub-processors to provide its solutions and services. A list of our authorised sub-processors are available at https://www.fourth.com/legal/sub-processor-list. For notifications of changes to our sub-processor list follow this community topic: Sub-Processor Changes
We have in place written terms with each of our sub-processors and will ensure these terms comply with our applicable GDPR obligations. Irrespective of this subcontracting, Fourth will remain contractually responsible to our Customers for acts and omissions of our subcontractors. These points are addressed in more detail in our updated Data Processing Agreement and Privacy Policy.
4. Retention of Employee Records
As set out in our Data Retention Policy (referred to in paragraph 2 above) we are undertaking development work which will automatically apply default retention periods to categories of data in our Workforce Management Solution. The default retention periods shall only apply to employees who have already been terminated (except in the limited circumstances specifically set out in our Data Retention Policy, referred to in paragraph 2 above). Each customer will be able to customise the default retention periods. A release note will be issued once the development work is complete, ahead of the GDPR implementation date, to explain how this can be done. Our Data Retention Policy provides more detail about these default periods.
5. Notification of Data Breaches
Please see our updated Data Processing Agreement and Privacy Policy, which now includes an obligation on Fourth to notify the Customer of any data breaches, in line with our GDPR obligations. This can be found in the Supporting Documents section below and at www.fourth.com/agreements.
6. T&A Clocks
For those of our Customers who have purchased the clocks which work with our T&A Solution we have prepared a separate document relating to the processing of biometric data which can be found in the Supporting Documents section below and at www.fourth.com/agreements.
7. Internal Processes
As part of our GDPR compliance project we have also been reviewing our internal processes in relation to how we receive and store Customer data (for example as part of an implementation project, or when a Customer raises a case). Certain of these processes may result in changes to Fourth’s recommended best practice e.g. that Customers send us employee data via a secure method rather than simply sending us this data by email. These recommendations will be communicated as necessary by the appropriate Fourth personnel.
8. Supporting Documents
Comments
Please sign in to leave a comment.