Bodhi’s GDPR Commitment
The EU will be implementing a new data privacy and protection related regulation, General Data Protection Regulation (GDPR) starting May 25, 2018. GDPR outlines the main responsibilities for organisations, with the aim of ensuring that private individuals’ data is processed transparently and only for the specific purposes for which they hold the data.
The scope of this regulation has far-reaching consequences from data storage and encryption to the rights of individuals on managing their data. It seeks to unify data privacy regulations under the EU umbrella with the goal to ease international business processes while dealing with EU residents. The regulation applies globally to all businesses dealing with data subjects in the EU. There is no grandfathering and all businesses have a mandate to comply by the deadline, May 25, 2018.
At Bodhi, we take compliance very seriously. For GDPR, we are working diligently to ensure that we are compliant with the rules laid out by the law and provide product functionality that enables our customers to remain compliant. In the following sections, we have outlined Bodhi’s approach to comply with the regulations outlined in the law.
Bodhi Health GDPR Compliance
During the course of creating user’s account, an organization needs to collect personally identifiable data from candidates. This information is crucial to build a profile of the candidate. At Bodhi we help our clients perform an automated evaluation of these users by using our platform.
Because we process candidates on behalf of our client, according to GDPR, we are considered a Data Processor and our clients are regarded as Data Controllers. In the capacity of a Data Processor, all the user information we receive or collect will be handled securely with adequate data protection. We will also ensure that we have an incident response plan to address an unforeseen incident that can put customers’ candidates’ personal information at risk, in accordance with the Article 32 of the GDPR regulation.
Data Subject Consent
As a processor, we require users to sign up using their emails to access our platform. Any profile information requested for collection by our customers (the data controllers) will come under the purview of GDPR. Such information would be data elements like name, education, location, phone number, etc., that can identify an individual.
According to Article 5 of the regulation, personal data can be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘lawfulness, fairness and transparency’)”.
In addition, according to Article 6 of GDPR, lawful reasons to process are any of the following:
- Data subject has given consent
- Processing is necessary for the performance of a contract to which the data subject is party
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary in order to protect the vital interests of the data subject
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
While GDPR requires that a data subject can revoke their consent at any time, pursuant to above stipulations in Article 6, it also allows this request to be declined if the processing of this information is required for legitimate interests pursued by the data controller. In other words, customers can decide whether to accept or deny the request from the candidate. We will take action based on the customer’s direction on how to proceed with any such request.
Data Management and Processing
This following section details exactly how we manage and process the data once we obtain it. It can be further broken down into 3 sections:
Secure Data Processing
Rights of the Data Subject
GDPR provides broad rights for data subjects on how to manage their personal data. These can be further broken down into:
- Right to Access
- Right to Rectification
- Right to be Forgotten
- Right to Data Portability
- Right to Object
As discussed, per Article 5, we established that the information needs to be collected, stored and processed since there is legitimate interest for the controller to make the system fair. So, the customer (data controller) can determine if the candidate’s (data subject’s) request is valid and can be fulfilled. Customers can also deem the request as invalid and not fulfill, according to their agreed upon terms with the data subject.
As a processor, Bodhi will empower its customers with configurable tools that give them the flexibility to determine their data policies, which offer rights to their candidates. This will include:
- Ability to set a routine data deletion process at a cadence determined by the customer.
- Ability to export information regarding a candidate.
- Ability to delete information regarding a candidate. The personal data will be removed and the non-personal data will be anonymized.
- Ability to edit candidate information.