Appogee HR and our commitment to GDPR
The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive and is the most significant piece of European privacy legislation in the last twenty years. GDPR strengthens the rights that EU individuals have over their personal data, unifies data protection laws across Europe and places more responsibility on customers of HR software (as data controllers) and on providers of HR SaaS software (as data processors).
For many organisations, holding personal data centrally in a system like Appogee HR can help them meet their GDPR obligations as a data controller.
Appogee HR is committed to providing the controls our clients need to meet their obligations as a data controller under GDPR, and to meeting our own obligations as a data processor, when GDPR enforcement begins on 25 May 2018.
Appogee HR already incorporates security by design. The service is built on Google Cloud Platform (GCP) and is hosted in Google’s own European data centres, which are certified under ISO 27017 (cloud security controls) and ISO 27018 (protection of personally identifiable information in public clouds). All data held in Appogee HR is encrypted at rest and in transit between our service and your browser, and is fully backed up. Our service is subject to penetration tests and is protected by Google’s intrusion detection services. Appogee HR supports authentication through G Suite and Office 365 accounts, with account integration available if configured by our customers.
Data in Appogee HR is held at rest solely in Google’s European data centres. Our hosting contract with Google is also subject to the EU Model Contract Clauses, which European Data Protection Authorities have confirmed as compliant, affirming that GCP’s contractual commitments meet the requirements for legally framing transfers of data from the EU to the rest of the world (should such transfers be needed) in accordance with the Data Protection Directive.
The Appogee HR application and service provide our customers with numerous access controls to help them meet their obligations as data controllers. These include multiple security roles (Employee, Manager, HR and Admin), which can be combined with configurable access rights (read, edit, no access or masked) for each type of personal data held in the service. The service also includes comprehensive auditing, allowing our customers to track who updated or modified data and when. Together these give our customers the flexibility to meet their obligations as a data controller under GDPR.
As part of our preparations ahead of GDPR enforcement in May 2018, we updated our Terms of Service in October 2017 to articulate and document the data processing terms more clearly, and to document our privacy and incident notification commitments to customers.
We will also shortly be introducing further product enhancements, specifically to clarify our customers’ data deletion options and to make our customers’ data export options more flexible and comprehensive.
To achieve compliance with GDPR, customers of Appogee HR should familiarise themselves with their obligations under the regulation as a data controller. In particular, you should consider creating an updated and precise inventory of the personal data that you process and control in Appogee HR; you should review the lawful basis on which you process that data; and you should review how your organisation configures its advanced security roles and access settings in Appogee HR.
If you have specific questions about GDPR compliance we’d like to hear from you.