GDPR & PageUp Security

David Clarke
Published in pageup-tech
May 14, 2018

Overview

PageUp is well prepared for the GDPR. We set up an internal working group over 12 months ago to flesh out exactly what we were already compliant with, and where there were gaps that we needed to address before the GDPR comes into effect.

The aim of this article is to talk through some key terms, the parts of the GDPR that matter to our clients, and how we are addressing them. It is worth noting that this is purely from a security perspective: it does not cover all GDPR obligations and should not be treated as if it did.

We also touch on what went well, what didn’t, and advice for other companies going through a similar process. Let’s address that first, in case you want the high-level TL;DR version.

What worked well?

  • Having an ISMS (Information Security Management System) already in place and independently audited meant that the majority of the items called out in the GDPR (from a security side) were already being addressed by PageUp. If you are already ISO 27001/27017/27018, PCI DSS, NIST, CIS etc. compliant, you will be well on your way to GDPR compliance from a security standpoint.
  • Setting up a diverse working group — from the very early days PageUp identified the right people to work on the issues that GDPR presented. Having Legal, Security, Support, Implementation, Sales etc as part of this working group ensured that we had the right inputs and flagged as many potential issues as possible, as early as possible.

What didn’t?

  • Vendor requests and follow-ups: even though PageUp uses a limited set of 3rd party vendors to help us deliver our services, the nature of the GDPR meant that these vendors were (and are) inundated with GDPR requests from clients like us that rely on their services to deliver our platform.
    Be patient to begin with, but make it a priority to get in touch with the right department early and, wherever possible, try to get a single point of contact.

What was challenging?

  • Being a global company (with UK offices, UK clients and other clients that do business in the UK), but based predominantly in Melbourne, Australia, presented some unique challenges to PageUp. How would we manage out-of-hours support for UK clients with our follow-the-sun model?
  • Being a Talent Management solution, collecting and analysing personal data is what we do. In some respects, our industry is one of the toughest for GDPR.
  • Managing the influx of questions from our clients (this is ongoing). Clear, consistent messaging across your client base is important. Track these requests and replies, look at the most common questions and then prepare a document or blog post to address these specifically for your business.
  • As PageUp is a data processor, we are often approached by data controllers (i.e. our clients) for advice on reaching GDPR compliance via PageUp. Being approached for what would be deemed legal advice, while not being in a position to legally provide it, has been challenging.
    This is likely a common challenge for many data processors and will likely increase as we move closer to May.
  • We are yet to see this, but we know it will likely happen: once the GDPR changes are live, we will receive deletion and right-to-be-forgotten requests directly from candidates. While we are able to execute these, we must refer the individual to the client for them to make the request, because PageUp does not modify client data unless the client requests it. We are developing a process for this to occur via our normal support channels, but like anything new, it will likely need some fine tuning.

As an HR company, what specific use cases did we need to consider for our clients?

  • Clients will be changing their Privacy Policies — this is a big one that we are hearing from our clients.
  • PageUp allows our clients to show job applicants their Privacy Policy and require them to tick a box to accept it before continuing. We anticipate that a number of our clients will need to change their Privacy Policies.
    We also anticipate that these clients will require existing candidates to accept their updated Privacy Policy.
  • Because of this, we knew that clients would need to know (and report on):
    1. Who has accepted the new Privacy Policy
    2. On what date they accepted it
    3. Who is yet to accept the new Privacy Policy, to mitigate risk.
  • Furthermore, we also wanted to offer our clients a means to mass communicate this change to all existing candidates, and a way to delete any candidates who have not accepted the new Privacy Policy within X days (if that is their chosen course of action).
  • The mail-out and policy agreement functionality is being put in place to support our clients in achieving this outcome, and also to support any future revisions of their Privacy Policies.
  • Clients are likely to receive requests from candidates, ex-staff etc. to be removed. PageUp already offers a “delete profile” functionality, but we suspect that these requests will rise.
  • Data retention changes: PageUp can already action these requests from clients, but will there be a need to allow clients to self-service these?
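The following Python sketch is an added example, not PageUp code: it shows how the three reports above (who accepted, when, and who is still pending) and the "delete after X days" list can be derived from an append-only ledger of policy acceptances. The data model, field names, sample candidate IDs and dates are all assumptions made for the example. The points worth noting are that acceptance is recorded per policy version, so a candidate who ticked the box for the old policy is still pending for the revised one, and that timestamps are stored timezone-aware so the acceptance date reported to a client is unambiguous.

```python
"""Privacy-policy acceptance ledger (added example, not PageUp code).

Tracks which candidates accepted which policy version and when, so a
controller can report (1) who accepted the current policy, (2) when,
(3) who has not, and pick out candidates still pending after a grace period.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

UTC = timezone.utc


@dataclass(frozen=True)
class Acceptance:
    candidate_id: str
    policy_version: int
    accepted_at: datetime  # timezone-aware; the moment the box was ticked


@dataclass
class ConsentLedger:
    """Append-only: acceptances are recorded here, never edited or removed.

    Acceptance is per policy version. A candidate who accepted version 1
    is still pending for version 2 until they accept it explicitly.
    Erasure of a candidate is a separate process and not modelled here.
    """
    current_version: int
    published_at: datetime  # when current_version went live / was mailed out
    records: List[Acceptance] = field(default_factory=list)

    def record(self, candidate_id: str, version: int, accepted_at: datetime) -> None:
        if accepted_at.tzinfo is None:
            raise ValueError("accepted_at must be timezone-aware (store UTC)")
        if not 1 <= version <= self.current_version:
            raise ValueError(f"unknown policy version {version}")
        self.records.append(Acceptance(candidate_id, version, accepted_at))

    def accepted_current(self) -> Dict[str, datetime]:
        """Reports 1 and 2: candidates who accepted the current version,
        with the earliest timestamp at which they did so."""
        out: Dict[str, datetime] = {}
        for r in self.records:
            if r.policy_version != self.current_version:
                continue
            if r.candidate_id not in out or r.accepted_at < out[r.candidate_id]:
                out[r.candidate_id] = r.accepted_at
        return out

    def pending(self, candidates: Set[str]) -> Set[str]:
        """Report 3: candidates with no acceptance of the current version.
        This is also the mail-out list for the policy-change notice."""
        return set(candidates) - set(self.accepted_current())

    def overdue(self, candidates: Set[str], grace_days: int, now: datetime) -> Set[str]:
        """Candidates still pending once grace_days have elapsed since
        publication: the set a client might choose to delete."""
        deadline = self.published_at + timedelta(days=grace_days)
        if now < deadline:
            return set()
        return self.pending(candidates)


# --- Constructed sample data (invented candidate IDs and dates) ---
NOW = datetime(2018, 5, 25, 9, 0, tzinfo=UTC)
LEDGER = ConsentLedger(current_version=2, published_at=datetime(2018, 4, 25, tzinfo=UTC))
LEDGER.record("cand-001", 1, datetime(2017, 9, 1, tzinfo=UTC))    # old policy only
LEDGER.record("cand-002", 1, datetime(2017, 11, 3, tzinfo=UTC))
LEDGER.record("cand-002", 2, datetime(2018, 4, 26, tzinfo=UTC))   # re-accepted v2
LEDGER.record("cand-003", 2, datetime(2018, 5, 20, tzinfo=UTC))   # new applicant, v2 only
CANDIDATES = {"cand-001", "cand-002", "cand-003", "cand-004"}      # cand-004 never accepted

if __name__ == "__main__":
    print("accepted v2:", LEDGER.accepted_current())
    print("pending    :", sorted(LEDGER.pending(CANDIDATES)))
    print("overdue 30d:", sorted(LEDGER.overdue(CANDIDATES, 30, NOW)))
```

With the sample data, cand-002 and cand-003 count as accepted, cand-001 (old version only) and cand-004 (never accepted) are pending, and both become candidates for deletion once the 30-day grace period from publication has elapsed. In a real deployment the ledger would be a database table with the same append-only discipline, and the grace period would more likely be measured from the date each candidate was notified rather than from publication.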

Key Terminology and Applicability

The following key terms are important to define in the context of the GDPR and their applicability to PageUp or PageUp clients.

Data Processor

One of the key developments of the GDPR is that it places direct statutory obligations on the ‘data processor’, a role that previously carried obligations only through its contract with the controller. A ‘data processor’ means a person or company which processes personal data on behalf of the controller.

PageUp will be a ‘data processor’ in the context of the data we hold on behalf of our clients. Under the GDPR, data processors have direct obligations and liabilities under the law. These include an obligation to: maintain a written record of processing activities carried out on behalf of each controller; designate a data protection officer where required; and notify the controller on becoming aware of a personal data breach without undue delay.

The provisions on cross border transfers also apply to processors. The GDPR will require that contracts are implemented with service providers (including where the service provider engages sub-processors).

Data Controller

Under the GDPR, a data controller is a person or company that determines the purposes and means of the processing of personal data. In the context of PageUp’s business, our clients will be the ‘data controllers’ in relation to the data we hold on their behalf.

Essential Steps for the GDPR and PageUp’s Approach

Use an information security framework.

Article 32 of the Regulation mandates that controllers and processors “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Information security frameworks represent a collection of best practices accumulated by professionals across industries over time and, as such, offer ideal starting points for developing appropriate measures.

PageUp has been ISO 27001 certified since January 2014. PageUp is currently certified to ISO/IEC 27001:2013. ISO 27001 is widely regarded as best practice for implementing an ISMS and the most complete security guideline available.

Identify personal data, including “special” data

The term “personal data” has been broadened (it explicitly covers identifiers such as online identifiers and location data), and “special categories” of personal data (Article 9) attract stricter conditions for processing. Special data includes -

· Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership;

· Genetic data, biometric data processed to uniquely identify a person, and data concerning health; and

· Data concerning a person’s sex life or sexual orientation

PageUp has, as part of its Secure Development Lifecycle, developed a “Data Protection Framework”. This framework details the following –

· Classification of different data types — Client Personal Information, Confidential Information, Client Data, Meta Data, Public Domain Data

· A definition of the above data types

· What PageUp can do with the information

· When to speak to the Legal Team

· Encryption requirements

· Storage region requirements

· Processing region requirements

As part of the EU GDPR changes, PageUp is revisiting this Framework and adding EU GDPR specific data types to clarify this across the platform.

Determine if your processing is considered “high risk”

Recital 89 of the Regulation suggests that “high risk” processing operations of personal data may be those “which in particular involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.”

PageUp holds personal information on behalf of our clients. As the collectors and ‘owners’ of the information (and the ones with the relationship with candidates), our clients need to handle and manage that data in accordance with their Privacy Policy, Privacy Statement and the relevant Privacy Principles and Policies.

PageUp has several controls as part of our IS Policy — Customer and Third Party Security and IS Policy — Information Classification & Handling which details the stringent requirements that we place on ourselves and on any 3rd Parties that are involved in the delivery of our service.

Conduct a data protection impact assessment

The Article 35 data protection impact assessment (or DPIA), similarly requires that an assessment be conducted “[w]here a type of processing in particular using new technologies” is likely to result in a high risk to individuals.

As described under ‘Identify personal data’ above, PageUp classifies all data, and therefore the controls around it, via the clauses in IS Policy — Information Classification & Handling and IS Policy — Customer and Third Party Security. These policies are mandated as part of ISO 27001 and have been in place, reviewed and updated regularly since January 2014. Note that the DPIA itself is an obligation on the controller (Art. 35(1)); as a processor, PageUp’s role is to assist clients with the information they need to carry one out (Art. 28(3)(f)).

Perform and document risk mitigation actions

Recital 83 requires that controllers and processors evaluate the risks inherent in the processing and then implement risk mitigation measures. In the event that processing is considered “high risk,” the Regulation requires controllers to consult with supervisory authorities when they are unable to sufficiently mitigate those risks (Recs. 84 and 90). In the event of a data breach, the controller will likewise need to document the mitigation actions it has taken in response (Art. 33(3)(d)), engage with the supervisory authority (Art. 36), and further demonstrate the effectiveness of those actions in light of a proposed administrative penalty (Art. 83(2)(c)). Processors will likewise have to document risk mitigation as part of their technical and organisational measures (Art. 28(1)) and damage mitigation in the event of a breach (Art. 83(2)(c)).

PageUp uses a two-tiered approach for managing information security risk. Using a two-tiered approach allows for the periodic assessment of risks across the entire organisation, as well as ongoing day-to-day management of individual risks as they are identified.

Information security risks may be classified as either asset risks or tactical risks. Asset risks are directly related to the structure of the PageUp ISMS, whereas tactical risks are discovered during the implementation of the ISMS.

Risk Management is a key part of the ISO 27001 standard and drives the requirements under our IS Procedure — ISMS Risk Management. This procedure outlines the following in detail –

· Types of risks

· How to identify them

· What details to capture when documenting risks

· Assets affected by risks

· Mitigating controls

· Risk owners or resources

· Likelihood and Consequences of the risk

· Risk acceptance criteria

ISO 31000 Risk Management Framework. PageUp’s risk management framework is based on ISO 31000 and forms a key piece of its ISMS.

Review your use of encryption

The Regulation cites encryption as an exception to the requirement that controllers notify data subjects in the event of a personal data breach, provided the personal data in question was effectively encrypted, i.e. rendered unintelligible to anyone not authorised to access it (Art. 34(3)(a)). Note that this exception only covers notification of data subjects: whether the supervisory authority must be notified under Art. 33 is a separate question of whether the breach is likely to result in a risk to individuals, and the exception does not hold if the encryption keys were compromised along with the data. The Regulation also cites encryption as one “technical and organisational” security measure (Art. 32(1)(a)).

PageUp uses a number of encryption techniques and algorithms within its application that have been approved by our Information Security Governance Committee. Data in transit is encrypted with industry-standard TLS (HTTPS) or SSH-2. Client data at rest is protected using a number of technologies, including PGP and, most commonly, AES-256.

Our use of encryption is mandated by the controls detailed in IS Policy — System and Process Development and this policy is reviewed and updated frequently to ensure that only secure methods are used at PageUp.

As a reminder, we have recently completed the removal of support for TLS 1.0; more information can be found below.

Add “resilience” to your CIA triad

Article 32 of the Regulation requires that controllers and processors implement security measures that include the “ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”

PageUp uses best-of-breed technology to deliver our platform. Being 100% hosted on Amazon Web Services puts us in a key strategic position to deliver a secure, reliable and trustworthy platform for all our clients.

AWS are highly regulated and currently certified to the following —

PageUp also leverages other 3rd party tools to ensure greater visibility and proactive alerting around security and availability issues; these include Incapsula, Cloud Conformity, Stax, Pingdom and New Relic, among others.

Review your BCP/DR & Security Incident Response Plans

Article 32(1)(c) requires, as a security measure, “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident[.]” In the event of a data breach, a controller must be able to report to the relevant supervisory authority “without undue delay” and, where feasible, within 72 hours of becoming aware of the breach (Art. 33(1)). Where the breach is likely to result in a “high risk” to individuals, the controller must also notify the data subjects “[w]ithout undue delay” (Art. 34(1)). A processor must be able to notify the controller “without undue delay” after becoming aware of a breach (Art. 33(2)). Notifications from the controller must contain the following:

• The nature and details of the breach;

• Contact information for the data protection officer;

• The likely consequences of the breach; and

• What measures have been taken (or are proposed) to address the breach, including efforts to mitigate adverse effects.

PageUp, as part of its ISO 27001 requirements, implements, tests and annually reviews its BCP, DR and Security Incident Response Plans. A copy of the plans and/or outputs of the tests can be provided on request to clients under a Non-Disclosure Agreement (NDA) only.

Invest in Security Certification or Attestations

Article 42 of the Regulation introduces the idea of “the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.”

This aligns closely with ‘Use an information security framework’ above: PageUp is, and continues to be, ISO 27001 certified. There are not yet options for GDPR attestations locally; however, PageUp would evaluate the appropriateness of these should they become available.

Vendors that are reading this article and have made it this far, take note, drop me a line and we can evaluate the offering if applicable.

Be ready for the “right to be forgotten”

Under current EU law (the 1995 Data Protection Directive), data subjects have the right to access personal data that a controller holds about them and, if the processing does not comply with the law, to have that data rectified, erased or blocked. Under Article 16 of the Regulation, the data subject has the right of rectification and, under Article 17, the right to have personal data erased, for example because it is no longer necessary for the purpose it was collected for, or because the data subject withdraws the consent it was collected under: the so-called “right to be forgotten.”

PageUp has already had experience in responding to these requests. We are able to action individual requests for an individual’s data to be erased, archived or blocked. PageUp applicants are able to self-service this request via a “Delete Profile” option if configured by our clients during setup.

The short-term improvement we are currently working towards is a documented procedure for these requests, to ensure they are actioned consistently.

Article 32 — “Security of Processing”


Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

PageUp notes the importance of Article 32 within the GDPR, and our individual responses are below –

(a) — PageUp’s approach to protecting client data is to encrypt all client data at rest with AES-256.

(b) — This is detailed in section ‘Add “resilience” to your CIA triad’, in addition, PageUp is currently certified to ISO/IEC 27001:2013. ISO 27001 is widely regarded as best practice for implementing an ISMS and the most complete security guideline available.

ISO 27001 focuses heavily on the identification and protection of assets and risks to the systems in scope.

We would encourage clients to review our controls in our 27002 controls document, especially sections 4 (Asset Management), 7 (Physical and Environmental Security) and 12 (Information security aspects of business continuity management), which are especially relevant here, as are the policies referenced in this controls document. This document can be made available to current clients on request.

(c) — This requirement is covered in detail in section ‘Review your BCP/DR & Security Incident Response Plans’ above.

(d) — PageUp’s ISO 27001:2013 certification is independently assessed and audited by our accredited certification body (SAI Global) to ensure that the management system meets the requirements of the standard. This occurs at least every 12 months.

We must also undergo an internal audit (which we also use a 3rd party to facilitate), using the following criteria:

• review a subset of the ISO 27001 Annex A controls, such that all the controls will be reviewed over a 3 year time period

• review whether the ISMS conforms to:
— the information security requirements defined in the PageUp People ISMS Scope and Objectives document
— clauses 4–10 in ISO/IEC 27001:2013

Summary reports of the above can be provided on request for clients under a current NDA.

If you have any specific queries around this document, or the EU GDPR and its relation to PageUp in general, please contact GDPR@pageuppeople.com

For other Security information, please visit -
