The General Data Protection Regulation (GDPR) came into force on May 25, 2018 to bring consistency to the data protection landscape across Europe, to enhance data protection compliance obligations that apply to both data controllers and data processors, and to safeguard the privacy of EU data subjects. It embodies the principles of transparency, fairness and accountability and offers strengthened rights for individuals to control their data. GDPR introduced a risk-based approach to data protection with the intent to encourage and enable innovation in the global digital economy while respecting an individual’s right to privacy.
Visier placed a high priority on GDPR readiness and proactively engaged a highly accredited privacy compliance solutions provider, TrustArc (formerly known as TRUSTe) to conduct a thorough assessment of Visier’s data privacy practices. While Visier already maintained a robust Privacy and Data Protection Program, we took steps to further mature this program and to prepare for GDPR’s increased accountability obligations. This included appointing a Data Protection Officer, updating privacy policies and notices, adopting privacy-by-design in how we design, build and govern our solutions, enhancing contract language, refreshing employee privacy training, managing vendor relations, and preparing records of processing activities to ensure that we know what data we collect, where it resides and the purposes for processing.
Visier understands that demonstrating compliance with GDPR is an ongoing journey. Our commitment includes continuously monitoring emerging developments, regulator guidance, and lessons learned as the effects of GDPR take hold. We will continue to refine our privacy practices and Privacy and Data Protection Program to reflect this shifting landscape while supporting our customer’s goals and expectations.
In addition to GDPR, Visier also complies with other applicable data protection laws and aligns with industry standards, frameworks and privacy best practices.
To learn more about our privacy commitments, please read our Privacy Overview.
Your Data and Using Visier People
Visier strives to create a trusted environment in which our customers feel confident that their data is being protected and safeguarded in an ethical, meaningful and secure manner.
Visier customers are, and remain, the data controller for the data being processed in the Visier People solution. As the data processor, Visier shares responsibilities for data protection with your organisation, and has implemented processes to ensure data is handled appropriately throughout the data lifecycle.
1. You can determine exactly what and how much personal data is sent to Visier to load into the Visier People solution.
As the data controller, your organisation decides what personal data is collected from your employees and candidates, and determines how this data should be processed by Visier.
When deciding what data is to be collected, your organisation needs to determine the lawful basis for collection. For example, you may assess that there is a legitimate interest in collecting certain employee attributes such as name and date of birth to help identify an individual and manage the employment relationship.
Next, your organisation decides how much of that personal data will be transmitted to the Visier People solution to help you make business decisions about your employees and candidates. This step is fully controlled by your organisation.
2. Personal data is processed only in accordance with your instructions.
Visier acts as a data processor and only processes the data for your organisation’s use within Visier People. Visier strictly adheres to its obligations of confidentiality and does not distribute or disclose the data to any other party. In addition, Visier adopts access controls based on the principles of ‘least privilege’ and ‘need to know’ to ensure that only authorised individuals are permitted to process your data.
3. Processing of ‘special categories of personal data’ is determined by your organisation.
As described under the GDPR, there are certain types of sensitive data that come under the ‘special categories of personal data’. This includes data that reveals an individual’s racial or ethnic origin, trade union membership, health data, and sexual orientation. Just like any other personal data types, the decision as to whether any of this sensitive data is loaded into Visier People is solely determined by your organisation as the data controller.
4. Providing Privacy Notices to employees and candidates of data processing activities
Your organisation as a data controller is required to advise your employees and candidates about the information that is collected at the time of data collection. This advice includes informing individuals about the purpose of all processing activities and, where applicable, the transfer of data to third-party service providers.
For example, it is good practice to include a privacy notice on the webform where you are collecting the candidate data. Advising individuals about the purposes for collecting their information helps them to determine if they want to provide their data to your organisation.
5. Responding to a data subject’s right of access request.
Visier People is a solution that leverages the source data that your organisation transmits to Visier. Therefore, if an individual requests access to their data, this can be fulfilled by extracting this information from your internal human resource management system or your candidate applicant tracking system as these systems contain the original and complete data.
6. Responding to a data subject’s right of erasure (deletion) request.
All data that feeds into Visier People is directly controlled by your organisation. If your organisation determines that a data subject’s personal data must be deleted, including their data that was transferred to Visier, you can notify Visier of the request by opening a Support ticket or by speaking with your Project Manager.
Please keep in mind that any data deletion means that analytic results may be incomplete or may impact the historical information displayed in the solution. For example, if you want to retain aggregate information such as the total employee headcount, you need to retain at least some data attributes that allow this individual to be counted, but not identified. Another example is if an employee’s base pay amount is removed; the organisation’s total base pay is incomplete as it will not include that individual’s base pay amount.
7. Establishing a data retention period.
Under the GDPR (Article 5), personal data should be kept for no longer than necessary for the purposes for which it is being processed and considering any legal obligations. Customer data is securely destroyed in all formats and from all media within 30 days following the termination or expiration of the Customer’s subscription agreement. If your organisation has additional data retention instructions for the data transferred to Visier, notify Visier of this request by opening a Support ticket or by speaking with your Project Manager.
8. Addressing a data subject’s concern about automated decision making.
The Visier People solution provides insights to executives and human resources professionals to help them make effective business decisions related to their employee and candidate data. It does not make automatic decisions. This means the automated decision making provisions (Article 22) of the GDPR do not apply to the solution.
9. Visier has embedded ‘privacy by design or default’ principles into the solution.
Visier incorporates privacy by design practices when designing its solution. Our Product Managers (PMs) regularly meet with the privacy team to ensure that new features and functions address privacy considerations and requirements. As an example, by default, the data attribute “date of birth” is turned off unless your organisation elects to make that visible. Visier also empowers your organisation to set up its own users with the appropriate roles-based access security settings to ensure that only authorized users have access to certain features and functions.
10. Visier has implemented technical and organisational security measures to protect your data
Visier adopts technical and organisational measures to secure your data. We annually undergo a SOC 2 Type II audit using an internationally recognised accounting firm which outlines the technical and organisational measures we take. For a summary of the SOC 2 report, see our SOC 3 report.
Visier has implemented a comprehensive vulnerability management program that adopts a multi-layered defence strategy. We encrypt your data using industry best practice, and monitor your data and services continuously to detect and respond to security threats. For more information about our security practices please read our Security Overview.