Visier GDPR Readiness
What is the GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive European data protection law that will enter into force on May 25, 2018 within the European Union. It is a unified law that replaces the previous European Data Protection Directive 95/46/EC. Significant fines may be imposed under the GDPR for failure to comply.
The GDPR is intended to safeguard the privacy of European data subjects and provides enhanced rights for individuals to control their data. Organisations must also ensure they process personal data under a lawful basis (for example, obtaining consent where required, or relying on a “legitimate interest” as the basis for processing).
How does it impact Visier’s customers?
The GDPR impacts those customers who collect, use, disclose and store European personal data. It also affects organisations located outside the European Union that offer goods and services to, or monitor the behaviour of, individuals in Europe. The GDPR imposes stringent data protection requirements, so organisations may need to plan and budget for improved personal data handling across the entire data life cycle.
What is Visier doing to comply with GDPR?
Visier has placed a high priority on GDPR compliance, as it is an important law that promotes the fair handling of personal data and aligns with our commitment to protect the privacy of your data. Visier engaged a highly accredited privacy compliance solutions provider, TrustArc (formerly known as TRUSTe), to conduct a thorough assessment of Visier’s data privacy practices and GDPR readiness. While we already maintain a robust data privacy program, we are taking further steps to strengthen it. These steps include appointing a data protection officer, educating our employees on the GDPR, adopting improved privacy-by-design processes for Visier’s services, implementing enhanced contract language that accommodates data protection considerations, and further developing other documentation to support our customers in complying with the GDPR.
Want to know more about Visier’s privacy practices? Review Visier’s other privacy commitments in the Privacy Overview.
Meeting your obligations under the GDPR using Visier People
Visier has placed a high priority on complying with the General Data Protection Regulation (GDPR). For more information about the comprehensive steps that we have taken to achieve GDPR compliance, refer to the information at the top of this page. As the data processor, Visier shares responsibilities with your organisation, which acts as the data controller, to ensure data subject rights are appropriately protected.
There are a number of processes that Visier has implemented and steps your organisation can take when using Visier People to ensure the stringent requirements of the GDPR are met.
1. You can determine exactly what and how much personal data is sent to Visier to load into the Visier People solution.
As the data controller, your organisation decides what personal data is collected from employees and candidates, determines how this data should be processed, and oversees the management of this data.
When deciding what data is to be collected, your organisation needs to determine the lawful basis for collection. For example, you may assess that there is a legitimate interest in collecting certain employee attributes such as name and date of birth to help identify an individual and manage the employment relationship.
Next, your organisation decides how much of that personal data will be transmitted to the Visier People solution to help you make business decisions about your employees and candidates. This step is fully controlled by your organisation, and Visier People does not integrate with your systems in any way.
2. Personal data is processed only in accordance with your instructions.
Visier acts as a data processor and only processes the data for your organisation’s use within Visier People. Visier strictly adheres to its obligations of confidentiality and does not distribute or disclose the data to any other party. In addition, Visier adopts access controls based on the principles of ‘least privilege’ and ‘need to know’ to ensure that only authorised individuals are permitted to process your data.
3. Processing of ‘special categories of personal data’ is determined by your organisation.
Certain types of sensitive data fall under the ‘special categories of personal data’ described by the GDPR. These include data revealing an individual’s racial or ethnic origin or trade union membership, health data, and data concerning sexual orientation. As with any other type of personal data, the decision as to whether any of this sensitive data is loaded into Visier People is solely determined by your organisation as the data controller. In fact, there is no requirement to load any sensitive data at all.
4. Providing privacy notices about data processing activities to employees and candidates
As the data controller, your organisation is required to advise employees and candidates of the information set out in Article 13 of the GDPR at the time of data collection. This includes advising individuals about the purpose of all processing activities and, where applicable, the transfer of data to third-party service providers. For example, when you collect candidate data, it is good practice to include a clearly written privacy notice on the web form where you collect their information. Advising individuals about the purpose for collecting their information helps them determine whether they wish to provide their data to your organisation.
5. Meeting the data subject’s right of access request.
Visier People is a solution that leverages the source data your organisation transmits to Visier. Therefore, if an individual requests access to their data, the request can be fulfilled by extracting this information from your human resource management system or your applicant tracking system, as these systems contain the original data.
Additionally, you can easily extract information about individuals using the Visier People solution, or you can set up individuals as users within the solution so they can access their own data.
6. Meeting the data subject’s right of erasure (deletion) request
All data that feeds into Visier People is directly controlled by your organisation. Therefore, if your organisation is required to erase a data subject’s information, you can remove their information from your source systems and provide new files to Visier at any time. Once we reload the new data file into the solution and delete the original data file, the erased data subject’s information will no longer appear in the solution and their data will have been deleted.
Please keep in mind that any data deletion you perform may leave analytic results incomplete or affect the historical information displayed in the solution. For example, if you wish to retain aggregate information such as the total employee headcount, you will need to retain at least some data attributes that allow the individual to be counted without being identifiable. Another example: if an employee’s base pay amount is removed, the organisation’s total base pay will be incomplete, as it will no longer include that individual’s base pay amount.
7. Addressing a data subject’s concern about automated decision making
The Visier People solution provides insights to executives and human resources professionals to help them make effective business decisions related to their employee and candidate data. It does not make automated decisions. This means the automated decision-making provisions (Article 22) of the GDPR do not apply to the solution.
8. Visier has embedded privacy by design principles into the solution
Visier incorporates privacy-by-design practices when designing its solution. Our product managers regularly meet with the privacy team to ensure that new feature ideas are compatible with privacy-by-design principles. As an example, the data attribute “date of birth” is turned off by default unless your organisation elects to make it visible. Visier also empowers your organisation to set up its own users with the appropriate role-based access security settings, ensuring that only authorised users have access to sensitive information.
9. Visier has implemented technical and organisational security measures to protect your data
Visier adopts technical and organisational measures to secure your data. We undergo an annual SOC 2 Type II audit performed by an internationally recognised accounting firm; the resulting report outlines the technical and organisational measures we take. For a summary of the SOC 2 report, see our SOC 3 report.
Visier has implemented a comprehensive vulnerability management program that adopts a multi-layered defence strategy. We encrypt your data using industry best practices and monitor your data and services continuously to detect and respond to security threats. The security measures we adopt are more fully set out in our Security Overview.