Sapling and the GDPR

The EU General Data Protection Regulation (GDPR) came into effect on May 25, 2018 and has had a significant impact on how companies collect and process personal data.

Sapling believes the legal requirements of GDPR will raise the bar for honoring employee data rights and help companies support a greater and more transparent team member experience.

In keeping with our commitment to our partners’ privacy and security, Sapling is committed to being compliant with the GDPR.

As such, the Sapling product and team:

  1. Supports customers to be compliant in their data processing activities
  2. Remains compliant with handling customer data

We’ve provided the information below to help you learn more about Sapling’s position on the GDPR and how we support the GDPR compliance of our customers (note: the information presented below is not legal advice).

Understanding the GDPR Framework

The GDPR is an EU citizen rights law and affects any organization that employs or recruits EU citizens. It applies to any organization with EU citizens as employees, regardless of location: an EU citizen working in San Francisco would require that company to be GDPR compliant.

To best understand the role of Sapling and role of our customers under the GDPR, it’s critical to first understand three key terms as they relate to the GDPR: data controllers, data processors and data subjects.

  • Collecting data about EU residents and deciding why and how that data is collected and processed will likely classify an entity (i.e. your company) as a data controller under the GDPR
  • As a solution partner, Sapling is a data processor as we support our customers with the processing of their data
  • The data subjects are your EU citizen employees using the Sapling application

Each of these entities (controllers, processors and subjects) carry different legal rights and responsibilities in the GDPR framework.

Documenting how you handle employee data

With the adoption of GDPR at your company, previously informal obligations should be formalized and made known to your broader team.

GDPR requires companies with more than 250 employees to maintain records of their processing activities (see Article 30).

This should serve as an information asset register: what personal information is stored, where it is stored, and why, how and with whom you process it. Someone in your company (typically the Data Protection Officer) will be responsible for producing a document that outlines this, and data controllers must be able to provide this data upon request to a supervisory authority.

This documentation requirement on how employee data is collected, stored and processed means that having standardized processes in place can make GDPR compliance simpler and help you stay on top of your responsibilities.

The GDPR framework requires companies to know where the data came from, who has access to it, where it is stored, as well as any processes around access and deletion.

Data Security Standards

Data controllers (i.e. you, Sapling’s customer) are obligated to only engage with processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights.

In order to meet these requirements, data processors (i.e. Sapling) must comply with the measures outlined in Article 32, which requires that both data controllers and data processors implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”

To earn and maintain the trust of the world’s most progressive and people-focused companies, Sapling is deeply committed to the confidentiality, integrity, and security of data and already implements all reasonable measures including:

  • Physical security and network security
  • Encryption of hard disks, databases, and backups
  • Secure, encrypted connections (application access via https only)
  • Role-based access controls
  • Audit logs of all access to Sapling systems and applications including all customer data
  • Active monitoring with alerting for system and application health
  • Regular training of all employees

Data Subject Consent

A big theme of the GDPR is transparency - requiring organizations to provide much more information to individuals. The GDPR mandates that employers must have a legal basis for collecting and processing employee data.

According to Article 6 of the GDPR, there are six distinct legal grounds upon which a data controller can process personal data:

  1. the data subject has given consent;
  2. processing is necessary for the performance of a contract to which the data subject is party (e.g. an employment contract);
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party.”

As long as at least one of the above conditions applies, the data processing has a lawful basis under the GDPR. The four legal bases most likely to be relevant to the employee data your company collects through Sapling are:

  • Performance of the employment contract (e.g. financial data)
  • Required by law (e.g. time off data)
  • Legitimate interest (e.g. employee benefits)
  • Consent (e.g. employee data)

As a data processor, Sapling does not and cannot determine the lawful basis for processing employee data on behalf of its customers (i.e. data controllers), because Sapling allows customers to customize which data subject data they collect.

Since customers decide what employee data is to be collected, it is up to the customer to determine or seek legal advice regarding the lawful bases for processing an employee’s personal data. Lastly, it is important that this is documented by your team to ensure alignment on standards.

Data Transfers

Sapling customers do not require consent from data subjects to either process their personal data or to transfer it into the US based on Article 46 of the GDPR.

The article states that data transfer to the US is legal if the controller and processor have entered into standard contractual clauses adopted by the EU Commission, or if an approved certification mechanism demonstrates the processor’s commitment to certain data protection safeguards.

An example of this is the “Model Clause” contract that Sapling typically enters into with many of its customers under the GDPR framework.

The Right to Object

Article 21 of the GDPR grants data subjects the right to object to their personal data being processed for direct marketing purposes.

Any data subject seeking to exercise this right can disable the notifications feature in Sapling which will prevent Sapling from sending any marketing emails to that employee.

Enhanced Rights to Notice and Access (Portability)

The GDPR increases a data controller’s obligations regarding the information that it is required to provide to data subjects. Article 15 gives data subjects the right to access their personal data and to obtain it in a commonly used format.

Among the items that must be disclosed at the time personal data is collected are the purpose of the processing, any recipients of the data, whether the data will be transferred internationally and for what purpose, and how long the data will be stored.

Sapling’s application enables customers to complete requests from individuals to access the personal data concerning them. This means that if an employee leaves your company, they can obtain the data they’ve provided to you and reuse this information with their next company.

For HR professionals, this means you should keep a single system of record and ensure your employee data is in a standardized format, so employees can easily collect and export everything without any additional administrative burden.

Data from Sapling can be provided to the employee in the form of a CSV file, which will satisfy the GDPR requirement of data portability outlined in Article 20.

Your employees also have the right to correct any personal data that is deemed inaccurate or incomplete. This is so that they can verify the 'lawfulness of the processing' and ensure that their data is being managed correctly. For HR teams currently using spreadsheets and paper-based files to manage their workforce, GDPR provides an urgent catalyst to modernize employee record keeping.

The Right to Be Forgotten

The GDPR confers a new right upon data subjects: the right to be forgotten outlined in Article 17. This seeks to achieve the broader goal of expanding individuals’ control over the use of their personal data.

Data controllers must erase personal data when requested by the data subject when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.”

Sapling will have company settings that will allow you to comply with these obligations by setting a deletion time frame when your company's legitimate interest in retaining employee data has expired. You will also be able to delete a team member’s data easily on the team member’s profile in your Sapling account.

What actions should customers take?

The GDPR puts greater responsibility on the employer as the steward of employee data. Your IT or security team may already have raised this with you, but as an HR professional, we believe the key goals you should focus on are:

  • Documenting how you handle employee data
  • Ensuring consent to collecting and processing employee data
  • Maintaining portability; being able to move employee data to a new source
  • Ensuring accessibility; employees can ask and obtain access to their personal data

Please note: the above is based on Sapling’s understanding of the GDPR requirements and should not be relied upon as legal advice or to determine how GDPR might apply to you and your company. We recommend reading the full text of the GDPR to better understand these rights and seeking independent legal advice regarding your obligations under the GDPR.