As we've recently shared on the Saba blog, this May marks an important milestone in global privacy legislation and for HR organizations worldwide.
On May 25, 2018, a new privacy law, the General Data Protection Regulation (GDPR), will come into effect in the European Union. GDPR replaces the existing EU Data Protection Directive and aims to standardize and strengthen the data privacy rights of EU residents. This means that any organization, regardless of location, that collects, processes, and/or stores personal data from an EU resident must meet new standards of transparency, security and accountability.
Saba recognizes that the GDPR also means our customers have new obligations. It will change how organizations can handle personal data, including their employees' personal data. The main changes are around access, rectification, deletion and transfer rights, as well as new requirements around reporting a data breach.
This post summarizes some important key GDPR terms, Saba's approach and commitment to our responsibilities under the new legislation and important considerations for organizations controlling personal data.
What is "personal data"?
Personal data is information related to a person (referred to as a 'Data Subject' in GDPR) that can be used to directly or indirectly identify the person. GDPR also provides for special categories of personal data, which are considered sensitive; these include, for example, a person's racial or ethnic origin, religious beliefs and sexual orientation. GDPR places greater restrictions on the processing of special categories of personal data.
What is the difference between a data processor and a data controller?
The data controller is the entity that determines the purposes, conditions and means of the processing of personal data (e.g. employers), while the processor is an entity which processes personal data on behalf of the controller (e.g. solution providers).
Saba's role is as the processor for its customers, who act as the controller.
What is Saba Responsible for Under GDPR?
As a global technology provider, and "data processor" under GDPR, we have carefully reviewed these new rules to ensure that, through our software design and our procedures in both our Saba and Halogen software products, we can help our customers be compliant in a timely manner.
Data processors must meet specific GDPR requirements regardless of their location. As a data processor, Saba has a robust set of practices in place by design that support our responsibilities under GDPR, as well as several other privacy and security regulatory requirements.
Dedicated security and compliance organization
Our dedicated Saba Security team is made up of industry leaders and certified experts in security best practices, emerging data protection, compliance and data privacy requirements. Saba's Security Organization works alongside our IT, Cloud Operations and Product Development teams to ensure that our products and services are designed with security from a customer's perspective. With our dedicated security and privacy expertise and a collaborative approach, we partner with customers to ensure a trusted environment for their business.
Comprehensive Security & Compliance
Saba maintains a best-in-class architecture with the highest compliance and uptime standards, one that accommodates the most stringent global data protection requirements.
The Saba Security Program review process focuses on meeting and exceeding industry-accepted practices. In addition to embedding security throughout the development lifecycle, Saba adheres to global privacy requirements, provides appropriate controls, and addresses secure data handling, retention and deletion, and transference of personally identifiable information (PII) in accordance with customer privacy requirements.
Global Data Centers
Saba's data centers in North America and EMEA are SSAE-16/AT101 Type 2 and/or SOC 2 Type 2 audited, and ISO 27001 certified. Additional capabilities are available to meet strict regulatory requirements.
System and Data Access Control
Saba's security model restricts access to both systems and data according to defined separation of duties, operational roles and responsibilities (RACI), and "need to know." Logical access to our systems is restricted by security policies and procedures, two-factor authentication (2FA) with unique usernames/passwords, and restrictive localhost permissions. Direct access to system administration accounts is prohibited. Data classification standards require that customer data may only be accessed using Saba-authorized systems.
Data Retention, Transfers & Deletion
The GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. However, transfers of European personal data outside the European Economic Area (EEA) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA.
Saba helps customers comply with this through our contractual agreements, US Privacy Shield certification, Swiss Privacy Shield certification, as well as offering a Data Processing Agreement and the Model Clauses approved by the European Commission.
Saba stores customer information in our data centers for the duration of a customer's contract. If a customer terminates their contract with Saba, we delete all of the customer data after 30 days unless otherwise requested by the customer.
A commitment to independent assurance
Not surprisingly, our customers expect validation from independent third parties that the measures we take at Saba meet security standards and controls, work effectively, and support specific data privacy requirements. Saba customers have access to independent assessments and evaluations of our security controls and overall security effectiveness. Third-party evaluations, including AICPA SOC 2 Type 2 audit reports, web application vulnerability reports, and network and host vulnerability scanning results are available upon request.
Cross-Border Data Controls
Controlling the location of your data is a critical element of data privacy and compliance, and Saba has data centers across North America, EMEA and Asia Pacific. Data centers in North America and Europe are SSAE-16/AT101 Type 2 and/or SOC 2 Type 2 audited, and ISO 27001 certified, and are capable of meeting many additional regulatory requirements. To ensure that privacy regulations are met, customer data is hosted only within primary and secondary data centers within each region.
What is an Employer or Data Controller Responsible for?
We've covered a lot of ground on Saba's responsibilities, controls and approach to data privacy under GDPR. It's important to understand the obligations and responsibilities of employers, or Data Controllers, as well.
As a controller, an organization needs to have formalized, published business processes that allow a data subject (and in the case of our customers, primarily their employees or end users) to request several different activities related to their personal information. The rights of a data subject include:
- Right to access: Data subjects are entitled to access their personal data.
- Right to rectification: Data subjects are entitled to require a controller to rectify any errors in their personal data.
- Right to erasure: In certain circumstances, data subjects may be entitled to require a controller to delete their personal data.
- Right to data portability: In certain circumstances, data subjects have the right to obtain and reuse their personal data.
- Right to restriction of processing: In certain circumstances, the data subject may be entitled to require a processor to limit the processing of their personal data.
- Right not to be the subject of automated decision-making: The GDPR restricts the making of solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.
That's quite a bit to consider
Ultimately, the obligation for compliance and the appropriate use of systems and tools to manage personal data must be met by employers individually in their application of their solutions.
With this in mind, these organizations need to define, implement and communicate the business processes to receive these requests from data subjects. Saba's Professional Services team is available to provide custom consulting services to any customers requiring assistance in creating these business processes.
Preparedness is critical
Saba has been working on GDPR readiness for some time and is ready to ensure our customers can be compliant with the requirements. Saba's customers have access to a variety of specific solution resources on GDPR readiness in our customer community. As each customer may have different GDPR requirements, we encourage you to consult with your own Legal, Privacy and Compliance subject matter experts.
If you're interested in additional considerations and ideas on preparing for GDPR's impact on your talent management programs, download our latest white paper on this topic.