How do you assure compliance with GDPR?
BrightHR currently operates two products, a legacy system, HROnline which is not under active development, and a new offering, BrightHR. Both systems are within the scope of GDPR and are ready for GDPR.
When you subscribe to BrightHR we become the data processor and you remain the data controller. BrightHR will process the data in a way that is compliant with the guidance in GDPR, and other data protection guidance. We will always store data local to the company that is using it, and we use encryption to protect it. We use secure protocols for transporting the data, and when asked to delete the data we delete it permanently from the system. As a controller of the data you have a responsibility to act on individual's rights. You will need to act on their right to see what information you hold or right to erasure, so you could choose whether you retain the lawful right to hold that data or you need to remove it. If you choose to remove one of your user's data we would honour that and completely and permanently remove that data from the system.
We have a full time Data Protection Officer, based in our offices in Manchester.
You retain the responsibilities of the data controller, BrightHR is the data processor. To be clear about our responsibilities we provide a Data Processor Template.
We conform to the ICO guidelines for breaches (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/), so we would inform you without undue delay. As the data controller you would need to inform the ICO within 72 hours of becoming aware of a breach.
We only process your data in the way that we state in our terms www.brighthr.com/terms. We ensure that our staff and any subcontractors only process personal data in the way agreed by ensuring that the data cannot be accessed by our staff except for the purposes agreed. We also use customer data to create aggregate statistics that do not allow identification of a customer or an employee. The aggregate data is used to develop new features as part of the service, provide information for us to plan and operate the service and for marketing purposes.
How do you manage data and systems security?
Yes we have separate policies for data and information security.
Yes they are based in our offices in Manchester.
Yes we are ISO27001 accredited, registered with the ICO and are PCI compliant.
The computers used in our offices are patched automatically following assessment by our information security team. The computing infrastructure in our live estate is on Microsoft's Azure platform as a service so is managed and patched by Microsoft. We use external third party tooling to assess when any application libraries are found to have vulnerabilities.
We use standard authentication mechanisms to identify a user and we restrict or allow access, to data based on a users role and need to access the data, in order to provide the service.
We implement password complexity rules to assure user passwords are strong.
Yes all access to remote services are secured and their use monitored.
Users are forced to change their passwords regularly. Changes to administrator accounts are monitored to warn against unexpected password changes.
Our system is deployed in Microsoft's Azure platform and is deployed in a way that we have separation of data and service. We take advantage of their inbuilt protection and have various controls that control access to our systems and data. We have monitoring and intruder detection software to assure that access to data is appropriate. We run regular internal vulnerability tests and address any issues found. Data is transmitted using secure TLS encryption.
All access to the corporate network is authenticated using standard authentication mechanisms. We utilise content filtering to prevent malicious content being introduced and we use detection software to identify unusual patterns of inbound or outbound access.
How do you assure staff security?
- We screen staff prior to employment
- Our Employment terms and conditions include responsibilities for data and information security
- Staff Induction includes a section on information and data security
We have an internal process for managing and reporting security incidents.
Staff access to systems is revoked immediately when an employee leaves the business.
We have tooling to identify attempts to compromise staff credentials and train staff to recognise common attacks.
We have access control on all of the doors that lead from communal areas. Access to the building is controlled through electronic passes on door locks and access gates. There is a reception at the main entrance which is staffed 24 hours a day with specialist security present. CCTV is present throughout the building. Additional security measures are present in areas containing access to data processing facilities.
How can I expect to access the system?
We host multiple instances of the application in multiple data centres, and use traffic management technology to direct traffic to the fastest responding service. We are able to deploy changes to the system without making the service unavailable so we expect to have very high availability.
We back up data through replication on to hard disks into separate data centres within the same country as the customer, so customers data is well protected from loss because of failure in our infrastructure. Consumers would not therefore need to take additional backups. The backups are secured using the same mechanism as the live data.
You can choose to allow users to use personal devices to access our systems, however, you should make clear in a data and systems policy what responsibilities they have. If you choose not to allow use of personal devices you will need to enforce this through a policy. BrightHR can be used from anywhere on any device and will require the user to log in with their user name and password. You need to ensure that your users are aware of the risk this poses and how to minimise that risk. If, for example, a user used BrightHR on their own computer or mobile device, left their account logged in, and did not lock their computer or device then someone you have not authorised to use the system could gain access. This is the same as any software as a service you allow a user to access from their own devices.
We have a business continuity plan and a business continuity location separate from our main offices. We practice attendance and operation from that site regularly.