GDPR

GDPR POLICY

COMPANY INFORMATION

 
GDPR Responsible Contact: Chris Hyde
Company Name: Headhunter Group Limited
Address: Lancaster House, Amy Johnson Way, Blackpool FY4 2RP
Policy Date: 04/04/18
Policy Revision: 1.0
Policy review date: 04/10/18

This GDPR policy covers the following:

  1. Identified Areas of Sensitive Data table
    1a. Notes relating to the sensitive data
  2. Security considerations
    2a. Comms and Broadband
    2b. AntiVirus
    2c. Password Policies
    2d. Cyber Essentials
  3. Right to delete and retention
  4. Staff and training
  5. Breach conditions and procedure

1.    IDENTIFIED AREAS OF SENSITIVE DATA

 
| Data | Location | Risk | Access | Protection | Right to Delete |
| Sage Data | Local Sage | Low | Claire Davies (accounts) | Physical + Encryption | No |
| Customer information | Web based Recruit so Simple | Low | Limited access for staff; Chris Hyde Administrator | Password & 6 monthly change | Yes, unless contracted |
| Candidate information | Web based Recruit so Simple | High | Limited access for staff; Chris Hyde Administrator | Password & 6 monthly change | Yes, unless contracted |
| Email | Cloud based | Medium | Individual access or associated groups | Encryption + separate to logon passwords | Yes |
| Online Backups | Cloud based | Low | Convene IT Ltd | Encryption | No |
| Physical Files | Local | Low | Very limited physical files | Physical | No |

 

1A. NOTES RELATING TO ABOVE TABLE

 
Sage Data: Company accounts information, no personal information held
Customer information: Business to Business details only; contacts relate to the company and are work contact details
Candidate information: CVs and associated data, right to delete unless placed by headhunter
Email: Sensitive emails are sent via Recruit so Simple; the audit trail can be found there
Online Backups: Encrypted online backups, keys held with Convene
Physical Files: Few physical files; shredder in place when required

 

2.    SECURITY

 

2A BROADBAND/COMMUNICATIONS

 
Broadband Connection: Leased Line, provided by business first
Router/Firewall: Supplied by business first
Open Ports: Convene have remote access for support reasons
  

2B ANTIVIRUS

 
Server Antivirus: Eset Endpoint Protection
Client Antivirus: Eset Endpoint Protection & USB Lockdown
  

2C PASSWORD POLICIES

 
User Passwords: 6 monthly prompt to change
Email Passwords: 6 monthly prompt to change
  

2D CYBER ESSENTIALS

Qualification: Cyber Essentials has been looked into and will be reviewed

 

3.    RIGHT TO DELETE AND DATA RETENTION

 

| TYPES OF DATA HEADHUNTER GROUP HOLDS | RETENTION PERIOD |
| Candidate address, email data, phone & CV | Candidate data is held for as long as individuals are happy for us to do so. This is for the sole purpose of keeping them alerted to new job opportunities. Every 6 months our whole database will be emailed asking if they wish to remain on our database. If they choose to stay on the database we will action this. All of our email correspondence also offers the option to unsubscribe from receiving emails from us. We can also delete any individual from our system at their direct request. |
| Customer information | Customer data is held while we work with the customer |
| Staff Payroll information | Gaffney’s accountants run payroll |

INFORMATION REQUEST

 
Candidate address, email data, phone & CV: Anyone can request information we hold at any time
Customer information: Anyone can request information we hold at any time
Staff Payroll information: Anyone can request information we hold at any time

 

4.    STAFF TRAINING

 

| AREAS OF RISK | TRAINING PROVIDED |
| Handling of sensitive information | In-house training is provided to staff, explaining the importance of how we work with data and how we keep this data secure |
| Information we are allowed to keep | We keep only data relevant to the candidate or client that helps with recruitment. We also purge this data frequently to ensure we are only holding relevant information |
| Staff understanding | We ask staff to speak with line managers if they are not sure of any areas |

 

5.    BREACH CONDITIONS AND REPORTING

 

| BREACH CONDITIONS | REPORTING |
| External data hack | In the unlikely event of a data breach, Headhunter Group has strict procedures in place to report this to customers and the ICO within 72 hours of discovery. |
| Internal data breach | If a data breach were caused by a staff member, we would again report it within 30 days and also find ways of limiting this type of breach in future |
| Customer breach which would affect Headhunter Group | If we find any of our customers have experienced a data protection issue, we would check whether this has any impact on the data we hold for them or with them |

This policy aims to comply with GDPR. We will review it in 6 months’ time, or sooner if any of these conditions or areas of risk change.

We are always looking at ways to secure data and limit any risk of exposure.

 

I confirm that all the details provided above are true and we constantly strive to improve and move forward with compliance.