We’re committed to helping Covey customers and users understand, and where applicable, comply with the General Data Protection Regulation (GDPR). You can make a GDPR data request by filling out the form here.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive EU data privacy and protection legal framework that applies across the EU member states and the other countries of the European Economic Area (“EEA”). The GDPR lays out specific requirements for businesses and organizations that are established in Europe or that offer goods or services to, or monitor the behaviour of, individuals in Europe. It was adopted by the European Parliament and the Council in 2016 to replace the 1995 EU Data Protection Directive, and became applicable on May 25, 2018.
Why is the GDPR important?
The GDPR regulates how businesses may collect, use, share, store, and otherwise process personal data; builds on existing documentation and reporting requirements to increase accountability; and authorizes substantial fines (up to the higher of €20 million or 4% of worldwide annual turnover for the most serious infringements) on businesses that fail to meet its requirements. At Covey, we support initiatives that improve and prioritize the security, protection, and privacy of customer personal data, and want you to feel confident using our services in light of GDPR requirements.
Helpful definitions of GDPR roles and terms:
Here is how Covey views the roles of data controller and data processor that organizations take on (note that many companies qualify as both, depending on the data processing activity and the relationship of the parties):
- Data Controller (Controller): A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processor (Processor): A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
- Personal data and data subject: Any information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, for example by a name, an identification number, location data, or an online identifier.
- Customer Data: Data produced and stored in the day-to-day operations of running your business.
A summary of key GDPR requirements:
- Companies that process personal data must process it in a lawful, fair and transparent manner, on a valid legal basis.
- Companies must limit processing to the stated purposes, collect only the data that is necessary for those purposes, and not keep personal data once the processing purpose has been fulfilled.
- Data subjects have the right to ask a company what information it holds about them and what the company does with that information. In addition, a data subject has the right to ask for correction, to object to processing, to lodge a complaint with a supervisory authority, and to ask for the deletion or transfer (portability) of his or her personal data.
- Where processing relies on consent as its legal basis, that consent must be freely given, specific, informed and unambiguous, and obtained by a clear affirmative action. Once collected, the consent must be documented, and the data subject may withdraw it at any time, as easily as it was given.
- Organisations must document personal data breaches (a breach register) and, where a breach is likely to result in a risk to individuals, notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
- Companies must build organisational and technical mechanisms for protecting personal data into the design of new systems and processes (data protection by design), and the default settings of those systems must protect privacy (data protection by default).
- The controller remains accountable for ensuring that personal data is protected and that GDPR requirements are respected, even when processing is carried out by a third-party processor; the controller must bind the processor by a written contract.
- Where an organisation's core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (or the organisation is a public authority), it must appoint a Data Protection Officer. The Data Protection Officer is responsible for advising the organisation on compliance with GDPR requirements and acts as the contact point for the supervisory authority.
- Organisations must make employees aware of the key GDPR requirements and conduct regular training to ensure that employees remain aware of their responsibilities.
Covey’s services to help address customer obligations under data protection laws like GDPR include:
- A strong commitment to both technical and organizational security measures.
- Features that support handling data subject requests, such as requests for access, correction, or erasure, by allowing access to and modification of any personal data Covey maintains. Individuals who would like to request deletion of their personal data, whether customers or end users, can fill out this form.
- A Data Processing Agreement (DPA) in accordance with the GDPR’s privacy and security requirements for customers who process personal data of candidates located in the EEA.
- Policies and timeframes for breach notification, based on severity, which can be found in our MSA and meet industry standards.