At Volcanic we have always taken data protection and cyber security very seriously.
Our GDPR journey started more than 12 months ago, when our extensive research revealed the wide-reaching implications the new regulations would have on the recruitment industry.
We understood early on that, while focusing on the compliance of our own platform and ensuring that we, as a vendor partner, are GDPR ready, we have a responsibility to all our clients to support their compliance too.
Following a full data protection impact assessment (DPIA) of our platform, carried out in accordance with the requirements of the GDPR, we took the platform back to design and development to produce new compliance modules built with the principles of privacy by design and privacy by default at their core.
We are committed to supporting the recruitment industry’s GDPR compliance.
The Data Protection Bill updates data protection laws in the UK, supplementing the General Data Protection Regulation (EU) 2016/679 (GDPR), implementing the EU Law Enforcement Directive, and extending data protection laws to areas which are not covered by the GDPR. It is intended to provide a comprehensive package to protect personal data.
The GDPR will replace the 1995 EU Data Protection Directive, strengthening the rights that EU individuals have over their data and creating a uniform data protection law across Europe.
The Data Protection Bill seeks to empower individuals to take control of their personal data and to support organisations with their lawful processing of personal data.
Volcanic is a data processor for its clients under the GDPR. We are committed to addressing EU data protection requirements and will comply with the applicable GDPR obligations of a data processor when they take effect on 25th May 2018.
The data processed via the Volcanic platform belongs to our clients. We will support all our clients in meeting their GDPR obligations.
As part of this commitment towards our clients and our own business, Volcanic has provided fully documented staff training on data privacy and the GDPR. This applies to every member of staff across the Volcanic business.
Third party audits
Volcanic is ISO 9001 accredited and is on track to achieve ISO 27001 accreditation in March 2018, making it the first recruitment technology supplier to do so. All ISO 27001 accredited businesses comply with the terms of the GDPR.
The audit covers internal governance, production operations, change management, data backups, and software development processes. It verifies that the appropriate controls and processes are in place and that they are operating as intended, in accordance with the related standards.
Volcanic has conducted a data protection impact assessment (DPIA) covering all areas of potential risk in the business, following extensive research into the terms, articles and recitals of the GDPR.
Volcanic has worked extensively with the Information Commissioner’s Office (ICO) to verify that our compliance measures and processes make appropriate provision for managing the risks to the personal data we store, and that they set out the respective risks and responsibilities of data controllers and data processors.
The ISO standard offers independent verification that our security practices meet a recognised standard. Furthermore, the programme is designed to cover the key elements of data processing and integrity, while maintaining auditing practices within our business and operational processes. Our procedures span the organisation, teams and functions that provide service or support to our clients on our platform:
Corporate governance: how we provide oversight of our business and people
Change management: how we make sure changes are tracked and properly reviewed
Access control and management: who has access to our platform operations and how this access is managed
Data redundancy and backup: how data is kept safe and stored in the event of adversity
What should you do?
You need to prepare for the GDPR as a data controller.
Audit your data and processes for data capture.
Review your process documentation.
Ensure you have a lawful basis for processing the data.
Take legal advice for guidance applicable to you and review the GDPR guidance on the ICO website.