QX is proud to be the first recruitment process outsourcing company in India to be GDPR-compliant. Our delivery centres met the requirements of GDPR on 26 April 2018 via the British Standards Institution's BS 10012:2017 framework.
What is BS10012:2017 Personal Information Management System?
BS 10012:2017 is the British standard which sets out the requirements for a personal information management system. It aligns with the principles of the European General Data Protection Regulation (EU GDPR), outlining the core requirements organizations need to consider when collecting, storing, processing, retaining or disposing of personal records related to individuals.
Why is a GDPR compliant outsourcing partner important for you?
GDPR impacts data controllers and data processors alike, making it imperative for outsourcing companies to ensure that their data processing activities are carried out in accordance with the data protection principles set out in the GDPR. Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances.
GDPR article 28 “Requirements of a Data Processor” mandates that a data controller shall use only those processors that provide sufficient guarantees to implement appropriate technical and organisational measures.
Being one of the UK's leading suppliers of recruitment process, payroll and accounting services, we were committed to implementing the GDPR by 25 May 2018. Our team worked hard to ensure that our clients and our businesses were prepared for GDPR before the deadline, and certification against the BS 10012:2017 compliance framework validates the measures we have taken to ensure the security, confidentiality and availability of our customer data.
QX was audited by the British Standards Institution (BSI), a service organisation that produces standards across a wide variety of industry sectors. We are incredibly proud to have cleared the audit on 26 April 2018, a month before the deadline! The certificate is valid for 3 years.
After the audit, BSI auditors remarked: "At this stage, where most companies have just started their GDPR journey, such a mature and well-drafted framework at QX is proof of how far ahead you are in the game. We had a difficult time finding a flaw in your system. The level of competency of people, the detailing of documentation and the involvement of people are commendable. It was a learning experience for us too, and we wish you all the best for the future."
How did we become GDPR compliant?
We built incrementally on our existing internal security processes and procedures (ISO 27001) to ensure we meet the accountability principles under the GDPR requirements. We periodically assessed and analysed our systems and processes to ensure rock-solid data security.
- We appointed a DPO and formed a cross-functional team of data protection specialists across QX to specifically analyse and address the new requirements of GDPR.
- We set up an official 72-hour breach response plan that adheres to GDPR and put DPIA (Data Protection Impact Analysis) policies in place to assess and mitigate any existing risks. Our internal audit programme ensured that QXRS was in compliance with GDPR.
- We offered all our clients a data processing addendum to our business contracts, which allowed them to continue to work with QX without interruption. We have been working very closely with our clients and have Data Protection Agreements (DPAs) in place with them based on the ICO (Information Commissioner's Office) guidelines. This includes:
  - We have adequate levels of data protection controls in place for the transfer and processing of data
  - We only process personal data on documented instructions from our clients
  - We have a process which anonymises and encrypts data
  - We securely delete data after the required retention period
  - We have processes in place for notifying the supervisory authority in case of a data breach
- We have conducted numerous GDPR awareness workshops so that all of our new and existing employees know how to handle personal data here at QX. All senior-level staff have now undergone training to ensure they carry out a DPIA at the early stages of any project that involves personal data.
As the first GDPR-compliant recruitment outsourcing company in India, we want our clients to be confident in knowing that we have taken all the necessary steps not only to keep their data secure but also to collect and hold only what is required.