In my capacity as the Kobas Data Protection Officer (DPO), I’m pleased to provide an update on our preparations for the EU GDPR enforcement deadline coming this May. We’ve recently tightened our data retention policies and will be implementing improvements over the coming weeks, so please read on to ensure your organisation is also prepared for the coming changes.
The executive summary is that by using Kobas for Staff Recruitment, Time & Attendance and HR, and using the Kobas Customer Loyalty and Email Marketing systems, your hospitality business will be fully GDPR compliant in these areas.
Kobas is registered with the ICO with reference ZA092346, and has always taken a keen interest in data protection, privacy and security assurance. All Kobas customer loyalty and staff recruitment web portal interactions require mandatory SSL HTTPS encryption, which we now provide free of charge in association with Let’s Encrypt. Sensitive HR record information, such as pay and bank details, is stored encrypted at rest in our databases.
All data exchanges with Kobas Cloud and the Kobas API also require HTTPS. The Kobas customer loyalty portals require a confirmed email opt-in consent loop before data may be used for marketing purposes, and our email marketing partner, Sign-Up.to, is a permission marketing only platform, which is also fully compliant.
The forthcoming General Data Protection Regulation (GDPR) will require some additional improvements to the Kobas Cloud HR and Customer Loyalty sections in order to comply with GDPR principle 5, “Storage Limitations”.
We have now defined our interpretation of “Personal Data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”. During February and March 2018 we shall implement the following changes, which we expect will satisfy our clients’ compliance commitments. Should additional changes be required before the compliance deadline of 28th May 2018, a further update announcement will be made.
Data Retention Changes 2018 Q1
On a daily basis, Kobas will automatically review Job Applicant and Former Staff records, and take the following actions:
- Any job applicant whose application process has received no notes or progression for more than 1 year will have their application automatically rejected and all sensitive personal information deleted.
- Personal information pertaining to staff who departed over 7 years ago will be automatically deleted.
In order to comply with the Right To Erasure (Right to be forgotten), we will add manual controls so that Kobas Cloud Administrators can delete job applicant and former staff records upon request.
Please be reassured that whenever we delete personal information like this, we will retain non-sensitive business information to ensure that historic reports and analysis are still useful. This means that metric information such as recruitment funnel analysis or historic operational profit comparisons will still be valid.
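The daily review described above, as an added illustration that is not Kobas's own code: a Python sweep that applies both retention rules to constructed sample records and erases by allow-list, so only non-sensitive fields needed for funnel and cost reports survive. The whole-day thresholds, the field names and the sample records are assumptions.

```python
from datetime import date

# Policy thresholds in whole days (an assumption about the vendor's implementation).
APPLICANT_INACTIVITY_DAYS = 365
FORMER_STAFF_RETENTION_DAYS = 7 * 365

# Allow-list (assumed) of non-sensitive fields kept for reporting; all else is erased.
RETAINED_FIELDS = {"id", "kind", "status", "stage", "source", "role", "venue",
                   "last_activity", "departed", "erased_on"}

def is_due_for_erasure(record, today):
    """The two daily rules; records already erased are skipped (idempotent)."""
    if record.get("erased_on"):
        return False
    if record["kind"] == "applicant":
        return (today - record["last_activity"]).days > APPLICANT_INACTIVITY_DAYS
    if record["kind"] == "former_staff":
        return (today - record["departed"]).days > FORMER_STAFF_RETENTION_DAYS
    return False

def erase_personal_data(record, today):
    """Drop every field outside the allow-list, reject a stale application, stamp the date."""
    for field in list(record):
        if field not in RETAINED_FIELDS:
            del record[field]
    if record["kind"] == "applicant":
        record["status"] = "rejected"
    record["erased_on"] = today

def daily_retention_sweep(records, today):
    """Run the review over all records; returns ids whose personal data was erased."""
    erased = []
    for record in records:
        if is_due_for_erasure(record, today):
            erase_personal_data(record, today)
            erased.append(record["id"])
    return erased

def sample_records():
    """Constructed sample data (not real Kobas records) exercising both rules."""
    return [
        {"id": 1, "kind": "applicant", "status": "interviewing", "stage": "interview", "source": "web",
         "role": "bartender", "venue": "A", "last_activity": date(2017, 1, 10),
         "name": "A. Example", "email": "a@example.com", "address": "1 High St"},
        {"id": 2, "kind": "applicant", "status": "new", "stage": "applied", "source": "web",
         "role": "chef", "venue": "B", "last_activity": date(2018, 1, 10), "name": "B. Example"},
        {"id": 3, "kind": "former_staff", "status": "left", "role": "manager", "venue": "A",
         "departed": date(2010, 1, 1), "name": "C. Example", "bank_details": "00-00-00", "pay": 25000},
        {"id": 4, "kind": "former_staff", "status": "left", "role": "server", "venue": "B",
         "departed": date(2015, 1, 1), "name": "E. Example", "pay": 18000},
    ]
```

Because erasure keeps only the allow-listed fields, a new column added to a record later is removed by default rather than silently retained.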
Data Access Changes 2018 Q1 – Kobas Cloud
In accordance with the rights of access and rectification, Kobas Cloud users will be able to see the personal data we hold on them. This includes information such as address and next of kin. Where sensible, we will offer the ability for an individual to maintain their own details. Additionally, Kobas Cloud users will be able to access their holiday, sickness, lateness and any other absence logs held about them.
Data Access Changes 2018 Q1 – Kobas Customer Loyalty
With its confirmed opt-in loop, transparency of data held, and per-venue email opt-in checkbox list, the Kobas Customer Loyalty Portal has always been compliant, with the rights of access and rectification built in. In order to comply with the right of erasure, it will become possible for a customer to close their account, at which point Kobas will destroy or anonymise their data as appropriate.