EU GDPR at Personio

Dear customers,

As you know, a new EU-wide General Data Protection Regulation (EU GDPR) will come into force on the 25th of May 2018. We have already written about its impact on HR (German only) on our blog and in our guideline (German only) on data protection in human resources.

Naturally, for us as a software provider that processes highly sensitive employee data, the EU GDPR has further consequences. Since we have defined data protection as an integral part of our product strategy right from the start, we see the new regulation not so much as a restriction but rather as an opportunity to further expand this core competence. For this reason, we have been working for over a year to prepare Personio for the new regulation in technical, procedural and organizational terms.

In October we already gave an outlook on our measures in preparation for the EU GDPR on our blog. Today, I would like to take the opportunity to give you a detailed overview of the most important changes and corresponding examples:

Technical measures with the aim of “Privacy by default and design”

We have reviewed all our functions with regard to current data protection requirements and made various changes to make (pre-)settings more data protection friendly. These include, for example, a whitelisting of attributes submitted via our API, default private calendar invites for interviews and feedback talks, the possibility to centrally deactivate all reminder emails for your account, and the automated anonymization of applicant data.

Furthermore, we are implementing end-to-end encryption of particularly sensitive data and server-side encryption of your data and documents.

Increased data security in collaboration with experts

By integrating the services of Myra Security (according to the announcement of 22.12.2017), which also secures the servers of the German government, we protect your data against DDoS attacks (Distributed Denial of Service) and ensure high availability even in case of external attacks.

We are currently conducting a penetration test with the help of the experienced, BSI-certified provider Secuvera GmbH to examine our application and infrastructure for vulnerabilities and to close potential gaps for external attacks.

Improvement of availability – Relocation of our server infrastructure to AWS in Frankfurt

As part of the preparation for the EU GDPR, we also reviewed all subcontractors and questioned to what extent these partnerships enable a technically scalable and data protection-compliant setup in the long term. As you have surely noticed, there have been increasing server problems in recent months due to our strong growth, which have resulted in extended loading times and temporary unavailability of the system.

In order to ensure a stable provision of our service in the future with further growth and at the same time to better implement the requirements regarding data protection and IT security, we have decided to move our infrastructure to Amazon Web Services (AWS). Since the topic “Data Protection made in Germany” is very important to us, our server location remains in Frankfurt, despite the change of the hosting provider. More information about the future infrastructure is available here (English only).

Process improvements in customer service

In order to make customer service more data protection friendly, we take measures to prevent social engineering. In this process, you will be able to define employees entitled to receive support in Personio. These employees each receive a telephone PIN, which we ask for when they call support to ensure that your data is not passed on to unauthorized third parties.

You will be able to limit the access rights to your Personio account by our customer service.

All our employees who are in touch with customer data receive regular internal data protection training in order to be constantly sensitized to the subject of data protection.

As mentioned at the beginning, the issue of data protection is not only important for us due to the new EU GDPR, but has always been a core focus. Therefore, we will implement an Information Security Management System beyond the requirements of the EU GDPR and have it certified according to the globally recognized standard ISO/IEC 27001. We are preparing this in parallel to the preparations for the EU GDPR and plan to carry out the corresponding certification with TÜV Rheinland. Please find further information on the subject of data protection at Personio at (German only).

I hope I have given you a detailed overview. We will contact you in the coming weeks regarding further steps such as the conclusion of our updated contract for data processing as well as the technical and organizational measures.

Best regards,





Hanno Renner
CEO / Co-Founder

GDPR Roadmap Overview