GDPR Frequently Asked Questions

GDPR approach

What are Security Watchdog doing to prepare for GDPR?

Because of the sensitivity of the data that Security Watchdog control and our adherence to the Data Protection laws in the EEA, Security Watchdog are already very well versed in the requirements of the GDPR and its associated controls. However Security Watchdog have taken a very serious approach to the GDPR and have assigned dedicated resources to ensuring our compliance, and to ensure that all systems maintain the highest level of adherence to the controls dictated by the GDPR.

Our aim is to ensure the Candidate data and their Rights over that data is protected.

- Security Watchdog have updated and detailed our data maps and information  centrally across all systems we maintain.
- Security Watchdog have engaged third party suppliers to ensure their adherence to the GDPR
- Security Watchdog are developing systems to become less manual in our processing of Subject Access Request
- Security Watchdog are minimising the amount and type of data we collect where possible to ‘shrink the data footprint’


Operational Information

Are all Security Watchdog staff trained in relation to Data Protection and Information Security and specifically the requirements of GDPR?

Yes, Security Watchdog Staff are intensively trained in Data Protection when joining Security Watchdog, and are required to pass mandatory training every year to maintain Security Watchdog's high standards. As of February 2018 all Staff have been trained in GDPR, and have attained the same high standard of pass grading. Security Watchdog will be enhancing existing support resources for all staff to further cement their understanding.

Has Security Watchdog Senior Management been involved in the implementation of GDPR?

Yes, the Security Watchdog Management team have contributed directly to the GDPR project in conjunction with the Capita Board, and are regularly updated, consulted, and involved in the GDPR project.

Have you designated a Data Protection Officer for your organisation, and how can we contact them?

Yes, Security Watchdog have a nominated DPO Jenny Coombs, jenny.coombs@capita.co.uk

Have you considered the impact of compensation claims as a result of GDPR related issues?

Yes, this has been incorporated into Security Watchdog's risk appetite and provisions have been made to ensure that claims can be financed.

Do Security Watchdog regularly review and update previously completed DPIA's?

Yes, DPIA's for all systems have been reviewed and are refreshed upon any significant change to the relevant system.

Does Security Watchdog have a Breach Notification process?

Yes, this forms a core part of Security Watchdog Incident management and is trained to all staff to follow.


Collection and transparency

With Security Watchdog acting as our data processor, do Security Watchdog maintain written records of processing for the Data Subjects?

Yes, Security Watchdog maintain documents indicating the processing activities that will be carried out per Data Subject, we can inform which checks have been carried out, and with whom those have been carried out by.

Do Security Watchdog use third parties to complete any processing activities? Who authorizes these processing activities?

Yes, part of the core Security Watchdog process is to verify Candidate information along.

Do Security Watchdog engage with other Data Processors without written consent from the data Controller?

No, Security Watchdog will only ever send information to Third parties with prior consent from the Data controller, either agreed at the start of the Client and our business relationship in contractual terms, or as and when data may be transferred overseas for the purpose of International checks.

Are these Third parties subject to the GDPR?

Yes, any data Security Watchdog do export to third parties is protected by contractual terms between Security Watchdog and the Third party which hold them to EU DPA as a Processor, after the 25th May these contractual terms will be extended to include the GDPR terms relevant to them as a processor as well.

Do Security Watchdog perform transfers of personal data across borders? If so, what processes are in place to restrict this data footprint?

Yes, with explicit Candidate consent and Client permission, specific Candidate data can be exported to be processed in the United States, China, Hong Kong, Malaysia, Singapore, and Australia where International Checking services are provided. The data transferred is specific to the request and is for the exclusive purpose of performing International checks on Candidates within said International areas.

 


Data Subject rights

Right to be Informed; Can Security Watchdog identify all of the processing activities that require explicit consent as the legal basis for processing the data subject’s personal data?

Yes, Candidate data is only collected from the Candidate using their explicitly granted Consent, and for the purposes of Pre-employment screening. The information relating to how, and who will process this data is provided within the Privacy statement, and within the Candidate Zones.

Right to Access; Can Security Watchdog provide Data Subjects with access to their personal data and supplementary information, and verify the lawfulness of the processing?

Yes, Data Subjects are able to a grant and control access to all relevant personal data that Security Watchdog hold through the Subject Access Request process. This process is tracked centrally within Security Watchdog Compliance teams, to adhere to the sensitive timelines dictated by the GDPR.

Right of Rectification, Restriction, or Erasure; Can Security Watchdog identify all of a Data subject's information within our systems, and then allow rectification, or removal of the said personal data?

Yes, Security Watchdog have Data dictionaries which map the locations where Candidate Personal data is stored, and have functions in place to allow this information to be rectified, or processing restricted, or removed, as required by the Data Subject (subject to Legislation restrictions)

Right of Data portability; Are Security Watchdog able to provide the Data Subjects personal data in a structured, commonly used and machine readable form?

Yes, Security Watchdog systems manage information transfer in common data formats (EXCEL/PDF/WORD). Security Watchdog also have a number of Encrypted transport mechanisms to secure data in transit.

Right to Object; Can Data subjects enact their Right to Object to be subject to Direct Marketing, for Research purposes?

Not applicable, Security Watchdog never process data for the purposes of Direct Marketing, or Research purposes.

Right to Object; Can data subjects request halting data processing where a legal task is required by Security Watchdog, but there are grounds relating to the Data subjects particular position?

Yes, through the SAR process we will manage these objections to ensure they are in line with the GDPR, we inform individuals of their right to object in our privacy notices. This is shown to the Candidate upon first engagement.

Rights related to automated decision making and profiling; Do Security Watchdog provide decisions made by automated processing?

No, this does not apply as Security Watchdog do not use automated processing decisions

Can Security Watchdog satisfy a Subject access request within 30 days of receipt?

Yes, Security Watchdog ensure that we satisfy our requirements for a GDP Subject Access Request within the timeframes dictated by the ICO.


Legal basis for processing and scope

Are Security Watchdog a processor or controller of data?

Security Watchdog is listed as a Processor for our clients.

What personal data do Security Watchdog process?

Depending on the requirements of the Data Controller (the Client) Security Watchdog as Processor may collect the following data types during vetting; Personal Contact information (including NI, Passport numbers), Personal Address information, Personal employment information, Personal Financial information, Personal Criminality Information, Personal Qualifications, Sanction History, Visa and Immigration statuses. Candidate data is mapped using a data dictionary per system, which allows visibility, edit, correction, withdrawal of consent and erasure.

Do Security Watchdog manage any “special category data” (known as  “sensitive personal data” or medical/health data, ethnic origin, etc.)?

No, Security Watchdog do not process "Special Category data".