What about GDPR?
The latest European legislation on data protection will come into force on May 25, 2018. Understandably, there are quite a few questions about how this affects your work with OPP. Our Data Protection Officer, Betsy Kendall, addresses some key points below.
I am a practitioner. How will you ensure my clients and colleagues are protected by GDPR?
We will be entering into Data Processing Agreements (DPAs) or Data Processing terms via our standard Terms of Business (Terms) with registered practitioners. In these, we set out our responsibilities as data processors to our customers as data controllers, and we confirm that we are compliant with the General Data Protection Regulation (GDPR). The DPA and/or Terms also provide information on our organizational and technical measures, transfers to third parties and ex- European Economic Area (EEA) transfers. If you wish to receive a DPA from us and have not done so by May 18, 2018, please email firstname.lastname@example.org and we will ensure one is emailed to you. Otherwise, the Terms will apply through our standard Terms of Business.
You generate reports that contain a lot of personal information. What do you do with those?
OPP holds a respondent’s data on OPPasessment for 18 months once you generate a report for that person, after which their data are fully anonymised. This has been our policy for many years and it reflects the general “shelf life” of psychometric data. Once anonymised, the information no longer contains personally identifiable data, and as such is outside the scope of the GDPR. Should you need to retain respondent data for longer than 18 months, you should download the reports and store them in your own secure files.
OPP uses anonymised respondent data for research purposes, such as to check the reliability and validity of its assessments. As part of the process of taking assessments, respondents are invited to complete a number of purely optional biographical questions, such as age, employment status, and level in their organisation. These data allow further analyses/research to be conducted. Within these optional biographical questions, we also ask about the ethnicity of the respondent. Ethnicity is special category data, and GDPR requires that we obtain explicit consent to collect and process this data, which we do. There is no impact on respondents choosing not to complete this question or the other biographical questions, and this is made clear to them within the Privacy Notice presented prior to them taking the assessment.
OPP sends respondent data to its parent company (CPP, Inc.) for scoring and report generation. CPP is located in the USA. To comply with GDPR, OPP and CPP have signed Standard Contractual Clauses (model contract) to protect personal data. CPP is also certified under the US/EU Privacy Shield certification programme.
I’m a practitioner, what are my responsibilities under GDPR?
As a data controller/processor yourself (whether you are a sole trader or employed by an organisation), you should ensure you are compliant under GDPR. If you or your organisation are not already registered with the ICO (the Information Commissioner’s Office, the UK data protection supervisory authority) you should ensure the ICO self-assessment questionnaire is completed to see whether registration is needed. You should have your own data protection policies and procedures and must also set your own data retention policy and/or adhere to the retention periods set by the client organizations you work with, or the organisation that employs you.
As a practitioner you should ensure that you have sufficient knowledge of GDPR to ensure your use of our assessments is compliant. The Information Commissioner’s Office website is a great source of information, including recorded webinars that will get you on the right track.
How will you help practitioners ensure they are GDPR compliant?
As a data processor to you, OPP will assist practitioners (who will often be the data controllers) to meet the legitimate requests of their data subjects under GDPR. For instance, we can delete subject data (right of erasure/right to be forgotten), and we can provide access to the data we hold on respondents (subject access request).
If you want to find out more about OPP and GDPR, join our webinar on May 24 at 1.15pm.
OPP takes data protection and privacy matters seriously and we are committed to complying with the GDPR. Please see our Data Protection Statement for more information on the actions we are currently taking.