Privacy Policy

Data Protection Policies – Native Gravity

GDPR Procedure Manual

This plan aims to outline how Native Gravity Recruitment LTD aim to:

  • Adhere to GDPR legislation
  • Audit GDPR legislation
  • Maintain compliance with legislation

The procedure manual aims to cover all aspects of how GDPR will impact Native Gravity Recruitment LTD and how Native Gravity Recruitment LTD aim to:

  • Obtain data on subject matters
  • Control access to data on subject matters
  • Store data on subject matters
  • Delete access on subject matters

About Native Gravity

Native Gravity Recruitment LTD is a recruitment company which specialises in offering support and recruitment related services. They are located in Central London and have international reach.

Native Gravity Recruitment LTD was founded in April 2017. It is a private limited company (LTD), which indicates that Native Gravity Recruitment LTD is an independent company whose shares are not traded on a stock exchange. The company registration number is 10660641.

Key Terms

Data Subject

This is the subject who has data stored on them and can include candidates, clients and employees. This data will involve identifying factors such as name, date of birth and email for example.

Data processor

The data processor is the person, group or system which collects and processes data, often storing it.

Data Controller

The data controller is the person, group or system which controls access to data. This can include limiting or restricting certain data to other groups, individuals or the public.

IR35

IR35 is tax legislation that is designed to combat tax avoidance by workers supplying their services to clients via an intermediary, such as a limited company, but who would be an employee if the intermediary was not used. Such workers are called 'disguised employ


GDPR

GDPR stands for the General Data Protection Regulation, imposed by the European Union to give people greater autonomy over data held on them, including the need for consent and the ability to be forgotten. It also requires businesses to ensure that the systems which collect and store data are secure.

Native Gravity Recruitment LTD aims to comply with the applicable GDPR regulations as a data processor and controller. Working alongside its employees, clients, candidates and suppliers it will comply when the GDPR legislation takes effect on 25th May 2018.

Native Gravity Recruitment LTD uses Third Party suppliers and software to process, control and manage data. These systems have been audited in line with GDPR commitments and are outlined below. In the context of this statement, data subject refers to the person or entity submitting data and can include employees, candidates, clients and other individuals or organisations that Native Gravity Recruitment LTD work with.

Data Collection

Native Gravity Recruitment LTD advertise opportunities and placements publicly and people submit their information freely. Data collection and processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract. The contract a data subject enters will entail Native Gravity Recruitment LTD's Terms and Conditions, which are made available to them in the signed contract, on the website and by request. The Company also has a disclaimer on all job advertisements that data submitted can be used for both current and future opportunities. By submitting data, the data subject agrees that this data can be processed and stored. We would obtain consent to process and store personal data including but not limited to name, email and mobile number. This data is necessary to ensure the data subject is suitable for engagement, including but not limited to placements Native Gravity Recruitment LTD advertise, business opportunities with Native Gravity Recruitment LTD and other reasons for communication. Native Gravity Recruitment LTD reserve the right to contact data subjects who have submitted this data both upon submission and in the future to ensure data is accurate.

Data Retention

Native Gravity Recruitment LTD would keep data on file for a period of 10 years unless otherwise stipulated. Data would be hard erased after this time unless the data subject requests otherwise. Data subjects have the right to request personal data on them in a portable format. Data subjects must request their data by phone, email or letter stipulating what data they would like access to, and this will be processed within 1 week. We would send confirmation of this either by email or letter (whichever is most appropriate). If data has been deleted, erased or is otherwise irretrievable, the subject will also be informed of this.

Data Deletion & Destruction

Native Gravity Recruitment LTD aims to keep data on file for a period of 10 years unless otherwise stipulated. Data would be hard erased after this time unless the subject of the data requests otherwise or has been engaged with during this time and data on them is necessary for archiving purposes in the public interest. Subjects of data have the right to be forgotten and erased from records upon request. Subjects must request their data by phone, email or letter stipulating what data they would like erased and this will be processed within 1 week. We would send confirmation of this either by email or letter.  Data would be destroyed securely and confidentially.

Data Portability

GDPR places certain requirements on data controllers for the portability of personal data. The data stored on our ATS and database is controlled by the Company. Native Gravity Recruitment LTD permit the portability of data on mobile devices like mobiles or laptops, as well as advocating home working, under restrictions and/or limitations. This is also for the benefit of data subjects. Access to this data can be terminated or limited as and when necessary to prevent data breaches or leaks. Every reasonable step is taken to ensure that Native Gravity Recruitment LTD data accessed outside the network is secure.

Data Protection Principles

Principle 1

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

a) at least one of the conditions in Schedule 2 is met, and

b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Upon employment with Native Gravity Recruitment LTD you will be notified where your data is stored and how Employees can access this. This is stipulated within the Employee Handbook.

The Contract of Employment and the Handbook contain a number of references to data confidentiality, privacy and security. These are read and signed by Employees upon induction. This is to protect data integrity and security.

Processing is managed and maintained by a select group of users and the Employee themselves. Data submitted is accessible by the Employee, while they also have the ability to amend this where necessary. Data processing is necessary for new or leaving staff internally, as well as business function in recruitment.

Consent is required to process personal data and Native Gravity Recruitment LTD will be unable to assist without such. Internally Employees will need to submit personal data regarding their name, address, email and banking details. This is in order to ensure our records are up to date, we can maintain communication and in order to credit Employees with their wage.

Externally applicants will need to consent to having their data logged on Native Gravity Recruitment LTD database and this is necessary to find them a position or to satisfy a role. Personal data such as name, email, phone number and address are intrinsic to the employment process and to maintain communication. Personal data will be processed and stored for future reference as well even if the candidate doesn’t meet the requirements of the role or is not suited to it, and this is to ensure they can be placed at other roles or placements.

Data withheld at any stage may affect Native Gravity Recruitment LTD's ability to maintain data integrity and relevancy. For external candidates, it may affect their ability to be found for roles in the database and their job search. Data subjects need to request for their data to be withdrawn if they do not want it kept on the database.

Principle 2

Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.

Personal data is used for business function, including internally with regards to new users and leavers of the business, as well as externally and the main business function of recruitment.

Internally, personal data obtained is necessary for communication regarding employment, including letters and bank payments. It would also contain medical information or information on disabilities in order to ensure Native Gravity Recruitment LTD can accommodate its staff without risk posed to them. Internal information is only used for these purposes and not passed to Third Parties unless consent is provided (such as in the case of joining the Native Gravity Recruitment LTD Insurance Scheme).

Externally and in the Recruitment Process (see below), information is required to ascertain the candidate's name, current job, salary expectations and work history to determine their suitability for the role. Native Gravity Recruitment LTD would also obtain the candidate's address in order to see whether they are proximate to their job posting and again to ascertain their suitability for the role. This data is not passed to Third Parties without consent; for example, CVs will not be submitted unless the candidate has agreed beforehand.

Principle 3

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Personal data is used for business function, including internally with regards to new users and leavers of the business, as well as externally and the main business function of recruitment.

Internally, the personal data collected is pertinent to the Employee's employment, health and wellbeing. This includes data on their address, banking information and absence within the company. Native Gravity Recruitment LTD would not consider this excessive as it is necessary for an Employee's contract and in order to maintain their wellbeing. Data such as religion or sexual orientation, otherwise considered excessive, is not required.

Externally, personal data collected is required for employment and placement opportunities. Data on the candidates and clients including salary, location and work history is very important. Data collected is not excessive for the purpose of employment and necessary for compliance, such as VISA or passports, or IR35 legislation.

Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

The onus of ensuring data is kept up to date is put on the Employee. They have access to an online portal where they can amend their personal details, including bank details and address. They are responsible for ensuring this is up to date and relevant; they also have the ability to not populate information.

Employees are also responsible as part of their job and training to update data on the system and discriminate data where possible, such as what is necessary and what is not. Any data that has not been used or no longer needed will be deleted and this is to ensure data is accurate and secure.

Principle 5

Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.

Native Gravity Recruitment LTD will aim to keep data no longer than ten years (often for financial records). Anything beyond this point will be deleted unless otherwise stipulated by the data subject. This data is kept for the purpose of financial or legal records, but as soon as it is no longer required, it will be hard deleted from the system.

Native Gravity Recruitment LTD Employees have the ability to amend and delete their data to a degree, and they can request for data to be deleted (right to be forgotten) before this point provided it is not needed.

In regards to the business model, personal data is processed in order to seek employment for candidates and fill placements for clients. With this in mind data is kept for the purpose of filling these positions and in order to keep records of previous placements and fees. This is important for Native Gravity Recruitment LTD business function and records.

Principle 6

Personal data shall be processed in accordance with the rights of data subjects under this Act.

In order to ensure data will be processed in accordance with legislation and the rights of data subjects, Native Gravity Recruitment LTD has stringent controls over personal data.

Internally, access to personal information is limited to directors and the Human Resources Department (including Accounts). The data subject (Employee) can access data on themselves via their own online portal. Access to this portal can be limited based on the needs of Native Gravity Recruitment LTD.

Externally, data processed by Employees in reference to candidates or client data is also processed in accordance with the rights of the data subject. Where possible, data is obtained from candidate CVs and from data given obligingly over the phone or by email. This is documented on the database and is auditable.

Principle 7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Principle 8

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Systems and Software

Native Gravity Recruitment LTD use IT and software for its core business function including communication, marketing and cash flow. This data is stored on independent systems which have been audited and reviewed against GDPR legislation.

Emails

| Part | Responsibility and Details |
| --- | --- |
| Hosting Provider | Microsoft Exchange Server |
| Who manages this? | Keybridge IT Solutions |
| In house or hosted | In house |
| What is it stored on? | In house server |
| Where is this stored? | Stored on the in-house server in London Office. |
| Is this backed up? If so, how regularly? | Yes, every night |
| Where is this backed up? | This is backed up in the cloud; this backup is based in the UK |
| Who has access to the backup? | Native Gravity Recruitment LTD can request access to this. Keybridge IT Solutions manage this. |
| Is it secure and encrypted? | Yes |
| Who has access to this and what do they have access to? | Employees have access to their own email accounts which they manage. Managers and directors may have emails from their employees or people who have left. |
| How is data controlled? | Access to emails is determined by Native Gravity Recruitment LTD and executed by Keybridge IT Solutions who administer the email solution. |
| How do you terminate or prevent access? | Native Gravity Recruitment LTD advise if access needs to be limited or revoked. Keybridge IT Solutions manage this and will terminate access when requested. |

Database

Bullhorn are our Recruitment Database (ATS) System.  It is hosted and accessible online. It is responsible for holding sensitive information on contracts, candidates and clients.

Supplier Details

Hosting Provider

Bullhorn, hosted by Salesforce

Who manages this?

Bullhorn

Who has access to this?

Bullhorn Employees. Only a few Bullhorn employees are authorized to access customer data, and they only can do so through a limited access point bridging the platform and infrastructure layers.

In house or hosted

Hosted online, based on in house servers based in the UK. 

What is it stored on?

Stored on in house servers that are part of Salesforce.

Where is this stored?

Hosted online, based on in house servers in the UK. Their servers are housed in purpose built, multi-million-pound data centers in the U.K. These are specifically UK only data centers and provide full redundancy across two geographically separate sites. Bullhorn uses three geographically separate colocation data centers. CenturyLink facilities are located in Boston (Waltham), Massachusetts and Slough, United Kingdom. The Switch SUPERNAP facility is located in Las Vegas, Nevada. Their data center partners cover the physical security procedures including network provider redundancy, power/electrical redundancy and failover, HVAC, fire suppression, and physical access control. Our facilities have accredited certifications and operate at or above industry standards.

Is this backed up? If so how regularly

Should the primary database server fail, the backup database server takes over as the primary and assumes all traffic. Once the failed server is brought back online, it becomes the backup database server.

Differential backups are taken nightly, transaction-log backups are taken every 30 minutes, and full-tape database backups are taken weekly, encrypted, and stored at a secure offsite facility.

Where is this backed up?

Backup to Server.

Bullhorn partners with CenturyLink and Switch, who together provide a network of state-of-the-art data centers in the U.S. and UK that are SSAE16 compliant.

Who has access to back up?

Bullhorn Employees. They do not download or store any client data on their internal infrastructure, all data is held on Bullhorn’s servers located at their data centre. Data is encrypted at rest.

Printed confidential information of which there is little to none is disposed of in secure Shred-It bins for disposal through a third party organisation.

No client data is transported from their offices. If data needs to be migrated away then this is stored on a secured drive and encrypted.

Is it secure and encrypted?

Bullhorn provides exceptional levels of protection against hackers, beginning with firewalls that prevent unauthorized outside access. To protect customer data and communications traveling across the internet, Bullhorn leverages the strongest encryption products available today, including 128-bit Geotrust Transport Layer Security (TLS) Certification and 1024-Bit RSA public keys.

To access Bullhorn, users must have a valid username and password combination. During transmission, username and password combinations are encrypted with TLS protocols, and an encrypted session ID cookie is used to uniquely identify each user.

The server facility is physically protected 24 x 7 by on-site security guards. Only authorized data-centre staff have physical access to the data halls and servers.

Can you do a hard delete of records (disappear from the system AND backups?)


Do you train your employees and staff on GDPR and compliance?

Yes, they train staff on data quality and management.

Certifications

SSAE 16 audit

Privacy Shield Framework


Internal Processing

Who has access to this and what do they have access to?

Employees have access to their own login accounts which they manage, as well as access to the database in order to source candidates. They would have access to all data put on Bullhorn. Directors may have admin level in order to do more on the system. 

Bullhorn provides all the tools, processes, and access control level (ACL) capabilities needed to allow, restrict, and deny employee access to specific data and functions.

How is data controlled?

Access to Bullhorn is determined by management and executed by Native Gravity Recruitment LTD who administer Bullhorn. Data can be controlled by IP or by day.

How do you terminate or prevent access?

Management advise if access needs to be limited or revoked. Keybridge IT Solutions can revoke email access and Native Gravity Recruitment LTD manage Bullhorn access, and will terminate access when requested.


Telephony and VOIP

Native Gravity Recruitment LTD use CloudCall for telephony and VOIP, which is not a physical handset or in-house phone system. CloudCall uses the internet line to make and receive calls. Calls are recorded via CloudCall and put onto Bullhorn. CloudCall can be used on a mobile via the CloudCall app. Access to CloudCall and the app is conditional and based on correct passwords.

There is a disclaimer before calls to the company that calls may be recorded for training and quality management. The retention period for these calls is 12 months.

The recorded calls are stored on CloudCall servers.

Auditing Data

Native Gravity Recruitment Ltd use IT and telecommunications as a core function of the business, including internet or web-based applications.

Consent

Native Gravity Recruitment Ltd use a VOIP system called CloudCall which will use softphone applications on the PC.

CRM / Database

Native Gravity Recruitment Ltd use a CRM system called Bullhorn for all recruitment purposes. Deals and engagements are logged on this system and this is how behavior and work is monitored and tracked.

Internal Policies

Native Gravity Recruitment LTD take data privacy and breaches very seriously which is why it is engrained in their induction, culture and training. Employees are subject to Terms and Conditions upon employment and this means they are bound by data privacy laws and regulations, including but not limited to data privacy, data confidentiality and more.

Data Privacy and Confidentiality

The Native Gravity recruitment team will focus on mid to senior level roles, supporting the Directors. They will focus on building networks and intelligence. They will often view things from the candidate viewpoint.

The Research team will also train users on Bullhorn upon induction to ensure they make the most out of Bullhorn and use it accordingly. They might teach some tricks or shortcuts to improve efficiency.

Non-Disclosure

Employees sign a non-disclosure agreement.

Accuracy Policy

Employees are responsible for updating personal data on themselves as and when circumstances change. They are liable if data is incorrect.

Data on employees is stored on the shared drive under HR > Staff File.

Data on New Users

When someone is hired the following needs to be collected from them:

  • References
  • CV
  • Offer letter
  • Contract of employment
  • Personal data form
  • Passport
  • VISA
  • Health declaration
  • Remuneration

Further information on their personal file will be

  • Changes to address
  • Performance reviews
  • Pay reviews

What they can see

Employees can see records on their employment at Native Gravity Recruitment LTD including Contract of Employment, Offer Letters, Pay Reviews and more. All details on their employment are accessible from the HR folder.

Directors will be able to go into other records on their employees, including the same as above. Access is limited to permissions on the system. No one can view another person’s personal file unless they are director level (super admin).

Data Accuracy

Data is accurate and is the responsibility of the Employee to update this. They can easily do this by logging into the HR folder and amending the details where they see fit.  Employees can see records on their employment at Native Gravity Recruitment LTD including Contract of Employment, Offer Letters, Pay Reviews, etc.

Security of Data

Data can only be viewed by employees who have permission to do so, but they have access to data on themselves.

Leavers

When someone has left the business, the following is carried out:

  • Bullhorn login revoked
  • Cancel LinkedIn Subscription
  • Keybridge IT will terminate emails
  • Get keys and fob


Marketing Process

The marketing process is comprised of all aspects of advertising, sales and website. The consultants work on this process in order to post jobs, however the website, SEO and campaigns are worked on by the Digital Marketing Manager. 

Obtaining Consent

Volcanic

Volcanic is our website provider and has multi-posting technology software which integrates into Bullhorn. It permits CV parsing into Bullhorn.

To post a job on our website the consultant first needs to make the advert on Bullhorn. They should ensure the detail is correct including job role, salary and location. They would obtain this information from the client, alongside job roles and responsibilities.

Maintaining or Changing Consent

Once a job post has been submitted, you cannot change this. In order to amend it you need to go to the backend website to change details. To do this, go to the website and log in with the admin credentials.