It's all about People & Privacy
Thalento® has always been involved in providing a safe and secure data environment. That's why it was only a logical and minor step to become GDPR compliant.
Today Thalento® is committed to assisting all partners, customers & users in making their Thalento® data compliant with the upcoming European GDPR legislation from May 25th.
The main objective of GDPR (General Data Protection Regulation) is the compliant treatment of personal data and the safe and secure management and processing of all data as it is entered and stored on Thalento® Cloud.
We will take you through our already existing protection efforts, introduce you to our current GDPR implementation and offer you a preview of the future upgrades.
From the very beginning in 2011, Thalento® has taken privacy very seriously with several protection measures. We assure you that Thalento® highly values the protection of your data and that merely complying with the upcoming European legislation is not enough for us.
We are committed to implementing a series of additional security measures over the following months.
What already existed before GDPR?
Thalento® has always taken a variety of technical and security measures that guarantee the protection of your personal data, including:
- HTTPS:
The standard use of HTTPS has always been set up for a secure connection between your device(s) and Thalento® Cloud. Any and all connections and interactions with the Thalento® Cloud have always been secured.
- User rights:
We have set up several user types to safeguard the authorised use of personal data, thus eliminating the risk that somebody within a company without the appropriate rights has access to all or specific personal data.
- Data security:
On data security we installed a series of additional security layers:
- Secured hosting environment: Thalento® has a long and trusted relationship with the largest hosting partner in Belgium, one of the best in Europe. Frequent tests and security assessments are performed by Thalento® and occasionally by our clients.
- Password policy: We apply a complex password policy that includes password creation by a generator.
- Protection of our server: The protection of our server has been enhanced by securing or closing all unused ports and removing all features that are not needed for our services. We only install and operate the features required for our services.
- NDAs:
All partners, co-workers, contractors and advisors are required to sign Non-Disclosure Agreements prohibiting them from disclosing or leaking any data or confidential information that was made available to them.
- Handling of personal data by Thalento® employees:
We have procedures in place for all employees who handle any potential personal data, describing how to deal with and process personal data.
- Data minimisation:
We only request data that is strictly necessary for the correct and validated execution of our core business (personality & motivation assessments).
Which actions were added to be GDPR Compliant?
To be GDPR compliant we needed to develop and install a number of additional tools, technologies and features, such as:
- Updated privacy policies:
We needed to review and revise ALL existing privacy policies in ALL languages in order to make them fully compliant with GDPR. We have integrated a dynamic feature. This allows us to align our GDPR compliant privacy policies with any and all company or country specific additional requirements.
We have implemented the features to register and store these company or country specific privacy policies.
This was implemented for:
- The Thalento® Cloud: because we collect, use and store data for a variety of detailed assessments (personality, motivation, abilities and skills)
- The Thalento® website: because we collect, use and store data for marketing purposes
- Data Processing Agreements:
We have put in place detailed agreements with everybody who has access to data and uses data, with detailed procedures on how to process and handle personal data.
- Additional data security measures:
A series of additional data security measures have been implemented:
- Extra data encryption in the underlying dataset: As a result of this measure no personal data is visible in any underlying dataset; it is encoded by means of an additional algorithm.
- Security by design: For all future developments on the Thalento® Cloud and our assessments, new and additional protection measures are implemented.
- Data Breach Plan: A detailed plan encompassing procedures and a communication plan for dealing with breaches is in place. This comes into effect in the event of a data leak. It includes, amongst others, which steps are taken, who gets contacted, which communications are released, etc.
- All exports checked for personal data: A new and improved security process for any and all data at rest and data in transit has been installed. E.g. only the necessary data is added to an export for marketing purposes (data at rest). Internal sharing of the approved data will be secured through SharePoint instead of email (data in transit).
- Extra user & participant management features:
Thalento® Cloud users and participants (candidates & employees) will have the possibility to completely delete their data from our underlying dataset. They will also have the ability to set a specific retention period for keeping their personal data in-house.
- Consent management:
In order to process certain data (e.g. health data or photo material for marketing purposes), explicit permission from the data owners is required. The data owners will also have the possibility to withdraw their permission at any time.
- Access to and handling of personal data by Thalento® staff & partners:
We have documented the process on how to handle and process personal data. Thalento® already applied a strict policy for anybody involved with data, but this implicit procedure has now been formalised in a written procedure.
- Assigning a Data Protection Officer (DPO):
We have appointed a DPO who is of service to all our stakeholders and will gladly help you out with all your privacy (GDPR) questions or specific requests. Please contact our DPO at firstname.lastname@example.org.
What will Thalento® add over the coming months?
Being GDPR compliant is not enough for us! We are committed to integrating additional steps in order to make our Thalento® Cloud as secure as possible over the upcoming months. Here’s what we have lined up for you in the future.
- Even more data security measures:
- State-of-the-art password policy: We will implement two-factor authentication (2FA). When creating a new account, the login details will be sent using different channels, thus reducing the risk of a potential security breach, e.g. the username sent via email and the password through text message.
- No personal data in mailings: An automated mail will tell you that new results are available or that a participant has completed an assessment in Thalento® Cloud. This replaces the current procedure, where we inform you that person X or Y has filled in questionnaire A, B or C. This way NO personal data will be shared via email.
- External audits: We had already established a policy of periodic external audits, and Thalento® passed those with relative comfort and ease. We will however upgrade the procedure and the frequency to enhance our performance and increase the opportunity to reach optimal security.
- Participant zone:
We are in the process of creating a dedicated Participant (Applicant/Employee) zone in Thalento® Cloud. This will enable all participants to access and verify their personal data at any time.
Fulfilling our commitments to protect your data is important to us, and we are glad to assist you in aligning and optimising all changes required to bring your Thalento® Cloud towards GDPR compliance.
If you have any additional questions about how we collect, manage and store your company specific personal data within the Thalento® Cloud, do not hesitate to contact us. We are at your service to assist you.
The Thalento® Team