At Highwire, the success of our partners and the protection of their personal data is our top priority. With customers in countries all over the world, Highwire takes a truly international approach to data privacy. Highwire is regularly audited by independent third parties against exacting criteria, and our information security management system has been certified against ISO/IEC 27001 (by an accredited certification body; ISO itself does not issue certificates) since 2016.
On 25 May 2018, the European Union began enforcing a groundbreaking legal framework called the General Data Protection Regulation (GDPR), which empowers individuals and strengthens their privacy rights by imposing strict obligations on companies that handle their data. Highwire's early commitment to ISO 27001 put us in a strong position to quickly and effectively review and enhance the Highwire application and our internal processes, policies, and controls to ensure compliance with the GDPR.
Below, we will introduce the critical components of the GDPR and discuss how Highwire has made GDPR compliance intrinsic to our platform and our processes.
Data Subject Rights
The primary purpose of the GDPR is to give individuals greater control over the use of their personal data and to standardize data protection regulations for businesses operating within the European Union. Under the GDPR, individuals whose data is being processed are defined as “data subjects”. At Highwire, they are called hiring partner (HP) users and contracting partner (CP) users. Regardless of the label, they have several fundamental rights under the GDPR, including the following:
- Right to access: Data subjects can request access to their personal data held by an organization.
- Right to rectification: Individuals can request corrections to inaccurate or incomplete data.
- Right to erasure (right to be forgotten): Data subjects can request the deletion of their personal data under certain circumstances.
- Right to restriction of processing: In some cases, individuals can request the restriction of data processing.
- Right to data portability: Data subjects can request the data they have provided in a structured, commonly used, machine-readable format, and can have it transmitted to another controller.
- Right to object: Individuals can object to data processing for specific purposes, such as direct marketing.
Data Controller vs. Data Processor
Before defining Highwire’s specific GDPR approach, another key concept to understand is the distinction between a data controller and a data processor. Generally speaking, the following definitions apply under the GDPR:
- Data controller: The entity that determines the purposes and means of processing personal data. Controllers are responsible for the lawfulness of the processing and must ensure that any processors they engage follow their documented instructions.
- Data processor: The entity that processes personal data on behalf of the data controller. Processors may only process data as instructed by the controller and must implement appropriate technical and organizational measures to ensure data security.
In the Highwire model, hiring partners and contracting partners act as the data controller to the extent that they provide limited personal data to Highwire, including full name, business title, and business email address in order to establish an account in the Highwire system. In addition, contracting partners provide business information to Highwire in order to be evaluated using Highwire’s proprietary safety and financial algorithms.
Highwire then acts as the data processor to the extent that we process personal data on behalf of and under the direction of our users. Highwire is limited to only using personal data as directed by our users and in a way that ensures that their privacy rights are upheld.
So how does Highwire prove to our users that we are processing personal data using the appropriate measures to ensure data security and privacy? Let’s look at our robust approach.
Highwire’s Approach to GDPR Compliance
Privacy Policy
One of the core requirements of the GDPR is a transparent and easily understandable privacy policy. Privacy policies must provide clear information about how data is collected, processed, and stored, as well as how data subjects can exercise their rights. The Highwire Privacy Policy is made publicly available on our website and is supplemented by a specific EEA Privacy Notice for users in the European Economic Area, the United Kingdom, or Switzerland.
In addition, Highwire recertifies annually under the United States Department of Commerce Privacy Shield program, which requires a published privacy policy that meets the framework's principles. You can visit the Privacy Shield website for more information and to verify Highwire's certification. Note that since the Court of Justice of the EU's Schrems II judgment of July 2020, Privacy Shield on its own is no longer a valid legal basis for transferring personal data from the EEA to the United States; such transfers rely on the Standard Contractual Clauses described in the next section.
Contractual Clauses and Data Processing Addendum
As required by the GDPR (Article 28 requires a written contract between a controller and its processor), Highwire details our specific responsibilities, security measures, and compliance requirements regarding data processing as part of our contractual agreements with all hiring partners and contracting partners. We do this by explicitly referencing the Highwire Privacy Policy and the Highwire Data Processing Addendum in our Terms. To ensure the efficacy of Highwire's Data Processing Addendum, our contractual language is based on the Standard Contractual Clauses (SCCs) issued by the European Commission, which were specifically designed for the transfer of personal data from within the EEA to countries outside the EEA. SCCs are an essential tool for ensuring that data transfers outside of the EEA comply with the requirements of the GDPR.
Subprocessors
As detailed in both the Highwire Privacy Policy and our Terms, Highwire contracts with Amazon Web Services (AWS) for cloud hosting services. Under the GDPR, this arrangement makes AWS a sub-processor of Highwire data.
Highwire reviews AWS's GDPR compliance at least annually. In addition, as part of our contractual agreement with AWS, Highwire is a party to the AWS Data Processing Addendum (DPA). This is a critical component of our commitment to data security and privacy because the AWS DPA meets the requirements of the GDPR and of the EU-US and Swiss-US Privacy Shield Frameworks. Highwire's DPA with AWS provides us with assurance on important data security requirements, including the following:
- AWS processes customer data only in accordance with customer instructions;
- AWS implements and maintains robust technical and organizational measures for the AWS network;
- AWS notifies its customers of a security incident without undue delay after becoming aware of the security incident.
You can learn more about AWS’ approach to GDPR compliance at the AWS GDPR Center.
Unsubscribe Mechanisms
Under the GDPR, data subjects have an unconditional right to object to processing for direct marketing, so organizations must provide clear and easily accessible unsubscribe mechanisms for marketing communications. Highwire users can find a clear opt-out link in the footer of every Highwire email.
Data Deletion
Highwire retains user data only for as long as we have an ongoing, legitimate need to do so and are working under a current hiring partner or contracting partner agreement. Specific user accounts and personally identifiable information (PII) are deleted promptly upon account deletion (either directly by a hiring partner administrative user or by Highwire) or upon contract termination. Because Highwire also designs our services to protect information from accidental or malicious deletion, there may be slight delays between when a user deletes something and when all copies are removed from our active and backup systems.
As detailed in our Terms, Highwire may de-identify and aggregate information submitted by our contracting partners. Highwire owns this aggregated information and may use it for any purpose, because once data has been irreversibly anonymized it is no longer personal data subject to data protection laws or regulations, including the GDPR. (Data that is merely pseudonymized, where individuals could still be re-identified with additional information, remains personal data under the GDPR, so our aggregation is designed so that individuals cannot be singled out.)
Breach Notification
As a processor, Highwire will notify affected hiring partners and contracting partners by email of any personal data breach without undue delay, and never later than 72 hours after becoming aware of it, so that they, as controllers, can meet their own obligation under the GDPR to notify the relevant supervisory authority within 72 hours. This notification will include the following, with any details not yet known at the time of the initial notice provided in updates as our investigation proceeds:
- the nature and description of the breach, including the number of users who are affected;
- analysis and root cause of the failure;
- immediate corrective action taken to contain the breach and mitigate its adverse effects; and
- other corrective actions proposed or taken to prevent future breaches of the same nature and type.
Conclusion
The EU General Data Protection Regulation (GDPR) is a comprehensive framework designed to protect individuals’ personal data and provide them with greater control over how it’s processed. Highwire makes it a top priority to understand and comply with the GDPR’s provisions in order to build trust with our customers and to contribute to a global culture of data protection and privacy.