At Highwire, the success of our partners and the protection of their personal data is our top priority. With customers in countries all over the world, Highwire takes a truly international approach to data privacy. Highwire is regularly audited by third parties against the most exacting criteria and we have been globally certified by the International Organization for Standardization under ISO 27001 since 2016.
In 2018, the European Union began enforcing a groundbreaking legal framework called the General Data Protection Regulation (GDPR) to empower individuals and enhance their privacy rights by imposing strict obligations on companies that handle their data. Highwire’s early commitment to ISO 27001 put us in a strong position to quickly and effectively review and enhance the Highwire application and our internal processes, policies, and controls to ensure compliance with the GDPR.
Below, we will introduce the critical components of the GDPR and discuss how Highwire has made GDPR compliance intrinsic to our platform and our processes.
Data Subject Rights
The primary purpose of the GDPR is to give individuals greater control over the use of their personal data and to standardize data protection regulations for businesses operating within the European Union. Under the GDPR, individuals whose data is being processed are defined as “data subjects”. At Highwire, they are called hiring partner (HP) users and contracting partner (CP) users. Regardless of the label, they have several fundamental rights under the GDPR, including the following:
Right to access: Data subjects can request access to their personal data held by an organization.
Right to rectification: Individuals can request corrections to inaccurate or incomplete data.
Right to erasure (right to be forgotten): Data subjects can request the deletion of their personal data under certain circumstances.
Right to restriction of processing: In some cases, individuals can request the restriction of data processing.
Right to data portability: Data subjects can request their data in a machine-readable format for transfer to another controller.
- Right to object: Individuals can object to data processing for specific purposes, such as direct marketing.
Data Controller vs. Data Processor
Before defining Highwire’s specific GDPR approach, another key concept to understand is the distinction between a data controller and a data processor. Generally speaking, the following definitions apply under the GDPR:
- Data controller: The entity that determines the purposes and means of processing personal data. Controllers must ensure that processors follow their instructions.
- Data processor: The entity that processes personal data on behalf of the data controller. Processors must only process data as defined by the controller and must take appropriate measures to ensure data security.
In the Highwire model, hiring partners and contracting partners act as the data controller to the extent that they provide limited personal data to Highwire, including full name, business title, and business email address in order to establish an account in the Highwire system. In addition, contracting partners provide business information to Highwire in order to be evaluated using Highwire’s proprietary safety and financial algorithms.
Highwire then acts as the data processor to the extent that we process personal data on behalf of and under the direction of our users. Highwire is limited to only using personal data as directed by our users and in a way that ensures that their privacy rights are upheld.
So how does Highwire prove to our users that we are processing personal data using the appropriate measures to ensure data security and privacy? Let’s look at our robust approach.
Highwire’s Approach to GDPR Compliance
Contractual Clauses and Data Processing Addendum
Highwire performs a full audit of AWS at least annually to ensure their compliance with the GDPR. In addition, as part of our contractual agreement with AWS, Highwire is a party to their Data Processing Addendum (DPA). This is a critical component of our commitment to data security and privacy because Amazon’s DPA is fully compliant and meets all of the requirements of the GDPR and the EU-US and SWISS-US Privacy Shield Frameworks. Highwire’s DPA with AWS provides us with assurance on important data security requirements, including the following:
AWS processes customer data only in accordance with customer instructions;
AWS implements and maintains robust technical and organizational measures for the AWS network;
AWS notifies its customers of a security incident without undue delay after becoming aware of the security incident.
You can learn more about AWS’ approach to GDPR compliance at the AWS GDPR Center.
The GDPR mandates that organizations provide clear and easily accessible unsubscribe mechanisms, particularly for marketing communications. Highwire users can access clear opt-out links in the footer of all Highwire emails.
Highwire retains user data only for as long as we have an ongoing, legitimate need to do so and are working under a current hiring partner or contracting partner agreement. Specific user accounts and personallyiIdentifiable information (PII) are deleted immediately upon account deletion (either directly by a hiring partner administrative user or by Highwire) or upon contract termination. Highwire tries to ensure that our services protect information from accidental or malicious deletion. Because of this, there may be slight delays between when a user deletes something and when copies are deleted from our active and back-up systems.
As detailed in our Terms, Highwire may de-identify and aggregate information submitted by our contracting partners. Highwire owns all aggregated information and may use it for any purpose since aggregated data is completely anonymous and is no longer personal data subject to data protection laws or regulations, including the GDPR.
Highwire will notify all users immediately via email of any personal data breach (and never later than 72 hours after having become aware of it). This notification will include the following:
the nature and description of the breach including the number of users who are affected;
analysis and root cause of the failure;
immediate corrective action to address the breach and mitigate the adverse effects; and,
other corrective actions proposed or taken to prevent any future breaches of the same nature and type.
The EU General Data Protection Regulation (GDPR) is a comprehensive framework designed to protect individuals’ personal data and provide them with greater control over how it’s processed. Highwire makes it a top priority to understand and comply with the GDPR’s provisions in order to build trust with our customers and to contribute to a global culture of data protection and privacy.