Our services are hosted by Microsoft, who were the first company to adopt and achieve the stringent ISO 27018 standard for GDPR. This is the standard for government organisations and suppliers to government organisations such as NHS trusts. Microsoft cloud services will include commitments to maintain GDPR compliance when enforcement begins.
Your “people” data falls into two categories.
- People you have employed: in which case you have a duty to retain all relevant employment data for six years or possibly more.
- Those whom you have not yet employed or will, for whatever reason, not employ: in which case you should obtain a limited agreement via your own terms and conditions to retain their application for a reasonable period in case they wish to reconsider. You must also delete all their data on their explicit request. You can (and probably should, for transparency) publish these on an employee T&Cs page on your own website, listing the data you will retain (for example Name, Address, email, phone, dob, NI, date of application etc.) and stating that it can be explicitly deleted on request.
We are providing hosting for such information. As long as there is a valid agreement between us, we will maintain your data, backed up every 5 minutes (via Microsoft services) with what is acknowledged as the highest level of security available and reasonably achievable.
We are legally obliged to delete any Microsoft-hosted data once such agreement is terminated by you. Microsoft requires that their services are paid in advance. It is therefore essential that your customer account is always fully up to date. Ceasing licence payments implies you have actively terminated your contract. If for any reason your account is not up to date (for example your bank is experiencing technical difficulties), you need to contact us immediately. Especially if you are a start-up, we will do our best to help. We can only maintain your data as long as you are a current valid customer. This is a direct consequence of GDPR.
You can and should use the reports available to maintain copies of employment data.
How secure is your data? Here are links to Microsoft's extensive compliance with GDPR:
- Microsoft and Compliance with ISO/IEC 27018 personal data protection
- Trusted cloud: more certifications than any other cloud provider
- Microsoft compliance ISO/IEC 27001 Information Security Management Standards