The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018. GDPR is an EU citizen rights law and affects any organization that employs or recruits EU citizens. You can learn more about GDPR here.

Different companies may have their own preferences on how they want to comply with the General Data Protection Regulation (GDPR). Sapling enables:

  • Team Members to export the data that they have provided
  • Admins to anonymize or delete personal data once it is no longer required

By default, all employees in Sapling have the ability to export the data that they have provided on their “Info” page. This is a global standard that Sapling has adopted to align itself with GDPR standards.

For help determining which anonymizing/deleting configuration settings are best for your organization, consult your legal counsel. If the GDPR does not apply to you, then there’s no need to set anything up!

Configuration

You can configure your company’s GDPR preferences in one place. 

To get started, navigate to the “Company Settings” page and click on the "GDPR" tab.

To support GDPR compliance, Sapling allows you to set your data retention timeframe and remove personally identifiable information once your legitimate interest in the team member (i.e. data subject) has expired. This data can either be anonymized or deleted.

What does this look like within the platform?

  • Anonymization in Sapling allows you to retain data for reporting purposes by removing personal information from your Sapling data. Please note that with this option, the personal fields are removed and replaced with "Anonymized" or the user ID.
  • Deletion removes the data completely.

The data retention timeframe represents the amount of time after a team member becomes inactive (i.e. leaves the company). Once this period expires, Sapling will anonymize or delete their data.

Lastly, you’ll need to specify which team members to apply GDPR protections to by using the ‘Apply to’ locations.

For GDPR purposes, Sapling uses your ‘Location’ field to apply your GDPR settings accordingly. If no location is detected for a team member, they’ll fall into the “Unknown locations” category and no GDPR settings will be applied.

What data is anonymized/deleted?

When a team member's data is anonymized/deleted, the following will be anonymized/deleted from the profile:

  • Profile Photo
  • First name
  • Preferred name
  • Last name
  • Personal email
  • Company email
  • SSN field
  • All address fields
  • All phone number fields
  • All emergency contact information

How does the anonymization work?

First, GDPR properties are set in Sapling to identify whether a user should be deleted or anonymized. This applies if the user falls within the GDPR properties (location, department and employment status).

  • If the GDPR properties are applicable and GDPR is of the deletion type, the user record is deleted after the GDPR span.
  • If the GDPR properties are applicable and GDPR is of the anonymized type, the user data is anonymized after the GDPR span, i.e.:

Please note that the following values will be displayed for specific fields and the following actions will take place:

  • First Name will be replaced with Anonymized.
  • Last Name will be a 5-digit number.
  • Email will be anonymized@{6-digit number}.
  • Personal Email will be anonymized@{7-digit number}.
  • Preferred Name will be Anonymized.
  • State will be inactive.
  • All integrations will be removed from that user.
  • All Address values will be replaced with: Line 1, Line 2, 123 City Street, San Francisco, California, CAM, 94100.
  • All Phone Numbers will be replaced with 000-000000.
  • All Social Security Numbers will be replaced with 0000000.
  • Emergency Contact Name will be replaced with Anonymized.
  • Emergency Contact Email will be replaced with anonymized@contact.
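The rules above can be turned into an audit check. The following is an added example, not Sapling's code: it decides which action is due for a team member and flags fields in a record that still hold personal data instead of the documented placeholder. The dictionary keys, the policy structure, a retention period in days and matching on location only are assumptions made for illustration.

```python
import re
from datetime import date, timedelta

# Placeholder formats from the list above; the keys are assumed field names.
EXPECTED = {
    "first_name": r"Anonymized",
    "preferred_name": r"Anonymized",
    "last_name": r"\d{5}",
    "email": r"anonymized@\d{6}",
    "personal_email": r"anonymized@\d{7}",
    "state": r"inactive",
    "phone": r"000-000000",
    "ssn": r"0000000",
    "emergency_contact_name": r"Anonymized",
    "emergency_contact_email": r"anonymized@contact",
}

def gdpr_action(user, policy, today):
    """Return 'none', 'pending', 'anonymize' or 'delete' for one team member."""
    if user.get("location") not in policy["apply_to"]:
        return "none"      # covers "Unknown locations": no GDPR settings applied
    left = user.get("inactive_since")
    if left is None:
        return "none"      # still active, retention clock has not started
    if today < left + timedelta(days=policy["retention_days"]):
        return "pending"   # inactive, but the retention timeframe has not expired
    return policy["mode"]  # 'anonymize' or 'delete'

def residual_pii(record):
    """List fields whose value does not match the documented placeholder."""
    return sorted(f for f, pat in EXPECTED.items()
                  if f in record and not re.fullmatch(pat, str(record[f])))

# Constructed sample: a record in which personal email and phone were missed.
SAMPLE = {"first_name": "Anonymized", "last_name": "48213",
          "email": "anonymized@204915", "personal_email": "jane@example.com",
          "phone": "415-5550100", "ssn": "0000000"}

if __name__ == "__main__":
    policy = {"apply_to": {"Berlin"}, "retention_days": 365, "mode": "anonymize"}
    user = {"location": "Berlin", "inactive_since": date(2023, 1, 15)}
    print(gdpr_action(user, policy, date(2024, 6, 1)), residual_pii(SAMPLE))
```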

For the data management practices and procedures that Sapling follows outside of the GDPR framework, please visit our Privacy Policy.
