Discus and GDPR

From 25 May 2018, the EU implemented a new set of data protection rules known as the General Data Protection Regulation or GDPR. Discus has always been designed to maximize personal data security, but we've made a few changes to ensure full compliance with the new regulations.

Keeping Data Secure

We take every possible step to ensure the security of client and candidate data alike. All Discus data is held on Google's cloud database servers, and is maintained with two layers of encryption: once by Discus itself, and once by Google's own data systems. Our server architecture is maintained daily to ensure that latest updates and security patches are always in place as soon as they are released. This all means that data held by Discus is held in an environment that's as safe and secure as possible.

Candidate Privacy in Discus

One of the cornerstones of the GDPR is the idea of informed consent. Candidates should have a clear idea of what their personal data will be used for, and they should give unambiguous consent for that use.

To comply with this requirement, the Discus questionnaire process always requests explicit consent. Before a candidate starts a profile questionnaire, they are given an explanation of its purpose, and asked to consent to its storage and use. Without this consent, Discus will not store or process any candidate details.

The GDPR also requires that individuals have a right to demand deletion of their personal details. To help users comply with this requirement when necessary, Discus includes full and permanent deletion facilities. A periodic deletion facility is also provided so that users can ensure that their candidate database is kept recent and up-to-date, and does not maintain unnecessary candidate data.

Client Responsibilities

Discus collects minimal information about canddates, but a certain amount of detail is required in order for clients to identify or contact the individuals concerned.

Discus account holders are custodians of the personal details they collect about a candidate, and this means that they have certain responsibilities of their own, clearly spelled out in the Discus terms and conditions.

Most importantly, users have a responsibility for maintaining the privacy of their candidates and the security of those candidates' personal data. That data should not be published or shared with third parties without a legitimate purpose or interest.

Under the GDPR, candidates have a right to rectification and a right to erasure. If a candidate submits updated personal details, therefore, users have a responsibility to ensure that their records are updated with those details. Similarly, if they request that their profile data should be erased, then the user has a responsibility to delete that data from their Discus account. (Discus provides all the features needed to carry this out quickly and easily.)

Candidates also have a right to know what information is held on them: not only their personal details, but also any supplementary data, which in principle also includes their DISC results. Discus includes a report designed specifically for this purpose, the Feedback Report, which provides DISC results in a clear and understandable style ideal for providing to the user on request.

Further Information

If you have queries about any specific aspect of GDPR, or Discus data protection in general, we'll be happy to answer them for you. Just use any of the contact options shown on this page.

Further details of our and your legal obligations and duties can be found at the Information Commissioner's web site http://ico.org.uk.