RiskReduct & Client GDPR
Our GDPR Statement
RiskReduct is GDPR compliant and fully committed to our client’s privacy. We are a registered with the UK Information Commissioner’s Office (ICO), number. We may act as a controller in our own right or as a processor on behalf of our clients.
Our aim is to offer tools to help you maintain your GDPR compliance. While we cannot and do not accept responsibility for non-compliant activity on your behalf, we ensure our own internal systems are fully compliant.
We aim to provide best practise guidance and candidate journeys inside our web-based application software, where we are able to.
Frequently Asked Questions
What data is hosted or processed by RiskReduct?
We hold candidate data, typically keyed into our system via forms provided by the candidates. Data includes – name, address, date of birth, identity details, email, DVLA details, telephone number, employment history, professional qualification and education.
What is the purpose of RiskReduct and how it uses the data?
RiskReduct is a due diligence platform, allowing employers and clients perform background checks on our system. Candidate records can also be stored depending on our client retention policy. We usually store record for a maximum of 6 months depending on agreement with the client.
Explain your server security and safety features
We keep all traffic encrypted with machines hosted via Microsoft Azure platform Our servers are managed by high level system administrators with regular security checks. Internal access to tools permitting client data access is protected with access keys.
Where is your data physically stored?
Our servers are in the United Kingdom
Do you share any of our data with third parties? What is the reason and are they GDPR compliant?
Any third parties we work with must be GDPR compliant. RiskReduct will not share data with any entity who cannot demonstrate this. We also utilise the services of Veriphy (https://veriphy.com/veriphy-privacy-policy/) to allow us to provide further details about our candidates.
How can we inform you of a data subject’s ‘right to be forgotten’, and what processes are in place to comply with this request once you receive it?
RiskReduct client with ‘delete’ permission are able to delete the candidate record from inside our system. The data deletion action is processed straight away when initiated by the client.
How long do you retain candidate data?
Our standard period is 6 months after which we pseudonymise or remove the data completely. We allow clients to change this time period according to the clients own legitimate interest policy.