Keep your people data safe and your organisation protected

Ciphr acts as both a data controller and a data processor, depending on the relationship. We provide secure systems and governance to support your compliance, while you remain responsible as the data controller for your employees’ data.

We apply layered security measures, including encryption, monitoring, auditing, and regular penetration testing using both internal experts and external CREST-accredited partners.

Yes. Ciphr holds ISO 27001, Cyber Essentials Plus, ISO 9001, and ISO 14001 certifications, which support our structured approach to security and quality. 

We use role-based access controls, defined permissions, and regular governance reviews to ensure only authorised users can access sensitive data.

Ciphr has a dedicated data protection officer (DPO) who oversees data protection practices and acts as a contact for any related queries. 

We continuously review, test, and improve our systems, policies, and controls to respond to new risks and maintain strong data protection standards.

We take a controlled, transparent approach to AI. Our AI features are designed to support users, not replace decision-making, and we apply strict controls to how data is handled. Customer data is not used to train public AI models, and we continuously review and improve our governance in line with emerging risks and best practice.

The General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, is a set of standards that all organisations in the EU are required to comply with. These regulations govern how personal data is collected, processed, and stored. Any organisation that handles data belonging to a resident of the EU must adhere to the GDPR’s requirements, or face considerable fines.

HR is the keeper of significant amounts of employee personal data, but the onus for maintaining data in line with the GDPR is typically shared among HR and information security teams, and, of course, the appointed data protection officer (DPO). Employers must put in place policies and procedures to ensure employee (and applicant) data is collected, stored and processed in line with the GDPR’s requirements, and that they respond to subject access requests (SARs) within the required timeframe.

Types of employee data covered by the GDPR can include, for example, job and pay records, addresses, next-of-kin information, details of any medical conditions or disabilities, the results of background checks or right to work checks, and any other personally identifiable information. Because HR, HR managers, and HR practitioners are usually the guardians of an organisation’s employee records, they are responsible (alongside information security teams and the DPO) for compliance with the GDPR in relation to personal, sensitive employee data. HR practitioners and HR managers must ensure they have a lawful basis for collecting and storing data related to employees and job applicants, and that the data is stored only for the required and agreed period (if permissions for data have expired, consent must be captured again, or the data must be deleted or anonymised). They may also have to respond to subject access requests (SARs) from former or existing employees, who, under the GDPR, have a legal right to request a copy of all the personal data that the organisation holds about them.