PiiQ by Cornerstone is now GDPR compliant. The goal of GDPR is to ensure that organizations take the necessary measures to protect the privacy of their users' data.

At PiiQ, security and compliance have always been a top priority. We’ve taken the required steps to keep your data, and the way we handle it, compliant with the new regulation.

The General Data Protection Regulation (GDPR) is a new European privacy law that becomes enforceable on May 25, 2018.

Data protection laws govern the way that businesses collect, use, and share personal data about individuals. While the regulations are far-reaching in their scope, some of their more relevant tenets are the requirement that businesses process an individual’s personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (the Right to Access and Transfer, and the Right to be Forgotten), and ensure appropriate security protections are put in place to protect the personal data they process.

PiiQ acts as a data processor. When customers store personal data about their employees within our system, we are required to provide lawful access to said data, enact proper security protocols to protect such data, and delete it completely once it is required that the data be removed. The data is not collected by PiiQ, but it is stored within our service when our customers add personal information for purposes of performance management and learning.

These concepts of lawful data availability and removal are described within GDPR as the Right to Access and Transfer and the Right to Be Forgotten, respectively.

The Right to Access and Transfer is a portion of GDPR focused upon ensuring that personal data stored without our system can be retrieved and presented to the user, as it is rightfully their data. PiiQ has always respected this ideal, and offers various processes for Administrators to export employee data. Should an employee ever request that their personal data be extracted for their records, PiiQ has the features in place to allow this.

The Right to Be Forgotten requires that, should an individual request that all personal data stored about them within PiiQ be removed, it is done so permanently and thoroughly. This means that all records of a user that could be employed to identify them must be expunged, both from what is visible in the system and what is stored in our databases. As part of our dedication to customer privacy, PiiQ has improved our administrative People deletion feature to immediately and permanently remove all identifying information about a user from our systems. Administrators have access to this feature at any time to honor requests by users within their portals to remove all personal data.

At the point of deletion, data will either be deleted or anonymized depending on the user's role and the data type. Please see the below table for specific information on what will be retained.

• Anonymization - The name is obfuscated into random alphanumeric text and the user photo is removed to prevent personal identification.
• Deletion - All relevant data is removed permanently from the database.