3. What is GDPR?
The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018, bringing new rules on privacy in regard to individuals’ personal data and how it is processed. GDPR significantly strengthens the rights of individuals and increases the obligations on organisations, even when they operate outside Europe.
4. Why does this affect my organization?
Most TA Tech vendors are “data processors”. Under GDPR a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of a “controller”, and the controller is usually your customer.
5. Who are the data controllers?
A data controller is the individual or legal person (entity) who, alone or jointly with others, determines the purposes and means of the processing of personal data, and who is therefore responsible for how that data is kept and used. However, most vendors are also controllers in their own right for some data, for example their own prospect and customer lists.
6. What is meant by ‘Processing’?
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
7. What is meant by ‘Personal data’?
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
8. We are not based in the EU, why is this relevant?
The principle of “extraterritoriality” in GDPR means that if your company processes the personal data of data subjects who are in the EU in connection with offering them goods or services (recruitment, for example) or monitoring their behaviour, then the requirements of GDPR apply to you, even if you have no physical presence in the EU. Note that the test is where the data subjects are, not their nationality.
9. What do we need to do to meet the requirements of this regulation?
The questions that follow walk through the main obligations GDPR places on a processor; treat them as a checklist.
10. Do we have the correct contracts in place with our customers?
Contracts need to set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. In some cases the easiest approach may be to offer a supplementary data processing agreement (DPA) rather than renegotiating the main contract.
11. Are we in danger of becoming a controller?
This is a complex issue; however, as vendors add more and more algorithmic processing to their functionality, the answer is probably yes. Explicitly calling out the types of processing in the contract with the controller may help mitigate this. More precisely, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing. Enhancing candidate data, or using it for purposes other than those the controller instructed, is an example of this.
12. Have we ensured that people authorised to process the personal data have committed themselves to confidentiality?
This is one of the terms the processing contract must contain: persons authorised to process the personal data must have committed themselves to confidentiality or be under an appropriate statutory obligation of confidentiality.
13. Are we using any other processors in our service?
If you are using other data processors as part of your service, e.g. the Fullcontact or Clearbit APIs, then you need to impose the same data protection obligations on these processors by way of contract or other legal act. If the third-party processor fails to fulfil its obligations, you remain fully liable to the controller for the performance of those obligations. As a processor you cannot engage another processor without the prior specific or general written authorisation of the controller, and in the case of general written authorisation you need to inform the controller of any intended changes concerning the addition or replacement of other processors, giving the controller the opportunity to object.
14. Do we need to keep any special records?
Yes, you will need to maintain a record of all categories of processing activities carried out on behalf of each controller. There is an exemption for companies of fewer than 250 employees, but it does not apply where the processing is likely to result in a risk to the rights and freedoms of data subjects, where the processing is not occasional, or where it includes special categories of data. You could easily argue that any recruitment-related personal information meets the first of these tests, so most vendors should assume they need to keep the record.
15. What about data security?
As the processor you need to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the data subject. The Regulation gives examples of such measures: pseudonymisation and encryption of personal data, the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access to personal data in a timely manner after an incident, and a process for regularly testing and evaluating the effectiveness of those measures.
16. What do we need to do if we are hacked?
As a processor you need to notify the controller without undue delay after becoming aware of a personal data breach (which covers accidental loss or disclosure as well as a hack). The controller in turn has to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Since the controller’s clock starts when it becomes aware, any delay on your side eats directly into that 72-hour window.
17. Can a legal action be taken against us?
Yes, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation. As a processor you are liable for the damage caused by processing only where you have not complied with the obligations of GDPR specifically directed to processors, or where you have acted outside or contrary to the lawful instructions of the controller.
18. Other things to think about…
As data controllers, our clients have a different set of obligations. Understand them, and think about how you can use your product to help protect them from human error.
19. The last word...
This is a new regulation and, as such, there are elements that are open to interpretation; in the absence of precedent it can be difficult to give a black-and-white opinion. However, legal interpretation is relevant and can draw on previous experience of existing data protection regulations. If you are concerned, consult your legal adviser on the areas you feel may be applicable to your business.