The new EU General Data Protection Regulation (abbreviated “GDPR”) is approaching rapidly. For most, if not all, companies, this means changes need to be made to the way they work, because as soon as personal data are involved, any processing (including transmission and storage) must comply with the new law. If your use of data violates the GDPR, you may be subject to heavy fines. The regulation sets two tiers of administrative fines, depending on which obligations are infringed: up to €20 million or 4% of the company’s total worldwide annual turnover, whichever is higher, for the most serious violations (for example, of the basic processing principles or of data subjects’ rights), and up to €10 million or 2% of worldwide annual turnover, again whichever is higher, for other violations, such as breaches of the controller’s and processor’s obligations. Whether an infringement was intentional or negligent is one of the factors taken into account when the amount is set.
The protection of natural persons’ personal data is central to the GDPR. “Personal data” means any information relating to an identified or identifiable natural person. Specifically, this includes a person’s name, identification numbers, location data and online identifiers such as usernames. Also covered is information on a person’s physical, physiological, genetic, mental, economic, cultural or social identity. If these data are to be processed, the person must be informed in accordance with the GDPR. We’ll get to that in a bit.
The GDPR distinguishes three roles. Each of them either has the right to the protection of their personal data or the obligation to protect such data:
Data subjects are natural persons who are entitled to protection of their personal data. In terms of recruiting, this refers to candidates who provide personal data during the application process.
The controller determines which personal data is needed and how it is to be used. This category includes recruiters and companies that determine which data is necessary for the recruiting process.
The processor processes the data on the controller’s behalf and only on the controller’s documented instructions. For example, this could be the provider of a recruiting management system, as it collects and processes the applicants’ personal data for the company. Note that the GDPR requires the relationship between controller and processor to be governed by a contract (a data processing agreement).
The GDPR is built on the processing principles set out in Article 5, which are meant to make the use of personal data fairer and more secure.
“The challenges associated with recruiting or applicant tracking are less about a legitimate interest in data processing activities and more about ensuring a level of technological and organizational security that protects against risks.”
The GDPR does not prescribe specific technical and organizational measures (abbreviated “TOMs”). Article 32 only requires measures that are appropriate to the risk, taking into account the nature, scope, context and purposes of the processing, and names examples such as pseudonymization, encryption, the ability to restore data after an incident and regular testing of the measures’ effectiveness. Depending on your processing activities and their purpose, it therefore makes sense to implement the following measures, among others, in order to demonstrate compliance with the GDPR:
Further measures that help you comply with the GDPR are described here: GDPR & Recruiting.
Proper planning is half the battle. In particular, it is advisable to appoint a data protection officer (in some cases the GDPR makes this mandatory); it does not matter whether this person is an employee or an external service provider. Remember, you shouldn’t pick someone who has no idea about data protection and who would have to read up on the GDPR on top of their other daily business. As with any project, it makes sense to create a schedule and a budget, and to prioritize your goals. Then take stock of the status quo: this assessment should give you reliable answers about the current state of data protection and data security in your company. You can also draw up the necessary documents, such as contracts, forms or agreements. On the one hand, this will help you prioritize your goals; on the other hand, you will save time when the GDPR actually becomes applicable on May 25, 2018.