The General Data Protection Regulation, also known as the GDPR, is a European privacy law that replaces the earlier EU data protection directive.
The purpose of the GDPR is to protect personal information and give individuals more control over their personal data. Under the GDPR, personal information is defined as all information that can directly or indirectly identify an individual. This includes personal identification numbers, location data, online identifiers (such as IP addresses), pseudonymised data, and genetic and biometric data. In other words, the definition of personal data is wider than it was before the GDPR took effect.
Nothing in this article should be considered legal advice; it is intended as a tool for the data controller's (your, as a client's) GDPR work. Contact your legal advisor for legal advice about the GDPR.
Key demands for GDPR
Organisations affected by the GDPR will be required to make a number of changes to the way they collect and process personal information in order to remain GDPR-compliant.
Identifying the data controller and the data processor is an important part of preparing for the GDPR.
What is a data controller?
A data controller is a company or organisation that decides why and how personal information is used. A data controller can also be a data processor, for example if you run your systems yourself or keep the data locally on a PC, on an intranet, etc.
What is a data processor?
A data processor processes the personal information that the data controller has collected. RecMan is the data processor for everything you as a customer put into RecMan. RecMan is not responsible for information held outside RecMan; you need to identify who the data processor is for information located outside the RecMan system.
A data processing agreement must also be in place as part of the customer relationship between the supplier (the data processor) and the customer (the data controller).
The responsibility for complying with the GDPR rests largely with the data controller when handling personal information, even if the processing activities have been outsourced to another company. However, the data processor is also legally obliged to be GDPR-compliant, which RecMan is.
Rights of the individual under GDPR
The GDPR gives individuals the following key rights over their personal information:
The right of access: You, as data controller, must comply with requests from individuals who want access to their personal information or to information about how it is used. In RecMan, both candidates and contact persons can log in to their own profiles, where they can view the data held about them. You, as a customer, can also export candidate information in both PDF and JSON format.
Data controllers and data processors must also be able to explain, in detail, how the information was obtained, how and why it is used, and who it is shared with. As far as the data controller is concerned, data sharing with subcontractors etc. is regulated in the data processing agreement between the customer and RecMan. For the customer's own part, routines and a description of them must be established that can be provided to contact persons and candidates.
The right to have incorrect or incomplete personal data updated or corrected: The data controller must comply with requests from individuals who want the information the data controller holds about them corrected or completed.
If candidates or contact persons have a login for their profiles, they can correct and update their personal information themselves. If they do not, the information can be edited from the candidate card, the customer card or the contact person card by employees of the customer who have access to these cards.
"The right to be forgotten": Individuals can decide that they no longer want their personal information processed and/or that they want all of their information deleted. A procedure for handling such requests should be worked out. Candidates who have a profile in the system also have the option of deleting themselves. In that case, they are placed on a deletion list in the GDPR candidate base so that you, as data controller, can check that the candidate's information is not held in other systems. If it is found in other systems, it must be assessed whether it should be deleted there as well (depending on whether you are required by law to retain the information).
Individuals can also ask the data controller to stop processing their data.
Data portability: Individuals can request a copy of their personal information from a company, and the data controller cannot refuse. The information must be provided in a machine-readable format. You, as the customer, can export candidate information in both PDF and JSON format; JSON is the machine-readable format. It is recommended that you include a PDF alongside the JSON file, as it is easier for people to read than JSON.
Consent: Consent to the processing of data is an important focus of the GDPR.
An example of template text for obtaining consent can be found here.
Withdrawing consent: It must also be possible to withdraw consent.
Mapping of data
Overview of the personal information collected: To be able to assess the GDPR requirements for your processing of data, it is important that you, as data controller, also map out what kinds of personal information your organisation collects, who has access to it, what you do with it and how long you store it.
Example form that can be used as a starting point for this type of mapping:
Overview of where the personal information is stored: Map out where the personal information is stored (in which systems) and how the data flows between those systems. Having an overview of the data flows is especially important for ensuring that all information about a person has actually been deleted when it is meant to be deleted. It is also important to note down places where information is stored outside any system, e.g. locally on a desktop or PC.
Administration of personal information
It is important to establish good processes and routines for administering the personal information that your organisation collects.
Assign or hire a data protection officer: Companies whose core business involves collecting or processing personal information will be obliged to appoint a data protection officer (DPO), who must have thorough knowledge of data protection. If you do not have this competence in-house, you may consider hiring an external advisor in this field.
Knowledge in the organization: Make sure that both management and employees know the GDPR guidelines as well as the internal processes that relate to them.
Security: Implement information security as a standard part of the system's design. Data protection must be built into products and services from the earliest development stages. This has always been a major focus for RecMan, even before the GDPR existed. Make sure that any supporting systems and the like also focus on this. Note that this security point overlaps with the «knowledge in the organization» point, since a security gap may also take the form of someone gaining access to the system through an employee in your organisation (social engineering). So make sure that employees in your organisation are also aware of the risks and of what can be done to reduce them.
On security breaches: Individuals must be notified about a breach that affects their personal information within 72 hours.
The supervisory authority must also be notified within 72 hours of a security breach that poses a risk to the rights and freedoms of individuals. If such a situation occurs and the data is stored in RecMan, it is important to work together with RecMan (the data processor).
Where should I start with the work of preparing for the GDPR?
Make a GDPR plan of action
Data controllers and data processors that handle personal information must make a GDPR action plan that takes all the new requirements into account. The checklist below can serve as a starting point for such a plan.
GDPR checklist for meeting the requirements:
- Complete mapping to find out what information the organization gathers and how it is transferred, processed and stored.
- Identify data processor(s).
- Ensure data processing agreements with your data processors.
- Ensure that your providers are GDPR-compliant.
- Identify the data controller (typically, this is your own organisation).
- Educate employees about data protection and GDPR criteria, such as the rights of individuals.
- Assign or hire a data protection officer (if required).
- Have processes in place for getting consent.
- Create a notification and action plan for use in case of a security breach.
- Make a plan for regular reviews of your GDPR processes, assessing how effective they are and whether anything can be improved. Check how your processes hold up against laws and rules that may have changed in the meantime. Regularly verify that your security measures are still adequate as well.