May 25th, the day GDPR comes into effect, is fast approaching, and with it a host of changes to how companies manage data.
GDPR means greater obligations for organisations when it comes to data collection and processing, and greater rights and control for consumers over their personal data.
Among the revised rules are a wider definition of what constitutes personal data, stricter rules around reporting breaches and a higher threshold for how consent is obtained. As a data controller, you may be liable for any breaches throughout the data processing chain.
Failure to be compliant can result in fines of up to €20 million or 4% of your annual turnover. The onus of proof lies with the company, so formal procedures and audit logs need to be implemented to show compliance.
It’s recommended to consult with a legal team to get advice on your specific requirements.
How Jobbio is ensuring we’re GDPR compliant
In preparation for the new legislation, we charged a team, including a GDPR project manager and our legal department, with a full analysis of our data processing procedures and with overseeing the necessary operational changes. We’ve updated our policies to ensure continued transparency when it comes to collecting, processing, storing and disposing of data, and will be fully compliant by May 25th.
Jobbio will only use personal data for its stated use, i.e. to assist talent on the job hunt. Any third parties which handle data on our behalf will be fully vetted to ensure they are also compliant. Our terms and conditions are being expanded so that we have full permission from candidates under legitimate interest. In Jobbio’s case this covers all marketing communications, as candidates have re-opted in.
In the case of HR departments, receiving CVs and applications by email is no longer a viable option. To be fully GDPR compliant, talent need to opt in to the use and storage of their information. That means any CVs of prospective candidates, both physical and electronic, need to be securely disposed of when no longer needed or when the recruitment process has been completed. Our live applicant tracking system ensures that candidates have fully consented to the access and use of their data.
If you’re a current Jobbio customer, we’ll be issuing an addendum to your company contract in the coming weeks. If you have a talent Bio on Jobbio, we’ll be updating our terms and conditions to ensure GDPR compliance.
All data will continue to be securely stored and only retained for as long as required: no data will be retained indefinitely, and candidates will be told for how long and for what purpose their information will be stored. All data will be encrypted in line with industry guidelines and be subject to access controls.
GDPR also states that data owners have the right to access, change and revoke their information at any time. Once such a request has been made, the company has a month to fulfil it.
Jobbio has built custom tools which give talent control over their own information. Our talent dashboard allows candidates to access, update and delete their data quickly and easily.
All data breaches need to be reported to the data owner and the Data Protection Commission within 72 hours of the incident. Under the new regulation affected parties have the right of action against both the data controller and processor. In response, Jobbio has implemented a robust reporting procedure covering internal data breaches as well as external threats.
Common misconceptions related to GDPR
You don’t need to be based within the EU or dealing with EU citizens for GDPR to apply. As a data controller you may be based outside the EU, dealing with the data of people based outside the EU, but using a processor within the EU. In this case GDPR still applies.
SMEs are not exempt from needing a Data Protection Officer even if they employ fewer than 250 people. If your core operation is handling or processing personal data, or if you run any large-scale analytics on this data, you may still need to appoint a DPO.
GDPR does not just refer to data gathered electronically. Any and all personal data stored is subject to the new regulations including customer and candidate contact information, physical CVs, etc.
The scope of legitimate interest
Legitimate interest does not automatically cover collection or use of data without the data owner’s consent. The legitimate interest exception needs to be balanced against privacy rights and doesn’t provide blanket coverage for marketing use. However, there are some cases where data may be processed without consent, for example when preventing fraud, human rights violations, etc.
You are not just liable for how you manage and process data but also for any third parties who process data on your behalf. If you’re a data controller, you’re responsible for (and may be sued over) any breach at any stage of the data processing.