GDPR Overview
General Data Privacy Regulation, also known as GDPR, is a European privacy law that replaces the earlier privacy directive in the EU.
The purpose of the GDPR is to protect personal information and to give individuals more control over their personal data. Under the GDPR, personal information is defined as all information that directly or indirectly identifies an individual. This includes personal ID numbers, location data, electronic identifiers (such as IP addresses), pseudonymised data, and genetic and biometric data. In other words, the definition of personal data is broader than it was before the GDPR came into effect.
Important
None of the information in this article should be considered legal advice; it is a tool to support the data controller's (your, as a client) GDPR work. Contact your legal advisor for legal advice about the GDPR.
Key requirements of the GDPR
Companies affected by the GDPR will have to make a number of changes to the way they obtain and process personal information in order to remain GDPR-compliant.
Identifying the data controller and the data processor is an important first step in preparing for the GDPR.
What is a data controller?
A data controller is a company or organization that decides the purpose of processing personal information and how it is used. A data controller can also be its own data processor if, for example, you run your systems yourself or store the information locally on a PC, an intranet, etc.
What is a data processor?
A data processor processes the personal information that the data controller has collected, on the controller's behalf. RecMan is the data processor for everything you, as a customer, add to RecMan. RecMan is not responsible for information that is not in RecMan; you need to identify who the data processor is for information held outside the RecMan system.
A data processing agreement must also be in place as part of the customer relationship between the supplier (data processor) and the customer (data controller).
The responsibility for complying with the GDPR rests primarily with the data controller when handling personal information, even where the processing activities have been outsourced to another company. However, the data processor is also legally obligated to be GDPR-compliant, as RecMan is.
Rights of the individual under GDPR
The GDPR gives individuals the following key rights over their personal information:
The right of access: You, as data controller, will have to comply with requests from persons wanting access to their personal information or to information on how it is used. In RecMan, both candidates and contact persons can access their own profiles, where they can view the data stored about them. You, as a customer, can also export candidate information in both PDF and JSON format.
Data controllers and data processors will also have to explain, in detail, how the information was obtained, how and why it is used, and who they share the information with. On the data controller's part, data sharing with subcontractors, etc., is regulated by the data processing agreement between the customer and RecMan. On the customer's part, routines must be established and documented so that a description can be provided to contact persons and candidates.
Ref: Article 15 – Right of access by the data subject
The right to have incorrect or incomplete personal data updated or corrected: The data controller will have to comply with requests from persons who want the information the data controller holds about them corrected or completed.
If candidates or contact persons have a login for their profiles, they can correct and update their personal information themselves. Otherwise, the information can be edited from the candidate card, the customer card or the contact person card by employees at the customer who have access to these cards.
Ref: Article 16 – Right to rectification
“The right to be forgotten”: Persons can decide that they no longer want their personal information to be processed and/or request that all of their information be deleted. A process for handling such requests should be established. Candidates who have a profile in the system also have the option of deleting themselves. In that case, the candidate is placed on a deletion list in the GDPR candidate base, so that you, as data controller, can make sure the candidate's information is not held in other systems. If it is found in other systems, you must assess whether it should be deleted there as well (depending on whether or not you are legally required to retain the information).
Persons can also ask the data controller to stop processing their data.
Ref: Article 17 – Right to erasure (‘right to be forgotten’)
Ref: Article 18 – Right to restriction of processing
Data portability: Persons can request to receive their personal information from a company without hindrance from the data controller. This information must be provided in a machine-readable format. You, as the customer, can export candidate information in both PDF and JSON format, where JSON is the machine-readable format. It is recommended that you include a PDF alongside the JSON file, as PDF is easier for people to read than JSON.
Ref: Article 20 – Right to data portability
Consent
Consent to the processing of data is an important focus of the GDPR.
A clear and understandable policy: Make sure that the privacy policy is understandable and written in plain language. If the text is not clear and understandable, the policy may not be binding. It is also essential to explain the purpose of processing the personal information. RecMan comes with a preset text that can be used as a starting point for such a policy; however, it is very important that the text is tailored to your needs.
Your system administrator can also edit the text in the system by going to System Settings → Corporations → choose a corporation, and then pressing the «Privacy policy» button.
It is also essential to inform persons of updates to the privacy policy. This information should also state which changes have been made.
Ref: Article 7.2 – Conditions for consent
Ref: Article 6 – Lawfulness of processing
Ask for consent: It is important to obtain consent before you start processing personal information. To this end, you should have a visible link to the privacy policy on your website and obtain consent when candidates register themselves. The data processor must be able to prove this consent afterwards.
Ref: Article 7 – Conditions for consent
An example of template text for getting consent can be found here.
Withdrawing consent: It must also be possible to withdraw consent.
Ref: Article 7.3 – Conditions for consent
Mapping of data
Overview of the personal information gathered: To be able to assess the GDPR requirements for your data processing, it is important that you, as data controller, also map out what kinds of personal information your organization gathers, who has access to it, what you do with it, and for how long you store it.
Ref: Article 30 – Records of processing activities
Example form that can be used as a starting point for this type of mapping:
Overview of where the personal information is stored: Map out where the personal information is stored (in which systems) and how the data flows between the systems. Having an overview of the data flows between systems is especially important for ensuring that all information about a person has actually been deleted (when it is meant to be deleted). It is also important to note down places where the information is stored outside of a system, e.g., locally on a desktop or PC.
Ref: Article 30 – Records of processing activities
Administration of personal information
It is important to establish good processes and routines for administering the personal information that your organization gathers.
Assign or hire a data protection officer: Companies whose core activities involve gathering or processing personal information will be obligated to appoint a data protection officer (DPO) with thorough knowledge of data protection. If you do not have this competence in-house, you may consider hiring an external advisor in this field.
Ref: Article 37 – Designation of the data protection officer
Knowledge in the organization: Make sure that both management and employees are familiar with the GDPR guidelines and with the internal processes that relate to them.
Ref: Article 25.2 – Data protection by design and by default
Security: Implement information security as a standard part of the system's design. Data protection must be built into products and services from the earliest development stages. This has always been a major focus for RecMan, even before the GDPR existed. Make sure that any supporting systems and the like also focus on this. Note that this security point overlaps with the «knowledge in the organization» point, since a security gap may also consist of someone gaining access to the system through an employee in your organization (social engineering). So make sure that employees in your organization are also aware of the risks and of what can be done to reduce them.
Ref: Article 25 – Data protection by design and by default
On security breaches: Individuals must be notified of a breach that affects their personal information within 72 hours.
The supervisory authority must also be notified within 72 hours of a security breach that poses a risk to the rights and freedoms of individuals. If such a situation occurs and the data is stored in RecMan, it is important to work with RecMan (the data processor).
Ref: Article 33 – Notification of a personal data breach to the supervisory authority
Ref: Article 34 – Communication of a personal data breach to the data subject
Where should I start with the work of preparing for the GDPR?
Make a GDPR plan of action
Data controllers and data processors that handle personal information must make a GDPR action plan that covers all the new requirements. You can use the points in the checklist below as a starting point for your action plan.
GDPR checklist for meeting the requirements:
- Complete mapping to find out what information the organization gathers and how it is transferred, processed and stored.
- Identify data processor(s).
- Ensure data processing agreements with your data processors.
- Ensure that your providers are GDPR-compliant.
- Identify the data controller (typically, this is your own organization).
- Educate employees about data protection and GDPR criteria, such as the rights of individuals.
- Assign or hire a data protection officer (if required).
- Have processes in place for getting consent.
- Inform individuals stored in your system(s) about their rights under the GDPR, and ensure that you have an updated privacy policy.
- Create a notification and action plan for security breaches.
- Make a plan for regular reviews of your GDPR processes, assessing how effective they are and whether anything can be improved. Check how your processes hold up against laws and rules that may have changed in the meantime. Regularly verify that your security measures are still adequate.