Soon, in May 2018 the General Data Protection Regulation (GDPR) will become active. For recruiters it will change a lot. In general it is probably impossible for recruiters to keep the regulation to keep completely, if only because the regulation is simply not clear. On the other side the fines are very clear and the power of own data is clearly moving to the candidates.


Recruiters are struggling with the GDPR
and nobody can make clear what will happen.

On the other side the focus is quiet clear:

Offer value to the user (candidate) and communicate it open in clear language.
User eXperience (UX) was and will be even more the key


In-house Recruitment Network invited Robert de Souza, a laywer, to explain the GDPR in relation with recruitment.

Based on own feedback and compared with the presentation of Robert de Souza, the main approach for recruiters

  • The key is to make the user satisfied with the User eXperience (UX) he or she will get in return of using his or her data
  • As long as the user is not complaining, the risk to be fined will be much lower
  • In case of complaining users, proof (logging’s) is required that GDPR is kept
  • And probably less important but it need to be mentioned, as it can also be fined, take very well care about permission storage of user data

Below a summary of the the presentation of Robert de Souza.

The GDPR Overview

The GDPR is 2 Regulation NOT a Directive. There are over 100 Articles In The GDPR

The GDPR will become legislation in May 2018 replacing the Data Protection Act 1998

The government has confirmed that the UK’s decision to leave the EU WILL NOT effect the commencement of The GDPR in the UK

GDPR applies to controllers and processors

the controller says how and why personal data is processed

the processor acts on the controller’s behalf

It you are a controller, The GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR

If you are a processor, The GDPR places specific legal obligations on you, you are required to maintain records of personal data and processing activities

The GDPR applies to data processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU

The GDPR does not apply to certain activities including data processing covered by the Law Enforcement Directive

The GDPR complies with Article 8 of the European Convention on Human Rights….the right to respect for private and family life, home and correspondence

The fine for a data breach is €20M or 4% of the gross annual turnover of the company whichever is the greater

The GDPR is based on the foundation of international principles ISO/IEC 27001, 27010, 38500, 27004

What information does the GDPR apply to?

  • Personal data
  • sensitive personal data
  • Pseudonymous data

Definition of Regulated Personal Data (Article 4)

“Personal Data”:
Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable person is one who can be identified, directly or indirectly by reference to an identifier such as a name, an identification number, location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person

Definition of Regulated Sensitive Personal Data (Article 4)

“Sensitive Personal Data”:
The GDPR to sensitive personal data as “special categories of personal data” (Article 9). These categories are broadly the same as those in the DPA, but there are some minor changes.

For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (Article 10).

Definition of Regulated Pseudonymous Data (Article 4)

“Pseudonymous data”:
Personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution.

The GDPR Includes provisions on:

clear and affirmative consent: to the processing of private data by the person concerned, so as to give consumers more control over their private data

kids on social media: children will need to get their parents’ permission (“parental consent”) to open an account on social media such as Facebook, Instagram or Snapchat, as is already the case in most EU countries today

right to be forgotten: Consumers will thus have the “right to be forgotten” or erased from the databases of companies holding their personal data, provided there are no legitimate grounds for retaining it

the right to know when your data has hacked: companies and organisations will be required to notify the national supervisory authority of serious data breaches within 72hrs of the breach. If the deadline is missed a report and explanation must be submitted

plain language: all new rules must put an end to “small print” privacy policies. Information should be given in clear language before the data is collected

fines: of up to 4% of companies’ total worldwide annual turnover should constitute a real deterrent to breaking the rules

firms will have to appoint data protection officer: lf they are handling significant amounts of sensitive data or monitoring the behaviour of consumers. Firms whose core business activity is not data processing will be exempt from this obligation.

One stop shop for cpmplaints and enforcement: National Data Protection Authorities (DPAs) will be enhanced to become a first instance body where citizens can complain about data breaches. Cooperation among the DPAs will also be significantly strengthened to ensure consistency and oversight.

The GDPR Core Principles (Article 5)

Principle 1
Personal data must be processed lawfully (Article 6), fairly and transparantly

Principle 2
Personal data can only be collected for specific explicit and legitimate purposes

Principle 3
Personal data must be adequate, relevant and limited to what is absolutely necessary for processing

Principle 4
Personal data must wholly accurate and kept completely uo to date

Principle 5
Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing

Principle 6
Personal data must processed in manner that ensures it security

GDPR include provisions

Accountability and Governance

You are expected to put into place comprehensive but proportionate govemence measures

The new accountability principle In Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility:

You must:

Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies

Maintain relevant documentation on processing activities

Where appropriate, appoint a data protection officer who will be ‘independent’ and responsible for data protection and compliance. This is considered a senior role within the business

Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:

  • Data minimization;
  • Transparency;
  • Allowing individuals to monitor processing; and
  • Creating and improving security features on an ongoing basis

Use Data Protection impact Assessments (DPlA’s). This Is now mandatory under the GDPR

‘Design by detail” “Design by default”

The Data Controller ls fully responsible and accountable tor ensuring that Article 5 is met

Leave a Reply

Your email address will not be published.