GDPR: where do you start?
Your brand-new data protection officer has taken office.
You have data processing agreements in place for partnerships with external parties.
You have a data protection policy and codes of conduct related to personal data.
Data breach procedures are in place and are followed up on.
Data protection impact assessments are done when new projects are started.
And still, new GDPR questions are rising every day...
Did you read our introduction to GDPR in an HR Technology context? In this article we take it a step further and attempt to answer frequently asked GDPR questions by adopting the right mindset. GDPR started out with a few basic principles, but a lot of complexity was added along the way to make it a controllable framework. What if you stripped away all the required procedures, documents, approvals, registers, ...?
What do GDPR and your bike have in common?
Let's take a closer look at one of the major GDPR principles: “Put the data-subject in control of his/her own data.”
The ultimate goal is to give you, as a person, maximum control over your own data. Your personal data belongs to you, it's yours, just like your favorite bike is...
Your neighbor wants to ride your bike, so (s)he asks you for permission in advance. As you care about your bike, you ask why (s)he wants to use it: what is the reason, and what will it be used for? If there is a valid reason, you ask your neighbor not to use it for anything else and not to let anybody else ride it, as you don't want your bike to get lost or broken. If the bike is parked, a decent bike lock must be used. If the bike is stored, it must be stored in a place that is considered safe. And if you want to ride it in the meantime, want to check on the state of the bike, or want it returned: how can you reach your neighbor?
The thinking of a GDPR data-subject is similar to the thinking of the bike-owner. Making the comparison can help you tackle some of the most frequently asked GDPR questions.
Let's get practical: how to handle your recruitment database?
Questions are being raised about the use of recruitment databases, or other databases containing personal information that are directly linked to your organization (e.g. direct marketing databases):
• Can this database still be used under GDPR?
• For how long can the personal data be stored?
• What do potential candidates need to know about the data?
Let's go back to our 'bike' example; it will help you think and act as the data subject:
• The reason to use the bike (~ Determine the lawful processing grounds):
- Depending on the reason, you need to provide specific information (~ Act in accordance with the determined lawful processing ground)
- Don’t use the bike for any other goal (~ No processing allowed outside the specified goals)
• Inform the person about where the bike is stored, how it can be accessed, etc. (~ Guarantee the eight individual rights of the data subject):
- Inform the bike owner, grant access, rectify the state of the bike, have the bike removed, withdraw from the agreement, restrict usage, ... (data portability and automated decision making / profiling are harder to apply to the bike example)
- Provide the required tools/procedures to allow the bike owner to enforce his rights
What's the lawful processing ground in case of personal data used for recruitment purposes?
I'm no legal advisor, but keeping the GDPR basics in mind, the lawful processing ground is either 'Consent' or 'Legitimate interest'.
Contractual necessity, legal obligation, vital interests or public interest do not seem to apply here.
Consent is the primary lawful ground; all other grounds can be considered necessary exceptions that make the framework workable. Consent here is no different from consent in the bike example: it needs to be given freely, through an opt-in question (active, informed consent of the data subject). This is in contrast with opt-out, where the person's data is processed by default unless the person objects.
On the other hand we have legitimate interest. Most data is kept for a reason, but calling all those reasons legitimate interests sounds too easy. Above all, it does not put the data subject in real control of his or her own data.
What about legitimate interest?
Processing is lawful when it is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject:
- If the data is essential to the activity of a recruiter and the interests or rights of the data subject do not override that interest, legitimate interest can be used as the lawful processing ground.
Using legitimate interest still requires you to respect the individual rights of the data subject, but no active informed consent (opt-in) is needed:
- The person needs to be informed of the specific processing operations and must have the possibility to object (opt out).
Guarantee individual rights
These individual rights are not new, but you need to make sure the necessary tools and procedures are in place so that you can deliver on them when needed.
What's the solution for your recruitment database?
Can you keep using your database?
- Yes, but data subjects need to be informed of the specific processing operations and of their rights (including the possibility to opt out).
- The required internal procedures need to be put in place, and recruiters need to be trained so they can respond to requests from data subjects exercising their rights.
For how long can you store the data?
- For as long as the legitimate interest is valid, processing can continue. However, two years is often suggested as an appropriate retention period; older data needs a refresh to still count as 'good' recruitment data.
- When the processing ground is no longer valid (a change in processing operations, an objection by the data subject), the personal data can no longer be stored and needs to be destroyed.
Do your potential candidates need to know their personal data is stored?
- Yes, data subjects need to be informed of the specific processing operations and of their rights (including the right to opt out).
Want to know more on how Emeritis can support you in your GDPR journey and which tools we provide to do so? Join our 40-min webinar on February 20th! How to register? Send an email to firstname.lastname@example.org. Talk to you soon!
Joeri Vander Vaet, SAP HCM Consultant
Emeritis is not engaged in rendering legal advice, and this article cannot be used as a substitute for legal consultation.
Emeritis provides advice on HR Technology and performs change management and HR consulting to help customers adopt the measures they deem appropriate to achieve GDPR compliance.