What you need to know about GDPR
Hint
If you can, the best way to understand GDPR is to read the official text.
It is a bit long (99 articles over 88 pages), but quite readable for non-experts.
It is an EU Regulation that aims to harmonize and modernize existing privacy legislation, replacing the Data Protection Directive (95/46/EC). It lays down rules for the protection of natural persons with regard to the processing of their personal data, and for the free flow of personal data within Europe.
Because it is a Regulation, not a Directive, it applies directly in all EU member states without requiring transposition into each country's domestic law. EU countries have a limited margin of interpretation for the finer points, but the fundamental rules are the same for everyone, everywhere in the EU.
GDPR also brings the legislation up to date, taking into account social media, cloud computing and cybercrime, and the major challenges they cause in terms of personal data privacy and security.
In a nutshell: Don’t panic!
GDPR is not a world-breaking new legislation, and it is fundamentally a good thing for citizens and businesses.
It’s Positive!
We want to emphasize that GDPR can be great for you and your customers. Complying with the GDPR may initially represent a lot of work, but there are upsides to the new rules:
- Increased trust from your customers and users
- Simplification: The same rules are applied in all countries across the EU
- Rationalization and centralization of your organizational processes
The purpose of GDPR is to give individuals more control over their personal data. If your company puts the correct strategies and systems in place, your data will be easier to manage, more secure, and safer for the years to come.
New privacy laws and best practices with RecruitGenius
Since May 25th, 2018, the General Data Protection Regulation (GDPR) has been in effect, opening a new era of data protection and privacy for everyone. While you have certainly heard and read a lot about GDPR, it can be difficult to understand exactly what it means for your business in practical terms, and what you should do to comply with the new rules.
At RecruitGenius, we are committed to following best practices in security and privacy. We strive to provide the same level of protection to all users and customers, regardless of their location or citizenship, and we apply those best practices to all data, not just personal data.
RecruitGenius.ai is therefore compliant with GDPR both as a Data Controller and as a Data Processor.
Key principles of GDPR
Scope
The regulation applies to any processing of personal data by any organization:
- If the controlling or processing organization is established in the EU
- If the organization is not established in the EU, but the processing concerns personal data of data subjects who are in the EU and relates to offering them goods or services, or to monitoring their behaviour within the EU
The scope therefore includes non-EU companies, which was not the case with the older legislation.
Roles
The regulation distinguishes two main types of entities:
- Data controller: any entity that determines the purposes and means of the processing of personal data, alone or jointly with others. As a general rule, every organization is a controller for its own data.
- Data processor: any entity that processes personal data on behalf of a data controller.
For example, if your company owns an account with workspaces hosted on the RecruitGenius.ai app, you are the controller for the data entered in those workspaces, and RecruitGenius.ai acts as the data processor in order to provide the service.
Personal Data
GDPR gives a broad definition of personal data: any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by means such as name, email address, phone number, biometric information, location data or financial data. Online identifiers (IP addresses, device IDs, cookie identifiers, …) are also in scope.
This applies in business contexts too: hello@recruitgenius is not considered personal data, but john.doe@recruitgenius.ai is, because it can be used to identify a natural person within a company.
GDPR also requires a higher level of protection for the special categories of personal data (Article 9), which include health, genetic, biometric, racial or ethnic origin, and religious or philosophical belief information.
Data Processing Principles
In order to be compliant, processing activities must observe the following rules (as listed in Article 5 of GDPR):
- Lawfulness, fairness, and transparency: to collect data, you must have a legal basis and a clear purpose, and you must inform the data subject about both.
  - Have a simple and clear Privacy Policy, and refer to it everywhere you collect data
  - Verify the legal basis for each of your data processing activities
- Purpose limitation: once data has been collected for a purpose, request permission if you want to use it for a different purpose. e.g. – You cannot decide to sell your customer data if it was not collected for that purpose.
- Minimisation: you must only collect the data necessary for your purpose
- Accuracy: reasonable steps should be taken to keep data up to date with regard to its purpose. e.g. – Be sure to handle bounced emails, and correct or delete the addresses.
- Storage limitation: personal data should only be kept for as long as needed to fulfill its primary purpose. Define time limits for erasure or review of the personal data you process, depending on its purpose. (RecruitGenius specifically has a policy of deleting candidate interview videos after 3 months.)
- Integrity and confidentiality: controllers and processors must implement appropriate access control, security and data loss prevention measures, in proportion to the types and amounts of data being processed. e.g. – Make sure your backup system works and that restores are tested, have proper security controls in place, encrypt sensitive data at rest and in transit, and store passwords only as salted hashes produced by a purpose-built password hashing function, never as reversibly encrypted values.
- Accountability: data controllers are responsible for, and must be able to demonstrate, compliance with all the above processing principles.
  - Establish and maintain a data mapping reference for your organization, describing the compliance of your processing activities
  - Inform your customers via a clear Privacy Policy
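The integrity and confidentiality principle above is often misread as "encrypt the passwords". Encryption is reversible, so anyone holding the key (or a backup of it) can recover every password; a password must instead be stored as a salted, slow hash that can only be verified, not reversed. The following is an added example, not code from the original page or from RecruitGenius, showing the pattern with Python's standard library only: scrypt with a per-record random salt, constant-time comparison, and a check that flags records hashed under weaker parameters so they can be upgraded at next login. The storage format, the parameter values and the function names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed work-factor parameters for this example. Tune N upward on real
# hardware; 128 * r * N bytes of memory are needed per hash (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DIGEST_BYTES = 32

# Assumed record format: scrypt$N$r$p$<salt hex>$<digest hex>
_SCHEME = "scrypt"


def hash_password(password: str) -> str:
    """Return a self-describing, salted scrypt record for `password`.

    A fresh random salt per record means two users with the same password
    get different records, and precomputed (rainbow) tables are useless.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DIGEST_BYTES,
    )
    return "$".join(
        [_SCHEME, str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), digest.hex()]
    )


def _parse(stored: str):
    """Split a stored record into its parts, or return None if malformed."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != _SCHEME:
        return None
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, digest = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return None
    if n < 2 or (n & (n - 1)) != 0 or not salt or not digest:
        return None
    return n, r, p, salt, digest


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash under the record's own parameters and compare.

    hmac.compare_digest avoids leaking, through timing, how many leading
    bytes of a guess matched.
    """
    parsed = _parse(stored)
    if parsed is None:
        return False
    n, r, p, salt, digest = parsed
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(digest)
    )
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with weaker parameters than the current
    policy (or is unreadable), so it should be re-hashed after a successful
    login. This is how a stored-password estate is upgraded over time
    without ever decrypting anything, which the scheme could not do anyway.
    """
    parsed = _parse(stored)
    if parsed is None:
        return True
    n, r, p, salt, digest = parsed
    return (
        n < SCRYPT_N
        or r < SCRYPT_R
        or p < SCRYPT_P
        or len(salt) < SALT_BYTES
        or len(digest) < DIGEST_BYTES
    )


if __name__ == "__main__":
    # Constructed demo input; never log real passwords like this.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
    print(needs_rehash(record))                                      # False
```

The record carries its own parameters, so raising SCRYPT_N later does not invalidate existing logins: old records still verify, needs_rehash() reports them, and the login handler replaces them with hash_password() while it still has the plaintext in hand.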
Legal Basis
In order to be lawful under GDPR (the first principle), processing of personal data must rest on one of the six legal bases listed in Article 6(1):
- Consent. Valid when the data subject has freely given a specific, informed and unambiguous indication of agreement, for a clearly stated purpose. The burden of proving all of this lies with the controller, and consent can be withdrawn at any time.
- Performance of a contract with the data subject, or steps taken at the data subject's request before entering into a contract.
- Compliance with a legal obligation to which the controller is subject.
- Protection of a vital interest, when the processing is necessary to protect someone's life.
- Performance of a task carried out in the public interest or in the exercise of official authority.
- Legitimate interest. Applicable when the controller (or a third party) has a legitimate interest that is not overridden by the interests and fundamental rights of the data subject.
One major change brought by GDPR over previous data privacy regulations is the stricter requirements for obtaining valid consent.
Data Subject Rights
Existing data privacy rights for individuals are further expanded by the GDPR. Organizations must be prepared to handle requests from data subjects within one month (extendable by up to two further months for complex or numerous requests, provided the data subject is told why), free of charge unless a request is manifestly unfounded or excessive:
- Right to Access – Individuals have the right to know whether, what and how their personal data is being processed, and to obtain a copy of it;
- Right to Rectification – Individuals have the right to obtain correction or completion of their personal data;
- Right to Erasure – Individuals have the right to obtain deletion of their personal data on legitimate grounds (consent withdrawn, data no longer necessary for the purpose, etc.);
- Right to Restriction – Individuals can require the controller to stop processing their personal data (while still storing it), if they do not want or cannot request full deletion;
- Right to Object – Individuals have the right to object to certain processing of their personal data at any time, for example processing for direct marketing purposes, which must then stop;
- Data Portability – Individuals have the right to receive the personal data they provided to a controller in a structured, commonly used, machine-readable format, and to have it transmitted to another controller.
Our GDPR Roles
Our responsibilities in terms of personal data protection depend on our various data processing activities:
Our Roles | Data Processing | Kind of data
---|---|---
Data Controller & Processor | On RecruitGenius.ai | Personal data provided to us by all direct users of RecruitGenius.ai (1. Data Collection)