On 25 May 2018, the EU’s General Data Protection Regulation, or GDPR, came into force. What does that mean for our database of talent working in the field of digital communications? And how does the new rule affect how we, as recruiters in this field, process your data?
What is the GDPR?
Essentially, the new data regulation is here because previous legal frameworks are no longer fit for the digital age. GDPR aims to protect the fundamental rights of EU citizens and enhance the digital economy through better data protection practices. As recruiters in the European digital communications field and data subjects using digital services like anyone else, we are all for this.
Who does it apply to?
It applies to anyone processing the personal data of EU citizens, even if that organisation is located outside of the EU. The UK has also adopted it ahead of Brexit in March 2019, and the big tech corporations of Silicon Valley are also scrabbling to adapt their systems, as shown by the inbox flood of email marketing consent updates and corporate notifications of changes to terms of service. GDPR is also big news because of the huge penalties for non-compliance.
What counts as personal data?
‘Personal data’ is any information relating to an identified or identifiable natural person: name, gender, occupation, location, biometric data, email address or other types of data, held in any format (text, graphic, etc) in any form (on paper, CD, or electronic). The GDPR applies to any actions taken with this data – collecting it, storing it, structuring or organising it, distributing it, and so on.
What are your data protection rights?
GDPR confers certain rights on EU citizens, such as:
- Right of access – including the purpose of the processing and recipients of the data.
- Right of rectification – we must update any inaccurate personal data.
- Right to object – for example, if we use your data for a different purpose than stated, you can object.
- Right to restriction of processing – for example, if processing is unlawful in some way and you ask for processing to be restricted.
- Right to erasure (also known as the ‘right to be forgotten’) – we must remove data without undue delay except in certain circumstances.
- Right to data portability – you can ask to receive your data in a structured, commonly used, machine-readable format, for transmitting to other data controllers.
What are our responsibilities?
GDPR updates the roles and responsibilities of data controllers and processors to ensure that we are accountable for complying with the six basic data protection principles:
- transparency, fairness and lawfulness
- purpose limitation
- data minimisation
- storage limitation
This means we must be clear about what data we collect and why we are collecting it, how it is processed and whether any third parties are involved in the processing, and how long we keep the data. We must not collect more than is required for our business purposes and, of course, we must ensure a high level of security. Email marketing requires its own separate explicit consent – you can sign up to our newsletter here.
Firehead and GDPR
CJ Walker, founder of Firehead, says: “Recruitment is an especially important area for data protection because we hold so much of your life detail in your CV. As digital recruiters, we take our obligations seriously and always hold any information supplied to us in the most respectful security.
“To ensure we understand the new regulation, we have undertaken an online university course outlining the main provisions of the GDPR, including key concepts, principles and data protection roles, rights and responsibilities.
“As a result, we are in the process of updating our processes as a data controller and settings in any data processors we use (web analytics and email services, for example).
“We also never change the information you supply in your CV – we only change the contact details to Firehead when we forward your CVs to potential employers.”
Image: (CC) Mohamed_hassan/Pixabay