With the GDPR dominating every recruitment conversation across Europe as agencies scramble to comply before the 25 May 2018 deadline, Jordan Betteridge advises Australian recruitment agencies to sit up and take notice too.
Data double whammy
In Australia, we’re being hit with the double whammy of our new data breach notification requirements and Europe’s new data protection regime - and I believe that, in general, Australian recruitment firms are lagging behind where they need to be.
Fortunately, the Australian Privacy Act of 1998 shares common ground with the GDPR, but there are certain exceptions to the rule, notably the new rights of individuals that we suggest the recruitment industry becomes familiar with.
Here, we're answering some of the most frequently asked questions to help every Australian recruiter understand what the GDPR will mean to them.
So what is the GDPR?
The European Union General Data Protection Regulation is a new set of data protection laws that introduce clear, uniform data protection. They set out to build legal certainty for businesses while enhancing consumer trust in online services.
Will the GDPR apply to me?
If you’re a business with an office in the EU, you offer goods or services in the EU or you monitor the behaviour of individuals in the EU then, yes, the GDPR applies to you and you will need to comply.
What information does the GDPR apply to?
The GDPR applies to personal data - which is any information relating to an identified or identifiable natural person. A wide range of identifiers can be ‘personal data’ including a name, an identification number, location data or an online identifier specific to that natural person.
What are some of the new requirements under the GDPR?
While many of the terms under the GDPR are covered in the Australian Privacy Act, there are some new requirements, listed below:
Accountability and governance
The GDPR expands on accountability and governance requirements, and data controllers must:
demonstrate that they comply with all the principles relating to processing personal data
implement appropriate technical and organisational measures, including data protection policies - referred to as ‘data protection by design and by default’
minimise the processing of personal data, pseudonymise personal data, and be transparent about its use and processing.
When developing, designing or using a product, service or application that processes personal data, data controllers must:
in certain circumstances, appoint a data protection officer
undertake a compulsory data protection impact assessment (DPIA)
keep records of processing activities
draw up codes of conduct.
Personal data may only be processed under the GDPR if one of the ‘conditions for processing’ applies. This could be that the individual ‘has given consent to the processing of his or her personal data for one or more specific purposes.’
The GDPR includes a new definition of consent, which states that it must be freely given, specific, informed and an unambiguous indication of agreement to the processing.
And, critically, the data controller must be able to demonstrate that the individual has consented to the processing. Consent is not freely given if the individual has no genuine or free choice or is unable to refuse or withdraw consent at any time. Businesses also need to make withdrawing consent as easy as giving it.
So, for example, pre-ticked boxes are not considered consent - which is a key difference from the Australian Privacy Act.
Data breach notification
Data controllers must advise the relevant supervisory authority of a data breach within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a high risk to the rights and freedoms of individuals, in which case the notification must be made ‘without undue delay.’
Data controllers must give individuals certain information about the processing of their personal data, which must be concise, transparent and use plain language.
Expanded rights for individuals
The GDPR includes a range of new and enhanced rights for individuals:
Right to erasure
The right to erasure (which encompasses the ‘right to be forgotten’) gives individuals the right to have their data deleted if the information is no longer necessary for the purpose for which it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data.
Right to object
Another enhanced right for individuals in the GDPR is the right to object at any time to the processing of their data (including profiling).
Right to data portability
The right to receive personal data in a ‘structured, commonly used, machine-readable format’ and to transmit that data to another controller.
Right to restrict processing
Where processing is restricted, personal data may only be processed under certain limited circumstances including with the individual’s consent. For example, if an individual contests the accuracy of their personal data, there may be a temporary restriction on processing.
Overseas transfers of personal data
Under the GDPR, personal data may be transferred outside the EU to countries or international organisations that provide an adequate level of data protection, on condition that individuals’ enforceable rights and effective remedies are available and, where appropriate, safeguards are in place.
The GDPR gives supervisory authorities the power to impose administrative fines for contraventions by controllers or processors - up to €20 million or 4 percent of annual worldwide turnover, whichever is higher. The GDPR also requires the EU Commission and supervisory authorities to cooperate, engage and provide mutual assistance in the enforcement of data protection laws with privacy authorities outside of the EU.
The long and short of it is that the GDPR is likely to affect many Australian recruiters in some way.
At Volcanic, we’re a long way ahead of the curve. Our web platform, which will help our clients comply with their GDPR obligations, is undergoing a phased roll-out across all our client websites as part of our all-inclusive software as a service.
Get in touch to learn how we can support your GDPR compliance.