Over the past weeks we have been looking at GDPR and some of the effects it will have on recruiters. Many of you have had questions about the new legislation, so we held a webinar specifically to address these concerns. Below are some of the more common questions, with what we hope will be useful answers.
What constitutes personal data?
Any information related to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify the person.
What is the difference between a data processor and a data controller?
A controller is an entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Do data processors need ‘explicit’ or ‘unambiguous’ data subject consent – and what is the difference?
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
GDPR and Marketing for Recruiters
Can I still market to my existing customers?
Providing they meet the new rules, existing consents should still apply. Where personal data is processed for direct marketing, the individual’s right to object should clearly be brought to their attention.
Does the GDPR apply to cold calling?
Yes! If customers haven’t opted in to your communication, it’s a breach of GDPR.
What is the “right to be forgotten”?
This is the right of the individual to have their personal data deleted “without undue delay”, for example where data is no longer necessary for the purposes it was initially collected or processed.