Privacy by design – what you need to know

The business world is talking about the importance of the General Data Protection Regulation (or the GDPR), but few companies really understand the implications of non-compliance. We believe it's our role to help educate organisations about the actions they need to take to ensure they are GDPR compliant.

To help recruiters understand the challenges of GDPR compliance, we are releasing a series of short articles to simplify the requirements, address some of the myths and offer potential solutions.

This third article goes into more depth about ‘privacy by design’, one of the three core principles of the GDPR.

What is privacy by design?

According to the Information Commissioner's Office (ICO), ‘Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start’. This approach has been championed by the ICO for many years, but the GDPR is much more explicit about the requirements and the penalties for not complying. Organisations have a general obligation to implement technical and organisational measures that show they have considered and integrated data protection into their processing activities.

At a practical level, this means your compliance team will almost certainly be working through audits of processing activities and reviews of policies. They will also be able to help with supplier contracts which will all need to be updated to reflect the new regulations and responsibilities. If you have not had guidance on these, you can download legal guidelines from the Hollaroo GDPR website.

With time running out, this process could be brutal – the starting point will be that anything non-compliant needs to stop because the financial (and reputational) risk is too great. You need to, therefore, get ahead of the curve by having a clear understanding of what the requirements are and what changes need to be made. The areas to review are contracts and documentation, automated processing, accessibility and international transfers.

Contracts and documentation

With each supplier, you need to agree what you are processing and why. Your GDPR compliance team should have templates you can use, but this is a good opportunity to run through how your suppliers collect data, how long they keep it for and how they will allow users access to it.

For every single process, you need documentation to cover the purpose of the processing, what you are processing and how long you plan to retain the data. Your compliance team will have an opinion on how specific a process needs to be – as a minimum, you will need to separate out processes where there is a different legal basis, e.g. processing applicants and recruitment marketing.

Automated data processing

The GDPR has specific requirements with respect to automated processing, so any tools you have that do this need to be reviewed carefully. There is a specific case of profiling individuals for ‘performance at work’ which will cover selection processes.

For each automated profiling process, you will need to conduct a data protection impact assessment (PIA) and also understand how you will manage the rights of individuals to not be subject to a decision based on automated profiling. For more information on PIAs, we recommend the ICO guide to data protection impact assessments.

Access control and audit

Any place where you store and process personal information needs to be secure and you need to have granular control over who has access to it. You also need to be able to keep a record of who has accessed and/or changed personal information. If personal data is accidentally lost, altered or destroyed, you must to be able to recover it.

This sort of security is only typically available in a dedicated system. The days of spreadsheets, bulk printouts and emailing of data are over.

International data transfers

If you, or your suppliers, store or process personal data outside the European Union then further restrictions apply. You need to make it clear that this will happen to the individual whose data you are processing. Generally, organisations will not be able to assess the adequacy of protection provided by their suppliers but will, instead, need to demonstrate that appropriate safeguards have been recognised by public authorities or bodies.

This is very restrictive and will be one of the fundamental questions asked by your compliance team of your suppliers – so you may want to find out beforehand.

Further reading

Hollaroo maintains a dedicated, constantly updated set of resources on the GDPR at http://www.hollaroo.com/gdpr.html