The General Data Protection Regulation (GDPR) is bringing a great wave of change to companies worldwide. With stricter rules around data privacy, security, and accountability – effective May 25, 2018 – companies in and outside the EU are making data protection a top priority.
GDPR's reach extends far beyond the EU, where the law takes effect: its rules apply to any company that processes the personal data of individuals in the EU, wherever that company is based. That could mean a candidate applying to your company, or an existing employee residing in the EU, even if you're a US-based employer.
HR handles huge amounts of personal data, so the race is on to identify potential GDPR compliance issues. It’s likely that your HR organization is (or will be) completing business process inventories and making changes in the way you address the rights of data subjects, data retention rules, and more.
And here’s another important consideration: Not only must you comply with GDPR, you must also ensure that all HR tech or SaaS vendors you work with are in compliance as well. Last year, OutMatch began working with TrustArc, a leading privacy compliance and risk assessment company, to assess our readiness for GDPR. This has helped us, as a Data Processor, to identify operational enhancements that should be made before the new regulations take effect.
Here are a few key things that you, the Data Controller – and by extension your Data Processors – will be held accountable for when it comes to GDPR. (There are more considerations than this, but these will help get you thinking about the right questions to ask when evaluating your vendors.)
1. Lawful Basis for Processing Data
To collect and process the personal data of people in the EU, you must have a lawful basis for doing so. Consent from the Data Subject and the legitimate interests pursued by the Data Controller are two of the lawful bases GDPR recognizes. Consent is a common approach in scenarios such as marketing, but it's not our recommendation for HR data: consent must be freely given and can be withdrawn at any time, which is hard to reconcile with the imbalance of power between an employer and a candidate or employee. While you should always check with your company's data protection officer and legal counsel, we expect most of our clients to use pursuit of legitimate interests (hiring and developing great employees!) as their lawful basis for processing data.
2. Cross-Border Data Transfers
According to GDPR, you must have a lawful mechanism for transferring personal data out of the European Economic Area (EEA) to countries, such as the US, that have not been recognized as providing adequate protection. There are a few ways to do this. At OutMatch we use Standard Contractual Clauses (also referred to as Model Clauses), which describe the data we collect and transfer on behalf of our clients, how we protect it, and so on. We append them to our agreements with clients who request it, and this provides the lawful basis for the transfer. Soon, OutMatch will add support for the Privacy Shield Framework, which will provide a second transfer mechanism that does not require a contractual addendum.
3. Rights of Data Subjects
These include the Data Subject's right to be informed of the purposes for which their personal data will be processed, the right of access to that data, the right to have it corrected (rectification), and the "right to be forgotten" (erasure), along with several other rights such as restriction of processing, data portability, and objection. At OutMatch, we have internal processes set up and ready to help you handle these requests when you receive them.
4. Data Security
5. Records of Processing Activities
GDPR requires you to keep records of the processing activities that involve personal data. As one of your Data Processors, we've mapped all of our processes involving your candidates' and employees' personal data into ready-to-use templates, which you can use as part of your business process inventories, or in your privacy and/or data protection impact assessments.
The Bottom Line
When it comes to the considerations above, or anything related to GDPR, OutMatch has you covered. If you’d like to learn more about data processing and GDPR, please contact us. We’re happy to answer any questions you have.