The GDPR is a “regulation”, rather than a “directive”, which is what the current Norwegian Personal Data Act is based on. This means that the GDPR applies directly as law in all member states, without each state first having to pass its own national act. Whereas an EU directive sets out what national laws must or should include and regulate, leaving each state to transpose it, there will now be identical legislation for all member states – simultaneously.
REASONS FOR THE GDPR
There are two main reasons why the GDPR has been adopted:
Personal data has become both a commodity and a big business, including across national borders
Current directives and national legislation have become outdated and increasingly out of sync with each other as the breadth of online services has massively expanded
The storage and processing of data touches on two of the EU’s four fundamental freedoms: the free movement of goods and services. It is therefore vital to regulate this in the GDPR, so that suppliers in all member states can compete under similar conditions across national borders. Furthermore, it is extremely important that citizens feel equally secure in terms of the storage of their data and their right to access it.
WHAT THIS MEANS FOR WEBCRUITER
As a supplier of online services, Webcruiter is referred to as a “data processor”. (The customer, who decides why and how the data is processed, is known as the “data controller”.)
The first thing to note is that recruitment solutions are not designed to process or store what the GDPR calls “special categories of personal data” (often described as “sensitive personal data”), such as information about ethnicity, religion, health, criminal offences, political leanings, membership of trade unions, or sexual orientation.
Rather, what we store is referred to as “personal data” – typically name, address, photos, CV and date of birth. In addition, we store the recruitment history of individual job applicants: what positions they have applied for, records of interviews, rejection letters and so on.
For us, as a supplier of recruitment solutions, the most important changes are as follows:
The supplier has a duty to document that they are capable of complying with the requirements of the regulation
Stricter enforcement of the rules provides for new possible penalties – fines of up to 4 per cent of total worldwide annual turnover, or EUR 20 million, whichever is higher
The data processor has direct obligations under the regulation, alongside the data controller, and both can be held liable for damage caused by non-compliant processing
A Data Protection Officer must be appointed where the regulation requires it, for example where the core activities involve large-scale processing of special categories of data or large-scale, regular and systematic monitoring of individuals
All parties must provide clear and easy-to-understand information about how personal data is processed
Suppliers should cooperate to ensure data portability
Stricter regulations to cover non-conformance management and breach notification: the controller must notify the supervisory authority within 72 hours of becoming aware of a breach where feasible, and the processor must notify the controller without undue delay
Risk assessments must be carried out, including a data protection impact assessment where the processing is likely to result in a high risk to individuals
WHAT DOES THE GDPR MEAN FOR ME AS A CUSTOMER?
Most Webcruiter customers have many other systems or solutions that process personal data: customer and sales management systems, file servers, intranet, salary and personnel systems, etc. All these systems store and process personal data in one way or another. Therefore, a recruitment solution is normally just one of many solutions that each organisation must consider when ensuring that they comply with the GDPR.
Larger organisations will no doubt hire in services from suppliers such as EVRY or PWC to evaluate all their suppliers, sub-suppliers and systems and to ensure compliance with the coming regulations. Typically, questionnaires are prepared that sub-suppliers (i.e. data processors) must complete in order to identify any non-conformances. Both the data processor and the data controller have a duty to carry out risk assessments.
Nevertheless, Webcruiter must, for its part, take responsibility for its recruitment solutions, in which data is stored and processed “in the cloud”. As a consequence, we must therefore revise our data processor agreement with each customer, so that these agreements are in line with the new regulations.
With the new regulations, job applicants who have suffered damage from a breach or suspected breach of the GDPR can bring a claim against either the data processor or the data controller.
WHAT DOES THE GDPR MEAN FOR JOB APPLICANTS?
For private individuals, there are a number of major changes that affect your rights relating to your own data:
The “right to be forgotten” and the right to demand the deletion of data
All private individuals will have the right to receive the data they have provided in a structured, commonly used and machine-readable format, so that it can be transferred to another service – often referred to as data portability
Individuals have the right to information about how their data is processed, in an easy-to-understand form
Individuals have the right to be informed about security breaches that are likely to result in a high risk to their rights and freedoms
Private individuals who have suffered damage from a breach of the GDPR can bring a claim against either the data processor or the data controller
WHAT IS WEBCRUITER DOING?
Webcruiter has identified the changes entailed in the introduction of the GDPR and is working actively to be compliant well before it applies from 25 May 2018 – in other words, to ensure that our solution, our organisation and our procedures are ready to comply with the regulations in the best way possible.
This involves considering the option of becoming certified by means of an impartial third party reviewing our organisation in the light of the requirements in the GDPR.
It is vital for us that all customers and job applicants who use our services are safe and secure in the knowledge that we are complying with the new regulations in the best way possible and to a high standard.