Only a few months remain until the European Union’s General Data Protection Regulation (“GDPR”) starts being enforced. Many organizations have May 25, 2018 circled in red ink on their calendars and have a concrete plan in place to become GDPR-compliant. Not being GDPR-compliant by this date could cost you up to 4% of your global annual revenue.
The primary objective of GDPR is to give more control to EU citizens and residents over their personal data and to simplify and unify data regulations within the EU. The implications for organizations that collect, process, store, and share personal data online for people in the EU are massive.
If you’re looking for a good summary of GDPR, check out this quick guide.
4 Things to Keep in Mind
In terms of the personal data your company handles and stores, here are the four main things you need to think about:
- Where your data is located
- What data you have
- How long you keep it
- How you react to requests about your data
If you already have answers to these questions and processes in place to address them, you’re off to a good start.
But how can you further prepare for GDPR?
Data Storage Tips
GDPR requires that companies store the personal data of EU citizens in the EU. However, you aren’t required to do so for data stored by a provider that contractually guarantees sufficient provisions, like Amazon Web Services (“AWS”) per its Data Processing Agreement.
If you don’t use a service like AWS that has this special exemption from GDPR, you should move to EU-based servers. In some cases it might make more sense to keep some data in the US and only move the data you need to move to the EU, especially if you want lower latency for US customers. But this will pose problems if splitting your storage strategy this way requires big architectural changes. Do your due diligence with your current vendor to see if you’re exempt or if you should consider switching.
But where do you start in the first place? Start with an information audit. Do a deep dive into what kinds of information you have, how it’s collected, and where it ends up. Then you can determine how long it’s used and how long it’s stored. You might find you’re collecting certain information without having a good reason to do so.
How businesses prepare themselves ultimately depends on their specific business needs and processes, and what their customers value the most. Organizations will find the most success if they partner with their customers on how to approach GDPR-compliance.
Let’s review some GDPR terminology in the scope of HR Technology companies and their customers:
Data Controller = The company doing the hiring
The company doing the recruiting is the data controller because they decide the purposes for collecting candidate data and how they collect it.
Data Processor = Codility, and all other software vendors used in the hiring process
HR Tech companies process data on behalf of their customers, making them a data processor.
Here’s an example of this in action: After GDPR hits, hiring companies are responsible for deleting candidate data and reacting to requests regarding data. And as HR Tech vendors, we need to make sure we can delete it for them, and react quickly and appropriately to other requests. If an EU-based candidate messages a hiring team they’ve been communicating with that they want some or all of their data erased, that hiring team will rely on its vendors to delete that information.
What can be helpful is listing out all the pieces of information your customers will care about. For instance, these are the most important pieces of personally identifiable information that we collect about candidates on behalf of our customers:
- Email address
- Profiles (LinkedIn, Facebook, Online Portfolios, etc.)
Another consideration many companies have is whether to hire a Data Protection Officer (“DPO”). Even though hiring a DPO is mainly a priority for enterprises larger than Codility, we still plan to add one to our ranks. Codility processes significant amounts of personal data; we’re talking thousands of candidates every month. We want our clients to feel like they’re in good hands, and our having a DPO, whose main responsibility is to ensure compliance with data protection laws, further backs up our statement that we’re committed to delivering premium products and services for companies looking to bolster their tech hiring. Hiring a DPO is a great way to turn GDPR from a daunting challenge into an opportunity to differentiate your offering.
Organizations that touch the personal data of citizens and residents in the EU need to know the ins and outs of GDPR. Thinking long-term, GDPR might only be the start of an increasing trend of data compliance laws. There’s no telling whether GDPR will add requirements in the EU or whether a similar regulation will make its way outside the EU. This only means it’s critically important to get compliant now. And with proper preparation and process, you can make the most of the situation and turn GDPR into a competitive advantage.