As more employers engage with candidates online and through email, being compliant with data privacy laws is more important than ever. If your company sources candidates living or working in the EU, the GDPR applies to you, whether or not your company is based in the EU. The EU General Data Protection Regulation, or GDPR, requires businesses to protect the personal data and privacy of individuals in the EU (not only EU citizens) whenever they collect or otherwise process that data.
The regulation requires data protection by design and by default, which means that a data system needs to include data protection from the start, rather than as an add-on. Organizations must only hold and process the data that is absolutely necessary for the stated purpose (data minimization), and limit access to that data to those who need it to do their job.
The GDPR also requires a lawful basis for every processing activity, of which consent is one, and provides the people whose data is collected with the right to confirmation as to whether or not their personal information is being processed, for what purpose, and with whom it is shared. If the person requests, the organization also needs to provide a copy of the personal data, free of charge for the first copy, in a commonly used electronic format. The person has the right to have that data transmitted to another organization (data portability).
Additionally, the GDPR includes the right to be forgotten, also known as the right to erasure, which entitles the person whose data was collected to have the organization erase the data without undue delay, cease any dissemination of the data and, where the data has been shared, inform third parties so that they also halt their processing of it.
The regulation requires organizations to notify their supervisory authority within 72 hours of first becoming aware of a data breach that is likely to “result in a risk to the rights and freedoms of natural persons.” Where the breach is likely to result in a high risk to those individuals, the organization must also notify the affected people themselves without undue delay.
In the past, organizations that collected data had to notify local data protection authorities about their data processing activities. Under the GDPR, data collecting organizations are no longer required to submit those notifications or registrations, but they need to meet internal recordkeeping requirements (maintaining a record of their processing activities), and some organizations, such as those processing personal data at large scale, need to appoint a data protection officer.