Let's hear Anita's explanation about whether Harrison is complying with the GDPR when he is interviewing and what he can do differently.
You're talking to a candidate and asking them about their previous roles. They tell you about their achievements, how long they held each role and why they left.
What can you record?
A. Their Achievements
B. Your opinions of their character
C. Their reason for leaving
D. None of the above
Actually, these are all fine.
You can record any of these, but you need to be careful when you are recording anything subjective like your opinions of a candidate. They could ask to see anything you record about them. So make sure there's nothing embarrassing or offensive.
You're short-listing for an interview and the client has asked you to provide more information about each candidate.
Which information will require explicit consent from each candidate?
A. Ethnicity
B. Health
C. Gender
D. None of the above
Health and ethnicity data are both classed as Special Category data. Anything that you record about health, like a medical condition or an operation, will require consent.
Under DPA18 there is a special exemption to hold data on ethnicity at the early stages of the recruitment process where there is a diversity requirement for that specific role. The role needs to be at senior management or board level. However, it is always advisable to gain consent to hold ethnicity data at the earliest opportunity.
Age and gender do not require consent. However, be aware that using age-related data could create risks for you and your business under age discrimination laws.
Here's a complete list of the different types of special category data:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic or biometric data
Health
Sex life
Sexual orientation
Criminal convictions information
In a conversation with a client, he tells you the names and ages of his two children.
What can you record?
A. The names
B. The ages
C. The fact that he has two children
D. None of the above
The fact that he has two children
This is better than recording the names and ages of the children as you are reducing the risks to the family.
Consider whether you really need to record data about other people's children. Unless you are helping a family relocate, it's highly unlikely that you have a legitimate reason to record this data.
By law, you must have parental consent to record data about children under the age of 13. If they are over 13 you must still inform them you are processing their data.
If people don't know who has their data, or what data is held about them, how can they exercise the rights that the GDPR gives them?
Transparency is a fundamental part of the GDPR. There are different steps you and your business can take to be transparent. Everyone whose data you hold should be informed, within one month of you obtaining their data, that you are holding it, and they should be sent a link to your privacy policy.
A link to your company Privacy Policy in your email footer is one of the simplest ways to notify people about how you handle data and what they can do to find out more.
When you send InMail to people on LinkedIn always send them a link to the privacy policy as well. It helps transparency and creates a record that can be audited in the future.
If someone gives you their business card, tell them you'll be in contact. Don't just assume they've given you the green light to marketing spam for the rest of their lives.
Your business has created policies and processes to make sure this happens. You need to understand them. If you don't, ask your manager now.
Let's look at a typical scenario to show how simple everyday decisions can get you in trouble if you don't remember the principles.
Jane has been asked by her client to thoroughly map the market for several key roles. They want to know who are the rising stars at their key competitors who could be considered for succession planning.
The client does not want the candidates to know they are appearing on a market map. However, they do want Jane to share the candidate contact details with them. Many of these prospective candidates are already on the company database.
Produce the information, but only share publicly sourced information with the client and ensure that everyone on the market map is aware of your privacy policy.
This is difficult because market mapping and longlisting are activities that create challenges when complying with the GDPR. If you share personal data with your client before informing the individuals that you are holding their data, then you are potentially in breach of the GDPR. It is a fine balance, and your company will have decided how best to handle this, so check your company policy.
The safest way is to ensure that you have tried to inform everyone on your list that you are processing their data and share your privacy policy with them.
If it's a very large market map and you have not informed the people whose data you have sourced from public sources, be aware that relying on the argument that it was too much effort to contact them all (known as "disproportionate effort" under the GDPR) has been challenged by the regulators.