Data Privacy Laws and How They Might Affect You
June 26, 2018 – Last month, the European Union’s General Data Protection Regulation (GDPR) went into effect. While certain issues are still being resolved, the law will have a tremendous impact on how companies, government agencies and, yes, executive search firms across the E.U. – including the U.K. – handle personal data. GDPR also affects U.S. recruiting firms and others that collect and process information about individuals living in the E.U., no matter where they are located. For many in the search industry these are uncertain days, with two-thirds of executive recruiting firms concerned they could be exposed to heavy fines under GDPR, according to research released by executive search software platform Invenias.
The law, which was passed two years ago, is designed to protect individuals from threats to privacy in this still-emerging digital age. GDPR, in a nutshell, brings greater transparency to data privacy and personal information storage through explicit consent. It also allows E.U. citizens to access their personal data that is being held by organizations and, if they wish, to opt out. Under the new law, personal data is defined as “any information related to a natural person or ‘Data Subject,’ that can be used to directly or indirectly identify the person.” That information might be bank details, medical information, a computer IP address, and more.
While the U.K. and the European Union continue to work on the details of Brexit, how GDPR ultimately plays out in the U.K. remains an open question. It is in effect there now, however, and is likely to continue in one form or another after the formal separation, scheduled for March. Among the requirements of the law: Individuals must consent before organizations can maintain or make use of someone’s personal information; cyber breaches must be reported within 72 hours; and people have the right to have their information deleted and stop it from being made available to others.
One company that is helping its clients – executive recruitment firms, venture capital and private equity organizations, and in-house recruiters – navigate and comply with GDPR is Philadelphia-based Thrive, which develops software for recruiters and talent executives. Playing an integral part in the firm’s efforts is its director of product management, Andrew Trksak, who recently spoke with Hunt Scanlon Media about the law and its implications for talent professionals and others. In the following interview, he discusses the impact GDPR is likely to have, the consequences of Brexit for GDPR in the U.K., how his company is helping its customers navigate the law, and how the law has contributed to greater privacy awareness.
Empowering Personal Data
In this brand new episode of ‘Talent Talks,’ we delve into the recent developments of the GDPR with our host Andrew Mitchell and Reed Flesher, founder & president of Thrive TRM. “The focus of the legislation is to give greater control to the individual; to manage his or her data,” said Mr. Flesher. “The end result should empower the individual to understand who has their data, how it is being used, and/or have the ability to delete it from a database.”
At Thrive, Mr. Trksak oversees product development, the product roadmap and user experience. He aligns the firm’s team with the organization’s strategic goals and shapes all aspects of the user experience, including interactions and user flows. He is responsible for seeing that client customizations are consistently delivered on time and with high quality. Mr. Trksak establishes best practices for product development, agile delivery and quality engineering to support the software and product development teams. He also reviews usability tests and analyzes user trends to identify new opportunities for growth.
Before joining Thrive early last year, Mr. Trksak was with London-based Barclaycard, a credit card company and division of Barclays bank, where he was assistant vice president, digital platforms lead product owner, and before that, website experience and optimization manager. Previously, he worked for the Berlitz Corp., where he was manager of online solutions development, among other roles.
———————————————————————
Andrew, how will GDPR impact people?
I would reinforce the fact that the focus of the legislation is to give greater control to the individual to manage her or his data. The changes should provide greater protection to individuals within the E.U. against having their data used in ways without their knowledge and also provide means by which they can request to remove data that they no longer wish to maintain. The end result should empower the individual to understand who has their data, how it is being used and provide ways by which they can request the data being held and/or have it deleted. I think we should also call out that the enforcement of GDPR and the ramifications of the changes across various industries are still being figured out following its effective date last month. For example, there were a few small sites that already popped up providing ways to simplify the data request/deletion process with several large sites, such as Google or Facebook. It will be interesting to see how companies continue to adjust to how the regulations are enforced and also what types of new companies or applications may be created as a result.
What can individuals do to prepare for this new regulation?
For the most part, individuals don’t need to do anything. I think we should recommend that each person review carefully the privacy policy updates that were sent to them in May by the majority of the applications that hold their data as these will inform the user of the ways their information is being used. The changes in GDPR also emphasize making this information easier to understand, so each privacy policy should be more readable, even if they are still long and detailed. There was an article a few weeks back from the Wall Street Journal that went into the privacy policy updates a bit and discussed how people should review them carefully. Perhaps this can be referenced as a recommendation for people to take action to understand who has their data and how it is being used, as well as options that they may have to manage it.
What effect will Brexit have on GDPR?
Most anticipate the U.K. enacting similar GDPR-type legislation once the process is complete. I’m not sure if we have further details available on this as of yet, however. There was also a recent article in the New York Times pointing to the fact that other countries – such as Japan or Brazil – are starting to consider similar legislation of their own. Another point is that many companies are taking a global response to GDPR as they are taking this as an opportunity to afford similar protection to all of their users. One example is Apple, which started with the E.U. first, but plans on rolling out similar data request initiatives throughout the rest of the world this year. Others are following similar approaches to rolling out protections or options to users, while some may choose to focus solely on those in the E.U. The opposite side of this is, of course, those organizations that choose to restrict access following GDPR to those under its protection. One example of this is Instapaper, which chose to block E.U. users after May 25 while it works to get things in line on their side.
How has Thrive prepared for GDPR?
Thrive has prepared for GDPR by making sure that our clients have the tools necessary for them to maintain compliance under the GDPR. The first set of GDPR-related features launched in May and provided Thrive administrators with more powerful tools to manage their existing database. The first step to achieving compliance for every firm is to review what data you currently have and confirm the legal basis for maintaining access to the information. Each company will likely want to remove records no longer relevant or permissible to maintain. With this in mind, Thrive was updated in May to provide a new bulk delete functionality. Thrive admins can now remove up to 100 records at a time, increasing productivity and providing the resources needed to achieve compliance. In addition to managing data, Thrive users now have a way to track the legal basis that they have to keep personal information. Under the GDPR, organizations must claim a legitimate interest to maintain data on an individual or provide the individual with a way to consent to the storing of the information. Each contact in Thrive can now be tracked by the legal basis the organization is claiming, providing quick filters to view those records that you may no longer be allowed to maintain. In addition to the updates above, Thrive is also preparing a new candidate collaboration experience called Thrive Circles. The service is intended to build stronger candidate relationships and satisfy GDPR compliance with a private, invite-only talent network. It will also invite candidates via legitimate interest or request consent, capture key candidate job preferences and keep candidate records up to date with automatic data syncs.
Thus far what impact have you seen now that GDPR is in effect?
I think the biggest impact from GDPR is the general awareness of privacy options and data in general. It ties into the broader discussion regarding Facebook and how data has been managed there, but privacy and privacy awareness are certainly much higher with the GDPR taking effect last month. The news regarding its implementation took a while to reach international attention, but has certainly been felt in the past two months. The dozens of privacy policy update notices and the updates that Apple, Google and Facebook (among others) have been making to their applications all tie into and help to highlight this awareness. While we have yet to see how the GDPR will be regulated, I believe it has helped to push forward the general cultural change regarding data management. Because most organizations are global, the changes in GDPR will impact product design going forward (i.e. privacy built by design), building new experiences that give users the option to determine how/what data will be used, so we’re just at the beginning stages of understanding its ultimate impact.
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; Stephen Sawicki, Managing Editor; and Will Schatz, Managing Editor – Hunt Scanlon Media