Why You Should Care About GDPR Compliance
When people give out their personal information, they expect the receiving party to treat it with respect. This is ultimately what GDPR (General Data Protection Regulation) is all about – it was enacted in May 2016 with an enforcement date of May 25th 2018 to give residents of the European Union data privacy rights no matter where their data is processed. With data flowing so easily, it’s critical for every company handling personal data to proceed with caution. Here’s a quick breakdown of what GDPR requires, and why it’s so critical for companies to be aware of it.
First, a few definitions:
- Personal Data – any information that can be used to identify a person (name, email, phone, ID number, location, or other information in context)
- Data Subject – the EU resident, or person in question, who has data to offer and who consents to their data being acted upon.
- Data Controller – The company or person who receives & stores the data provided by a Data Subject for its own use.
- Data Processor – A third-party who receives or transacts upon data provided by a Data Controller.
- Consent – one of the most important concepts here. A Data Subject has to provide a “clear affirmative action, signifying agreement to the processing of personal data relating to him or her” – that means they should know what they’re signing up for: no hidden terms, no small fonts, no pre-checked boxes and no fine print.
GDPR requirements in a nutshell:
In addition, Data Subjects now have the right to update their information or request that it be deleted from company records. Users typically could unsubscribe from lists, but rarely would they have the control to view all the data a company holds about them, export it, modify it, and request complete deletion of their personal information. Data Controllers now must remove this data to avoid fines. Data Processors, who act upon requests from Data Controllers and Data Subjects, must be able to process those requests from both parties.
Why you should care:
According to GDPR, as a Data Subject, you should know exactly how your data will be used, have control over that data (it’s your information after all), and expect companies (Data Controllers) to respect your information and treat it with care. Though this may not be a novel concept to many, the fact that there are now regulations supporting it, with financial consequences for Data Controllers that don’t follow them, is a big step in supporting personal data privacy.
Here at Mya, we began our GDPR compliance program in 2017 and have worked with our internal compliance team and outside professionals to ensure that we have met all the GDPR requirements. We have updated over a dozen policies – ranging from breach notifications, to data subject requests, to pseudonymization (the GDPR term for anonymization), just to name a few. And more than just paperwork, we have implemented new procedures to ensure we meet the high standards required by GDPR.
For example, we follow Privacy by Design principles, which means we’re committed to maintaining the highest standard across all of our data practices and security measures. We proactively address potential security and privacy issues at the start of development on a project – being thoughtful about how data enters and exits our system. We respect the privacy and rights of Data Subjects (candidates & applicants in our world), and have built in the ability to handle data subject requests as needed. As a Data Processor, Mya receives information from candidates, sometimes highly personal, that is then used by companies trying to hire them for open jobs.
We are in the business of building trusting relationships between candidates and companies, and as a part of that, we believe everyone, regardless of whether they are an EU resident or not, should have the same rights when it comes to the privacy of their data.