General Data Protection Regulation
Catch-up with Lucy Ashenhurst, CEO of craftd.sg, and André Low
Q. What is GDPR and why does it exist?
The EU GDPR came into force in May 2018. It strengthens and homogenises existing EU member states’ disparate data protection rules under one unified set of European regulations, introducing new obligations for organisations and rights for individuals.
The GDPR also applies to businesses outside of the EU that continue to provide services to individuals within the EU.
Q. We keep hearing terms like 'confidential information' and 'personal information' but what is the difference?
Confidential information can encompass a whole host of information, not all of which may be personal data.
An easy example of something that is confidential but not personal data is sensitive commercial or financial information that may be subject to contractual confidentiality obligations—e.g. a discounted rate that you have negotiated with a supplier for certain items, which they may not want to be common knowledge.
Personal data, on the other hand, is information that relates to natural persons who may be identified directly from the information, or indirectly from the information in combination with other information. This ranges from blindingly obvious examples like a passport number or name, to less overtly personal data like IP addresses or location data, which someone with the appropriate expertise would be able to use to identify an individual.
Under the GDPR, not all personal data is created equal. Certain sensitive types of personal data (which the GDPR calls “special category” data) are subject to much stricter rules and protection.
Crucially for recruiters and HR professionals, much of the data you may collect falls under the umbrella of “special category” data, which includes race, ethnicity, religion, health, political affiliation, sexual orientation, and membership of trade unions. This means you should be extra careful to only ever use the data for the purposes it was collected for, never share the data unnecessarily, and seek explicit consent for its collection and use wherever possible (with the data subject's express knowledge as to what purpose the data is being collected for). Last but not least, ensure that you delete the data at the earliest opportunity once its purpose has been served.
Q. What are the key differences between GDPR and PDPA?
A major difference is in the way consent operates.
The GDPR always requires explicit, clear and informed consent that is freely given. The PDPA on the other hand permits “deemed consent” in many contexts, whereby an individual can be deemed to have given consent to the collection and use of personal data without actually having done so—if the individual voluntarily provides personal data to an organisation.
The PDPA also contains a broad and extensive list of exemptions to consent that in many ways reduces the personal data protections found in the act. While the GDPR contains other “lawful bases” for the collection and use of personal data beyond consent, which in some ways resemble the PDPA’s exemptions to consent, the GDPR’s lawful bases are much tighter and much less open to circumvention or abuse.
Data minimisation is a principle that is unique to the GDPR and not present in the PDPA. This obliges you to minimise the collection of personal data wherever possible. That means only collecting the data that you need for a specified purpose, and nothing more.
The GDPR also gives data subjects many more express rights to their data than the PDPA. This includes the right to access, correct, block and erase their data. The PDPA, by comparison, only provides for a very limited right to correct data. The GDPR mandates that personal data collected must be accurate and kept up to date. Such obligations are completely absent in the PDPA.
Q. What are the top 5 things that everyone in this industry should be aware of?
1. Every new candidate should be made aware of your agency’s intentions and purpose for storing their data. Allow them to understand and agree to your agency’s data guidelines at the point of candidate registration - or at the point of application from your website into your database.
2. You either need candidate consent or need to be able to demonstrate a legitimate interest before you can collect, store and use their data or pass this information to a third party (your clients).
3. You should always maintain a registry, and keep auditable proof, of all consents obtained from a data subject, including consents to the use and sharing of data and your candidates’ agreement to share their details with a third party.
4. Data minimisation is key. Ask only for the personal data that you need. You should not process irrelevant data (e.g. religious information) for recruiting purposes.
5. Any candidate can request to be forgotten or removed. Personal data should be deleted once the legitimate purpose for which it was collected is fulfilled.