What is the GDPR?
The GDPR (General Data Protection Regulation) is a new EU Regulation that will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations that collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations. The full text of the GDPR can be found here.
Does the GDPR apply to me?
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses that a) market their products to people in the EU or b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
How does it work?
The GDPR sets out obligations on Data Controllers, or those that determine the purpose and means of the processing of personal data of EU residents, and Data Processors, or those that process personal data of EU residents on behalf of Data Controllers.
The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organization decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees processing personal data within your organization do so to fulfil your tasks as data controller.
Your company/organization is a joint controller when together with one or more organizations it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.
The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.
The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorization from the data controller.
Opening.io and GDPR
At Opening.io we are reviewing our systems, processes, policies and documentation and updating them where necessary. Under the General Data Protection Regulation (GDPR), Opening.io is a Data Processor.
Opening.io processes personal data on behalf of its customers, the Data Controllers of that data. As a Data Processor, Opening.io does not process that data except on instructions from the Data Controller. Processing resumes and other relevant information is a "legitimate interest" of a company ("controller") that is trying to evaluate candidates for employment per Article 6; Opening.io does not need to obtain consent from job applicants to screen and rank their resume data. Opening.io has features that allow for the correction or deletion of personal data at predetermined time intervals, as well as on demand, from our own systems per Article 17.
Opening.io adheres to privacy by design principles.
Privacy by design states that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems, and much more. In practice, this means that the IT department, or any department that processes personal data, must ensure that privacy is built into a system during the whole life cycle of the system or process. Up to now, tacking security or privacy features on at the end of a long production process has been fairly standard. GDPR changes that. Opening.io has defaulted to privacy by design principles since its foundation in 2015.