When Does GDPR Start And How Scary Will It Be?
We enlisted SmartRecruiters’ Head of Legal, Valerie Bertrand, to give us a primer on the implementation of what is, depending on who you ask, either a bold step forward for data protection, or, if you’ve been sleeping on it, a harbinger of doom.
If you’re a European business or a business with EU employees, a business with activities in the EU – or even looking to hire EU citizens from outside the EU – May 25th is already circled in thick bright red on your 2018 calendar. It’s not? Oh dear.
That’s when the European Union’s new rules for personal data collection come online – so to speak – and if you’ve been procrastinating, you’re not going to be very pleased by the consequences of having done so. Failure to comply will cost you up to €20 million or 4% of your worldwide yearly gross, whichever is higher.
When Berlin-based Valerie Bertrand took the gig as SmartRecruiters’ head of legal six months ago, she also took the helm of SmartRecruiters’ compliance efforts.
“I knew GDPR would be my first big priority,” she says, “as well as my first big opportunity.”
The watershed regulations took four years of negotiations to pass, and for all her hard work making sure SmartRecruiters will be GDPR-compliant come the end of May, there are plenty of companies out there wanting to hear what advice she can share with them.
“We had more than 200 attendees on our German language webinar,” says Valerie. “For the UK around 50 or 60, and France, around 60-70.”
For the citizenry, the basics aren’t hard to grasp, and they sound pretty good: companies are not allowed to sell on your personal information to third parties without your consent, and they are not allowed to keep your information stored indefinitely. And if you suddenly decide you don’t want e-commerce sites you’ve used to store your email, or to keep a list of what you bought so they can sell to you again in the sidebar of your online newspaper, they are obliged to let you be digitally forgotten, and erase you.
“It’s the same thing as when you give your phone number to someone,” explains Valerie, “you don’t necessarily want that person giving your number out to just anyone.” Especially anyone capable of sending you unblockable spam texts.
For companies, Valerie says the essentials are “identifying and mapping your processes from the beginning to make sure individuals can control their individual rights. Make sure you are in control of your data, know exactly where your data is, and who your processors are.”
“Processors” is a specific choice of words, because under GDPR there are data processors and data controllers.
“Our customers, who give us access to their data for the purposes of hiring,” Valerie says, “are controllers, SmartRecruiters is the processor,” which means when your business is based on processing personal information on behalf of companies, things can get tricky. Valerie says in Europe – especially Germany, a huge supporter of GDPR – personal privacy has always been taken more seriously than anywhere else. That would be fine if GDPR compliance were limited to companies operating from within the EU, but it covers any company that employs even one EU citizen, which opens things up immensely, and not all companies outside of Europe may be taking GDPR as seriously as they should.
“The fines are a good way to make sure companies are doing something about it,” says Valerie, “and because of the fines, now when you talk about online privacy at this level in the US, they understand, whereas before, not so much.”
Given how much of SmartRecruiters’ business is Stateside, that’s good news, but it leaves one concern: an organization coasting along without a forward-thinking head of legal could be leaving its business open to massive fines that, for small to medium-sized companies, could possibly put them under. If 20 million euros is higher than 4 percent of annual gross, especially if it’s much higher, well, you know, that’s bad.
On the other hand, with GDPR having taken this long to implement on so many high levels of government, those responsible for administering the first rounds of post-May fines aren’t going to go after someone from, say, Italy, manufacturing broom handles in West Africa, or a car company in India with a French consultant on the books.
“You go for Apple, you go for Google,” says Valerie. “You target the companies with money,” because everyone will be watching, placing bets on which global juggernaut will be hit hard, and hit first.
Valerie is confident her company will be watching calmly from the sidelines, and her reason goes beyond avoiding being made an example of by the European Commission: “SmartRecruiters is a subcontractor, so we have to be compliant. That’s why people will continue to work with us. Otherwise no one will choose to work with us. We still don’t really know what things will look like after May 25th, but if you get caught for something, your image will suffer greatly.”