Recruitment companies treat CVs like Gollum treated the ring. They're a precious commodity, even when, as I discovered recently, some are so old that the candidate has since died. So do they need a DPO?
This post isn't going to go through how CVs are obtained, or any of the many other issues around data retention, security, consent, etc etc etc etc.
All we're going to focus on is whether a small recruitment company with, say, 150,000 CVs needs a DPO. That's it. Nothing else.
Who should have a Data Protection Officer?
Article 37(1) of the GDPR sets out who must appoint a Data Protection Officer:
A. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
B. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
C. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
So in the case of recruitment companies in the private sector, we can ignore point A. How about the other two? Well, we first need to establish a few things about the data being held.
What is in the Data being held?
We need to ask a few questions first.
1) Does the data held include special categories of data as defined in Article 9 para 1, such as racial or ethnic origin, trade union membership etc., or data concerning health and mental well-being (see recital 35)?
Most recruitment businesses are switched on enough not to hold this sort of data in their CRM systems, but what about the CVs and covering letters themselves? Some may.
2) Does the data held include personal data relating to criminal convictions and offences (Article 10)?
3) Is the data used for automated decision-making or profiling, for example automated filtering of candidates against search criteria (Article 22)?
4) Does the data include information gathered from other sources about the candidate's relationships and activity, i.e. social media?
This is an interesting one, because scraping data from Facebook, Instagram, Twitter and, er... MySpace (?) is possible and is actively marketed. It has a whole heap of other implications, so let's just leave this one for the time being.
What is “processing on a large scale”?
Assuming the answer to the questions above is no, we go back to Article 37 and, in particular, the thorny issue of para 1(c). Note that (c) only bites when both limbs are met: the special category or criminal offence data must be processed, and that processing must be on a large scale. Could keeping 150,000 records be viewed as "processing on a large scale"?
Firstly we need some context. Although the size of the controller's organisation is no longer a factor in Article 37, businesses of more than 250 employees were the original target in early drafts. Article 30 para 5 still reflects this: the duty to keep records of processing activities (paras 1 and 2) is lifted for organisations with fewer than 250 employees, although that exemption falls away where the processing is not occasional or includes special category or criminal offence data, which a recruitment database may well be.
Secondly, we need to consider that the GDPR is designed for organisations that hold millions of records as well as those that hold relatively few. Everything is relative, so other factors need considering.
Is the Data valuable?
I would be asking more about what is in those 150,000 records. I realise that recruitment agencies see value in the sheer number of CVs held (this really needs to change, guys, as it is Grade A bonkers), but it is likely that fewer than 40,000 of those records are "active". And I'm being optimistic.
I know I promised not to talk about anything else, but it's much more likely that the client above is breaching one of the many other GDPR articles than that they need to worry about appointing a DPO. If you're not looking to exit, why not be a lean, mean machine and ditch the records that you are never really going to convert?
Okay back on track….
What does the DPO do?
In the UK we don't have the strict national rules around DPO assignment that, say, Germany and Belgium have. In fact, we have a much more liberal approach to data privacy than our more informed friends.
However, the tasks of the DPO are clearly stated in Article 39. They make a great deal of sense, and I would suggest that any organisation should have some sort of role specified that encompasses these tasks as part of the organisation's data governance framework, whether or not it is formally called a DPO.
The DPO role also carries legal responsibilities, so it isn't something to assign casually, and on balance I wouldn't consider that a DPO is required in the example above (got there in the end, eh?). But I will caveat that by saying "it depends", because every company is different. Just approach the question logically and carry out a decent analysis before jumping to a conclusion.
What does the ICO expect?
The ICO is mainly looking for the rationale behind decisions, because at the very least it shows that the question has been thought about; the Article 29 Working Party guidance on DPOs likewise recommends documenting the internal analysis behind a decision not to appoint one. If the client in the example added the above to their GDPR documentation (with a bit of editing) it wouldn't go amiss.
In addition, it wouldn't be a bad idea to contact the ICO if you remain unsure of your decision. They are pretty friendly and are trying to help businesses as much as possible.