Main Sequence’s guiding principles with regard to EU Data Protection Laws are to:
- Remain continuously informed about the status of the legislation itself, the current recommended practices published by the EU institutions, the national data protection authorities, and relevant private-industry exemplars, and carry out the technical work that compliance requires.
- Give customers the longest practicable lead time to make required changes and to minimize business disruption, including with respect to any ongoing obligations to Main Sequence that are affected by Main Sequence’s compliance, or non-compliance, with the relevant EU Data Protection laws.
The Genesis of GDPR
The pertinent law, which applies in full from 25 May 2018, is Regulation (EU) 2016/679, the “General Data Protection Regulation”, now universally abbreviated “GDPR”. Although often referred to as a directive, it is a regulation, meaning it applies directly in every member state without national implementing legislation. The GDPR is a lengthy assembly of principles touching nearly every aspect of handling personal information.
The GDPR is structured around detailed and defined roles for the various parties involved with handling information. The persons the information is about (candidates, clients) are Data Subjects. The parties that determine the purposes and means of processing (recruiting firms using PCRecruiter) are Data Controllers, and the parties that process the data on a controller’s behalf (such as Main Sequence, as a hosted software vendor) are Data Processors. The remainder of this page uses the roles in that sense.
The GDPR was developed in light of its predecessor, Directive 95/46/EC, and through a political process that unfolded over the previous decade. The political sticking points of international data protection are inescapable when firms with varying interests, assets, and exposures to different sovereigns are subjected to the same rules, and when dispute and enforcement mechanisms that actually compel good behavior have to be agreed.
So far, these structures have taken the form of quasi-treaties. One that was heavily relied on by Data Processors was known as “Safe Harbor”. Safe Harbor was a self-certification framework: a US company committed to the US Department of Commerce to follow a set of privacy principles (including responding reasonably to EU data protection authority demands), backed by US Federal Trade Commission enforcement, and a 2000 EU Commission adequacy decision treated certified companies as providing adequate protection.
Eventually, the EU judiciary found that protection to be inadequate. In case C-362/14 (Schrems, 6 October 2015), the EU Court of Justice invalidated the Safe Harbor adequacy decision, so that Safe Harbor certification no longer sufficed for compliance with EU data protection rules.
This decision created immediate disruption and uncertainty for hundreds of cloud vendors and thousands of customers. In response to that pressure, the EU executive body (the EU Commission) issued COM(2015) 566 (6 November 2015), stating that Data Exporters who had executed contracts with Data Importers containing the unmodified EU-provided standard Model Contract Terms (also called Standard Contractual Clauses, with the appropriate appendices) would remain compliant until further notice. These contract terms are explicit and comprehensive, although enforcement remains situational.
Main Sequence’s Status as Data Processor
Main Sequence reads recital (106) of Regulation (EU) 2016/679 (“The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organisation, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC.”) as authorizing us to continue offering the EU Model Contract Terms until at least 25 May 2018, or until such time as the EU Commission no longer recognizes the Model Contract Terms as sufficient safeguards under Regulation (EU) 2016/679. Article 46(5) of the Regulation makes this explicit: Commission decisions adopted under Article 26(4) of Directive 95/46/EC, which include the Model Contract Terms, remain in force until amended, replaced or repealed by a Commission decision.
Separately from GDPR, a successor to Safe Harbor was created in 2016. It is called Privacy Shield. Main Sequence has been a certified participant in Privacy Shield since 20 November 2017. That certification may be found here.
In EU Commission COM(2017) 611 (final), the Commission states that: “In its Decision of 12 July 2016 (“the adequacy decision”), the Commission found that the EU-U.S. Privacy Shield (“Privacy Shield”) ensures an adequate level of protection for personal data that has been transferred from the European Union to organisations in the U.S.”
Main Sequence’s position is therefore that Data Controllers may use our services with the reasonable expectation that the transfer safeguards in place will be found adequate under GDPR.
A key open question of enforcement for Data Processors appears to be where data must be hosted. On 16 October 2017, the United States Supreme Court granted certiorari in United States v. Microsoft, which turned on the question presented to the court:
Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad.
On 23 March 2018, the Clarifying Lawful Overseas Use of Data Act, commonly known as the CLOUD Act, was signed into law. The CLOUD Act requires providers of electronic communication and remote computing services to disclose data within their “possession, custody, or control” in response to lawful US process, even when that data is stored outside the United States. This rendered United States v. Microsoft moot, and on 17 April 2018 the Supreme Court vacated the judgment below and remanded the case as moot.
This development removes a significant potential incentive for the EU to demand in-region hosting: because data that a US provider stores in the EU remains reachable by US legal process, hosting location alone no longer determines which government can compel disclosure, and the location of the data is not by itself a safeguard.
In addition to the Model Contract Terms, Main Sequence notes the following with regard to compliance with Regulation (EU) 2016/679:
- PCRecruiter security settings will be set to high by default
- Consent management tools already exist in PCRecruiter for recording opt-in, opt-in renewal, and consent status. These tools are being streamlined and extended for GDPR, and GDPR-specific training, consulting, and configuration will be available to our customers before 25 May 2018.
- Data portability tools already exist in PCRecruiter to download individual data records as report objects. As with consent management, these tools will be streamlined and ready for use when the law comes into effect. The data portability requirements of the GDPR, in particular, are likely to be defined in practice by enforcement after the 25 May 2018 effective date of the regulation.
- Main Sequence will provide complete database return to customers upon request.
- Main Sequence will report any data breach to the affected customer within 72 hours of discovery. Note that under Article 33 of the GDPR the 72-hour clock runs for the Data Controller’s notification to its supervisory authority, counted from when the controller becomes aware of the breach, while a processor must notify the controller “without undue delay”; customers should plan their own breach procedures on the assumption that Main Sequence’s notice starts, rather than consumes, their 72-hour window.
- Search and sort tools to facilitate removal of no-longer pertinent data at appropriate intervals already exist in PCRecruiter.
- Main Sequence will perform all minimum legal requirements for EU Data Processors, and in the event of a default by Main Sequence on any EU Data Processor requirement, Main Sequence will release any EU Data Controller customer from any future contractual obligations and/or waive any early termination fees associated with closing a PCRecruiter account before contract expiry.
- Main Sequence will actively monitor compliance responsibilities for EU Data Processors operating in the United States and processing EU Personal Data.
- Pseudonymisation is not a required technique, but under Article 34 it may relieve a controller of the duty to notify affected data subjects (not the supervisory authority) after a security incident, provided the affected data was rendered unintelligible to unauthorized parties. It is unlikely that PCRecruiter records can be fully pseudonymised, because direct identifiers such as names, addresses, and phone numbers, and quasi-identifiers that identify a person when cross-linked with publicly available information, are essential recruitment data. Pseudonymisation features may be expanded in PCRecruiter (for example, “blinded” CVs or coded candidate submissions), which would limit the personal data that flows between recruitment firms and their clients and so reduce the interrelationships that the GDPR makes each party responsible for.
- Main Sequence has no role in selecting a Data Protection Officer for customers, or in acting as one on behalf of customers.
- Main Sequence recognizes that our customers may require support to configure PCRecruiter for essential tasks associated with their role as Data Controllers. Important steps for Data Controllers include, but are not limited to:
- Documenting security of processing
- Evaluating pseudonymisation and encryption
- Assessing compliance
- Planning data breach notification
- Estimating data protection impact (Data Protection Impact Assessment)
- Identifying a Data Protection Officer
- Designing data acquisition and retention for minimum impact (data minimisation)
- Reviewing and updating processor contracts
- Auditing the record of processing activities
- For customers requiring certification for PCRecruiter as a Data Processor, please refer to our Privacy Shield certification. For customers seeking information/training/configuration of Data Controller tools within PCRecruiter, please contact your Main Sequence sales consultant or submit a request to our online support system to schedule services.
GDPR Compliance Features
The following capabilities will be available upon request in the first week of May, 2018:
GDPR Data Fields
A GDPR tab on all name records, which contains new fields for tracking the Consent Date and Consent Purposes.
Consent Status Highlighting
Records with Consent Purpose set to Awaiting Consent or Revoked Consent are flagged in orange and are automatically opted out of all list-based email. Names that exist in the database at the time of activation will be automatically set to Awaiting Consent.
Consent Form Letters
Consent Form Letters can be generated with ‘Insert Field’ merge tags that lead the recipient to affirm or deny consent. Selecting Deny sets the Consent Purpose field on the name to Requested Deletion.
Job Board Consent Requirement
A configurable consent agreement is added to the PCR Job Board so that all online applicants are prompted to affirm consent before proceeding to submit information.
Activity and Consent Log
The system adds New Activity types for tracking consent activity, and also adds a dedicated “Consent Log” panel for retaining all details and notes pertaining to consent collection.
Inactive Record Identification
A Consent Purpose filter is added to the Identify Inactive Records panel, making it easy to locate inactive records and add them to a list for Forgetting or other handling.
A new Global Change option allows an admin to apply a consent setting to multiple records at once, such as all names that have Requested Deletion. All changes are recorded in the Consent Log.
Forget and Download
New Forget and Download action items appear for admin-level users, allowing them to move any single contact to the Forget Bin or to back up the record’s fields and attachments locally. An option also exists for ‘auto-forgetting’ records that remain without consent for a configured period of time.
Once ‘forgotten,’ a record is assigned an opaque ID and moved to the Forget Bin admin area. The email address remains visible in the bin only; everywhere else, including Position Pipeline history, the ID takes the place of the record.
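The feature list above describes a workflow: names are reset to Awaiting Consent on activation, only consenting names receive list email, replies to consent letters move names to affirmed or Requested Deletion, every change is logged, and records that stay without consent past a deadline are “forgotten” into a bin where only an opaque ID and the email survive. The following is an added, self-contained model of that workflow written for this page; it is not PCRecruiter’s code. The class and field names, the FGT- ID format, the rule that only affirmed records are mailable, and the sample records are all assumptions made for the illustration.

```python
"""Toy model of consent-gated email, a consent log, portability export and
'forgetting' (tombstoning) for a recruiting database.

Added illustration, not PCRecruiter code: names, the FGT- ID format and the
rule that only Consent Affirmed records are mailable are assumptions.
"""
from __future__ import annotations

import secrets
from dataclasses import asdict, dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Consent(Enum):
    AWAITING = "Awaiting Consent"
    AFFIRMED = "Consent Affirmed"
    REVOKED = "Revoked Consent"
    REQUESTED_DELETION = "Requested Deletion"


@dataclass
class NameRecord:
    record_id: str
    name: str
    email: str
    phone: str
    consent_purpose: Consent = Consent.AWAITING
    consent_date: Optional[date] = None
    status_since: Optional[date] = None          # when the current status was set
    attachments: List[str] = field(default_factory=list)


@dataclass
class Tombstone:
    """All that remains once a record is forgotten (assumed layout)."""
    forget_id: str
    email: str


class RecruitingDB:
    def __init__(self) -> None:
        self.records: Dict[str, NameRecord] = {}
        self.forget_bin: Dict[str, Tombstone] = {}
        self.pipelines: Dict[str, List[str]] = {}   # position -> record or forget IDs
        self.consent_log: List[Tuple[date, str, str]] = []

    def _set_status(self, r: NameRecord, status: Consent, when: date, note: str) -> None:
        r.consent_purpose, r.status_since = status, when
        r.consent_date = when if status is Consent.AFFIRMED else None
        self.consent_log.append((when, r.record_id, f"{status.value}: {note}"))

    def activate_gdpr(self, when: date) -> None:
        """Every name present at activation is reset to Awaiting Consent."""
        for r in self.records.values():
            self._set_status(r, Consent.AWAITING, when, "GDPR activation")

    def list_email_recipients(self) -> List[str]:
        """Only affirmed records receive list-based email (assumed rule)."""
        return sorted(r.email for r in self.records.values()
                      if r.consent_purpose is Consent.AFFIRMED)

    def consent_reply(self, record_id: str, affirm: bool, when: date) -> Consent:
        """Outcome of a consent form letter: affirm, or Deny -> Requested Deletion."""
        status = Consent.AFFIRMED if affirm else Consent.REQUESTED_DELETION
        self._set_status(self.records[record_id], status, when, "form letter reply")
        return status

    def download(self, record_id: str) -> dict:
        """Portability export: the record's fields and attachment names."""
        data = asdict(self.records[record_id])
        data["consent_purpose"] = data["consent_purpose"].value
        return data

    def forget(self, record_id: str, when: date) -> str:
        """Move a record to the Forget Bin; an opaque ID replaces it in pipelines."""
        r = self.records.pop(record_id)
        forget_id = "FGT-" + secrets.token_hex(4)        # assumed ID format
        self.forget_bin[forget_id] = Tombstone(forget_id, r.email)
        for ids in self.pipelines.values():
            ids[:] = [forget_id if i == record_id else i for i in ids]
        self.consent_log.append((when, forget_id, f"forgot {record_id}"))
        return forget_id

    def auto_forget(self, when: date, max_days: int) -> List[str]:
        """Forget every record that has stayed without consent longer than max_days."""
        stale = [r.record_id for r in self.records.values()
                 if r.consent_purpose is not Consent.AFFIRMED
                 and r.status_since is not None
                 and when - r.status_since > timedelta(days=max_days)]
        return [self.forget(rid, when) for rid in stale]


def demo() -> dict:
    """Constructed sample data: activation, two replies, then auto-forget at day 120."""
    db = RecruitingDB()
    for rid, name, email in [("N1", "Ada Example", "ada@example.org"),
                             ("N2", "Bo Example", "bo@example.org"),
                             ("N3", "Cy Example", "cy@example.org")]:
        db.records[rid] = NameRecord(rid, name, email, "+00 000 0000",
                                     attachments=[f"{rid}_cv.pdf"])
    db.pipelines["POS-100"] = ["N1", "N2"]
    day0 = date(2018, 5, 25)
    db.activate_gdpr(day0)
    before = db.list_email_recipients()                  # nobody is mailable yet
    db.consent_reply("N1", affirm=True, when=day0 + timedelta(days=3))
    db.consent_reply("N2", affirm=False, when=day0 + timedelta(days=3))
    after = db.list_email_recipients()
    export = db.download("N1")
    forgotten = db.auto_forget(day0 + timedelta(days=120), max_days=90)
    return {"before": before, "after": after, "export": export,
            "forgotten": forgotten, "pipeline": db.pipelines["POS-100"],
            "bin": {k: v.email for k, v in db.forget_bin.items()},
            "log_entries": len(db.consent_log)}
```

The point to take from the model is where the data actually goes on “forget”: the record is removed from the live table and from every pipeline list, and only the tombstone (ID plus email) is retained, so a later export or search cannot reconstruct the person from pipeline history. A real implementation would also have to purge backups, search indexes and attachments on the same schedule, which this toy does not model.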