Main Sequence’s guiding principles in regard to EU Data Protection Laws are to:
The pertinent law, scheduled to take full effect on 25 May 2018, is EU Directive 016/679, headed “General Data Protection Regulation”. The now-standard acronym is “GDPR”. The GDPR is presented as a lengthy assembly of principles covering nearly every aspect of handling information.
The GDPR is structured around detailed and defined roles for the various parties involved with handling information. The persons that are the subjects of information (candidates, clients) are called Data Subjects. The parties that process data (recruiters) are called Data Processors, and the parties that collect and use the data (such as Main Sequence) are Data Controllers.
The GDPR developed in light of the previous rule, and out of a political process that unfolded over the preceding decade. The political sticking points of international data protection are inescapable when firms with varying interests, assets, and exposures are subjected to multiple sovereigns, and when dispute-enforcement mechanisms must actually compel good behavior.
So far, these structures have taken the form of quasi-treaties. One that Data Processors relied on heavily was known as “Safe Harbor”. Safe Harbor was built around a memorandum of understanding between vendors and US government agencies under which the vendors would respond reasonably to EU data protection authority demands.
Eventually, the EU judiciary did not find that protection to be adequate, and in ruling C-362/14, the EU Court of Justice determined that Safe Harbor would no longer suffice for compliance with EU Data Authority rules.
This decision created immediate disruption and uncertainty for hundreds of cloud vendors and thousands of customers. In response to that pressure, the EU executive body (EU Commission) issued COM 566 (November 2015), stating that Data Exporters who had executed contracts with Data Importers containing unmodified EU provided standard Model Contract Terms (and appropriate appendices) would be compliant until further notice. These contract terms are explicit and comprehensive, although enforcement remains situational.
Main Sequence interprets section (106) of Directive 016/679 (“The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organization, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC.”) as authorizing us to continue offering EU Model Contract Terms until at least 25 May 2018, or until such time as the EU Commission no longer recognizes the Model Contract Terms as sufficient safeguards under Directive 016/679.
Along with GDPR, a successor to Safe Harbor was created. It’s called Privacy Shield. Main Sequence is a certified participant in Privacy Shield as of 20 November, 2017. That certification may be found here.
In EU Commission COM(2017) 611 (final), the Commission states that: “In its Decision of 12 July 2016 (“the adequacy decision”), the Commission found that the EU-U.S. Privacy Shield (“Privacy Shield”) ensures an adequate level of protection for personal data that has been transferred from the European Union to organisations in the U.S.”
Main Sequence is satisfied that Data Controllers may use our services in the reasonable expectation that they will be found adequate under GDPR.
A key open question of enforcement for Data Processors appears to be where data must be hosted. On 16 October 2017, the United States Supreme Court granted certiorari in United States v. Microsoft, which turns on the question presented to the court:
Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad.
On 23 March 2018, the Clarifying Lawful Overseas Use of Data Act, commonly known as the CLOUD Act, was signed into law. The CLOUD Act contains a provision that requires email service providers to disclose emails within their “possession, custody, or control,” even when those emails are located outside the United States. This law rendered United States v. Microsoft moot, and the Supreme Court dismissed the case on 17 April 2018.
This development removes a significant potential incentive for the EU to demand in-region hosting services.
In addition to the model contract terms, Main Sequence notes the following in regard to compliance with Directive 016/679:
The following capabilities will be available upon request in the first week of May, 2018:
A GDPR tab on all name records, which contains new fields for tracking the Consent Date and Consent Purposes.
Records with Consent Purpose set to Awaiting Consent or Revoked Consent are flagged in orange and are automatically opted out of all list-based email. Names that exist in the database at the time of activation will be automatically set to Awaiting Consent.
Consent Form Letters are generated, which include ‘Insert Field’ merge tags leading the recipient to affirm or revoke consent. Selecting Deny sets the Consent Purpose field on the name to Requested Deletion.
A configurable consent agreement is added to the PCR Job Board so that all online applicants are prompted to affirm consent before proceeding to submit information.
The system adds New Activity types for tracking consent activity, and also adds a dedicated “Consent Log” panel for retaining all details and notes pertaining to consent collection.
An EUC Consent Purpose filter is added to the Identify Inactive Records panel, facilitating the location of inactive records and adding them to a list for Forgetting or other handling.
A new Global Change option allows admins to apply a consent setting to multiple records at once, such as all names that have Requested Deletion. All changes are recorded to the Consent Log.
New Forget and Download action items appear for admin-level users, allowing them to relegate any single contact to the Forget Bin or to back up the record’s fields and attachments locally. An option also exists for ‘auto-forgetting’ records that remain without consent for a given period of time.
Once ‘forgotten,’ a record is given an ID and sent to the Forget Bin admin area. The email remains visible in the bin only. The ID takes the place of the record in Position Pipeline history.
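As an added illustration, not PCRecruiter’s own code, the following Python model captures the consent workflow described above: the Awaiting/Revoked opt-out from list-based email, the Affirm/Deny handling from a consent form letter, and the forget step that replaces a record in pipeline history with an ID while keeping the email visible only in the Forget Bin. The “Consent Given” label, the status_since field and the auto-forget window are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional
import secrets

class ConsentPurpose(Enum):
    AWAITING = "Awaiting Consent"
    AFFIRMED = "Consent Given"          # assumed label; the page names only the non-consent states
    REVOKED = "Revoked Consent"
    REQUESTED_DELETION = "Requested Deletion"

@dataclass
class NameRecord:
    record_id: str
    email: str
    status_since: date                  # assumed field: when the current consent state was set
    consent_purpose: ConsentPurpose = ConsentPurpose.AWAITING   # default at activation
    consent_date: Optional[date] = None
    log: list = field(default_factory=list)   # Consent Log entries: (date, action, resulting state)

def list_email_allowed(rec):
    """Only an affirmed, dated consent lets a name onto list-based email; Awaiting and Revoked are opted out."""
    return rec.consent_purpose is ConsentPurpose.AFFIRMED and rec.consent_date is not None

def record_consent_response(rec, choice, today):
    """Apply an Affirm/Deny reply from a consent form letter and log the change."""
    if choice == "Affirm":
        rec.consent_purpose, rec.consent_date = ConsentPurpose.AFFIRMED, today
    elif choice == "Deny":
        rec.consent_purpose = ConsentPurpose.REQUESTED_DELETION   # Deny -> Requested Deletion
    else:
        raise ValueError(f"unknown consent choice: {choice!r}")
    rec.status_since = today
    rec.log.append((today, choice, rec.consent_purpose.value))

def forget(rec, pipeline, forget_bin):
    """Send a record to the Forget Bin; a generated ID takes its place in Position Pipeline history."""
    forget_id = "FORGET-" + secrets.token_hex(4)
    forget_bin[forget_id] = rec.email           # email remains visible in the bin only
    for entry in pipeline:
        if entry.get("name") == rec.record_id:
            entry["name"] = forget_id
    return forget_id

def auto_forget(records, pipeline, forget_bin, today, max_days):
    """Forget every record that has stayed without affirmed consent for more than max_days."""
    cutoff = today - timedelta(days=max_days)
    forgotten = {}
    for rec in records:
        if rec.consent_purpose is not ConsentPurpose.AFFIRMED and rec.status_since < cutoff:
            forgotten[rec.record_id] = forget(rec, pipeline, forget_bin)
    return forgotten
```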