zlacker

[return to "GDPR: Don't Panic"]
1. abraae+K2[view] [source] 2018-05-18 08:32:21
>>grabeh+(OP)
This doesn't consider some factors that dictate how strong any company will experience their firehose of GDPR requests to be:

- how incentivised people are to make GDPR subject access requests of the company (how angry, confused, hostile curious they are)

- how easy it is for them to make requests (entirely manual vs. online service)

- wildcard factors (internet flash mobs bent on vengeance against a corporate)

There are also possible business models that might incentivize technology players to deliberately ramp up GDPR requests.

For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request in to the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiousity and start digging in to interview notes etc.

Naturally GDPR requests like this won't flood a company on the first day of GDPR. But the internet is a turbulent place.

◧◩
2. frereu+Y2[view] [source] 2018-05-18 08:35:00
>>abraae+K2
This sounds like the arguments that organisations make against freedom of information laws. There is that risk, but what is the alternative? There doesn't seem to be a middle ground to me - either people can make subject access requests or they can't.
◧◩◪
3. abraae+j3[view] [source] 2018-05-18 08:39:36
>>frereu+Y2
Not an alternative - but the only obvious defence is to do the right thing, and delete data as soon as you have completed processing. e.g. delete those interview notes the second you have declined the candidate.
◧◩◪◨
4. repolf+O5[view] [source] 2018-05-18 09:09:17
>>abraae+j3
That's ridiculous. Has anyone in this thread actually ever run a recruiting operation?

I have. There's no way we will be deleting interview notes the moment a candidate is rejected. For one, we have to be able to prove later that we didn't reject based on grounds of discrimination (other regulations). But you also need the ability to review what your interviewers are doing to ensure consistency and quality of assessment. We also go back and re-read interview notes if someone doesn't make it through probation or gets fired, to see if we could have picked up on the issue earlier.

But hey GDPR defenders, here's a question to ponder. I have argued above that I legitimately need interview notes for the operation of my business. If you disagree, what makes you so sure your interpretation is correct and not mine? Don't you think it'd be good if we could resolve this disagreement in some clear way, like if the law itself spelled it out?

◧◩◪◨⬒
5. Sean17+U6[view] [source] 2018-05-18 09:21:21
>>repolf+O5
> I have argued above that I legitimately need interview notes for the operation of my business.

I agree that you do legitimately need interview notes, but I don't understand why this conflicts with GDPR. In other words, why am I not allowed to see my interview notes?

[go to top]