- how incentivised people are to make GDPR subject access requests of the company (how angry, confused, hostile or curious they are)
- how easy it is for them to make requests (entirely manual vs. online service)
- wildcard factors (internet flash mobs bent on vengeance against a corporate)
There are also possible business models that might incentivize technology players to deliberately ramp up GDPR requests.
For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request into the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence the incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiosity and start digging into interview notes etc.
Naturally GDPR requests like this won't flood a company on the first day of GDPR. But the internet is a turbulent place.
Unless data is removed before the end of the process and the company keeps only the final outcome. ;)
And yes, civil servants did use those arguments to try and stop FOI. They lost because ultimately they pay themselves out of tax revenues, and when you force people to buy something the bar for denying them information about how that money is used is a lot higher.
This doesn't apply in the case of companies and especially not job candidates.
That said, I don't think it's really comparable to the GDPR. For one, FOI compliance is a joke; organisations get out of it all the time on the thinnest of pretexts. There's no real incentive for a government to police itself in this regard. But GDPR enforcement is incentivised by large sums of money, for an organisation that is technically bankrupt.
If your company can not show the candidates why they were not hired, you are doing a very bad job.
Are you discriminating against protected classes?
Are you rude or offensive in your comments?
Then stop doing it. That will be a very good side-effect of this situation. Public scrutiny works. If a company needs to make its interview notes public, those notes are going to improve in quality and abide by the law.
> how strong any company will experience their firehose of GDPR requests to be
If you are big enough to have a big influx of GDPR, you need to automate it.
> how easy it is for them to make requests
It needs to be easy. The goal is not to let your company shield behind "sorry it is too complicated to give you the information". You need to give people easy access to their own data.
> wildcard factors
How is this different from a denial-of-service attack on the technical side? On the legal side, there are lawsuits that are going to be more effective than GDPR, which starts with recommendations for improvement.
> The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it.
You only get the data about YOUR own interview. You can not hoard data this way. It works the other way around. The data protection is protecting you from the company monetizing this information without your consent. Companies are the ones hoarding YOUR personal data and creating a business around it without YOUR consent.
Your concerns are the main reason GDPR was created.
https://ico.org.uk/for-organisations/guide-to-data-protectio...
Another link from 2012 describing how to handle data protection in the 1998 framework: http://www.shoosmiths.co.uk/client-resources/legal-updates/D...
I have. There's no way we will be deleting interview notes the moment a candidate is rejected. For one, we have to be able to prove later that we didn't reject based on grounds of discrimination (other regulations). But you also need the ability to review what your interviewers are doing to ensure consistency and quality of assessment. We also go back and re-read interview notes if someone doesn't make it through probation or gets fired, to see if we could have picked up on the issue earlier.
But hey GDPR defenders, here's a question to ponder. I have argued above that I legitimately need interview notes for the operation of my business. If you disagree, what makes you so sure your interpretation is correct and not mine? Don't you think it'd be good if we could resolve this disagreement in some clear way, like if the law itself spelled it out?
(simplified)
* You need to have a data processing agreement with the SaaS company X.
* You need to tell candidates in your privacy information that you send data to X.
* You need to make sure X is properly implementing the data processing agreement (currently not clear how you do this except by using e.g. PwC to review X).
If you have the data, you need to tell the candidate what you do to protect it, back it up, restrict access to it etc.
(Also, if e.g. the talent pool feature is provided by LinkedIn based on LinkedIn data, you're not responsible under the GDPR; only if you sent data to X or X collects data on your behalf, e.g. in a web form.)
I agree that you do legitimately need interview notes, but I don't understand why this conflicts with GDPR. In other words, why am I not allowed to see my interview notes?
> I have argued above that I legitimately need interview notes for the operation of my business.
That's the point. You're keeping data to comply with a law (Equality laws) or for legitimate reasons, and so you don't need permission and you don't need to delete it when asked.
https://gdpr-info.eu/art-6-gdpr/
> Processing shall be lawful only if and to the extent that at least one of the following applies:
> processing is necessary for compliance with a legal obligation to which the controller is subject;
> processing is necessary in order to protect the vital interests of the data subject or of another natural person;
> processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Any of these would suit.
If it would take a decade, then it is a broken business that should cease to exist as it is doing something illegal with the collected data. What kind of business is it?
Realistically, how hard is it to automatically grab some data from a database and export it as JSON, as well as remove data from your database pertaining to a user? With a relational database, this would be a cinch. I mention the right to access and the erasure right, as I estimate these will be the most frequently called upon.
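As an added example (not from the original thread), here is what such a right-of-access export and erasure can look like on a relational database, including the retention caveat raised elsewhere in this thread: notes kept under a legal obligation are not deleted, but the subject's direct identifiers are stripped. The schema, the sample rows and the `legal_hold` column are all constructed for the example.

```python
import json
import sqlite3
# Constructed sample schema and data for this example (not taken from any real system).
SCHEMA = """
CREATE TABLE candidates(id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT);
CREATE TABLE applications(id INTEGER PRIMARY KEY, candidate_id INTEGER, role TEXT, outcome TEXT);
CREATE TABLE interview_notes(id INTEGER PRIMARY KEY, application_id INTEGER,
    interviewer TEXT, note TEXT, legal_hold INTEGER NOT NULL DEFAULT 0);
INSERT INTO candidates VALUES (1, 'alice@example.org', 'Alice Example');
INSERT INTO applications VALUES (10, 1, 'Backend engineer', 'rejected');
INSERT INTO interview_notes VALUES (100, 10, 'bob', 'Strong on SQL, weak on tests', 1);
INSERT INTO interview_notes VALUES (101, 10, 'carol', 'Arrived ten minutes late', 0);
"""
def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn

def subject_rows(conn, email):
    """Every row relating to one data subject: candidate, applications, interview notes."""
    cand = conn.execute("SELECT * FROM candidates WHERE email = ?", (email,)).fetchone()
    if cand is None:
        return None, [], []
    apps = conn.execute("SELECT * FROM applications WHERE candidate_id = ?", (cand["id"],)).fetchall()
    notes = conn.execute("SELECT n.* FROM interview_notes n JOIN applications a ON a.id = n.application_id"
                         " WHERE a.candidate_id = ?", (cand["id"],)).fetchall()
    return cand, apps, notes

def export_subject_data(conn, email):
    """Right of access: the subject's data as a JSON document."""
    cand, apps, notes = subject_rows(conn, email)
    if cand is None:
        return json.dumps({"email": email, "found": False})
    return json.dumps({
        "found": True, "candidate": dict(cand), "applications": [dict(a) for a in apps],
        # The interviewer's identity is redacted; the note text itself is about the subject.
        "interview_notes": [{"note": n["note"], "legal_hold": bool(n["legal_hold"])} for n in notes],
    }, indent=2)

def erase_subject(conn, email):
    """Right of erasure with a retention exception: delete unheld notes, pseudonymise the rest."""
    cand, apps, notes = subject_rows(conn, email)
    if cand is None:
        return {"found": False}
    held = [n["id"] for n in notes if n["legal_hold"]]
    free = [n["id"] for n in notes if not n["legal_hold"]]
    conn.executemany("DELETE FROM interview_notes WHERE id = ?", [(i,) for i in free])
    if held:
        # Notes kept under a legal obligation: strip direct identifiers, keep the record linkage.
        conn.execute("UPDATE candidates SET email = NULL, name = NULL WHERE id = ?", (cand["id"],))
    else:
        conn.execute("DELETE FROM applications WHERE candidate_id = ?", (cand["id"],))
        conn.execute("DELETE FROM candidates WHERE id = ?", (cand["id"],))
    return {"found": True, "deleted_notes": len(free), "retained_notes": len(held)}
```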
What do you mean here? It seems to be about suggesting that GDPR is about getting the fine money? Elsewhere the law is quoted where it states the fine should be appropriate to be effective. So even if you don't trust this there's legal ground to back it up. Secondly, why is the EU technically bankrupt? Or is this a theoretical organization?
I'd appreciate some clarification, because currently the sentence I quoted is too open to interpretation.
Interview notes would not have to be turned over to the candidate. They are personal opinion of the interviewer even if they mention the candidate. GDPR protects that data: you may not disclose it because it would violate the rights of the interviewer.
From https://gdpr-info.eu/art-12-gdpr/:
"Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: "
The quoted bit is about one person, not multiple so not directly applicable. I assume if someone organizes a coordinated flood of requests from multiple persons you can still argue that it is excessive.
I agree that the amount of requests is very uncertain. Within my company I'm planning to make one request (data regarding me as an employee). This to see if they're prepared.
But interview notes tend to contain personal evaluations of people, often critical. If interviewers believe they are effectively having to criticise people to their face (which is what this change would do), then they won't be willing to be as honest. No interviewer wants an angry job candidate tracking them down via LinkedIn or whatever and then getting mad because you wrote that they sucked in their notes.
This is an interpretation of the GDPR that I don't think makes any sense or aligns with the original intentions at all, but moreover, if it was interpreted and enforced that way it simply means firms would switch to discussing candidates in person and not write down evaluation notes at all.
Most people seem to interpret the directive to say that, because the interview notes constitute "any information relating to an identified or identifiable natural person", they are personal data of the person being interviewed?
Under the existing Data Protection Directive these notes are subject to people making a Subject Access Request.
You sound like you've never had to deal with telling a candidate they weren't chosen for a position. There's a reason rejection letters are usually canned responses - it's not that HR teams are unanimously evil people, it's because any bit of information could open up the potential for a lawsuit, even if given in good spirit. Someone gets a rejection letter saying "they aren't a good fit"... oh well, it must be because I have different coloured skin, right? It's a slippery slope from there.
...in the US. Probably not anywhere else, unless the hiring company is illegally discriminating.
The fun of red tape. You will be violating one or the other regulation, that’s the beauty of it.
Huh. So, you're saying a side effect of GDPR is a radical increase in recruitment/hiring transparency. As if that was a bad thing (clearly, it would be a shift in the capital/labor power asymmetry in favor of labor, but I'm not seeing how that's bad.)
The real reasons for such policies tend to be a combination of:
(1) Regardless of organizational policies, hiring managers will still sometimes use directly prohibited criteria, and some of them will clumsily reveal this (perhaps in ignorance of the prohibition) if they provide explanations. A clear blanket corporate no-explanation policy doesn't prevent the bad acts, but prevents the bad acts that slip through other corporate policies from being announced to victims, and
(2) Hiring criteria that aren't directly prohibited may be prohibited indirectly due to disparate impact. Providing honest explanations for negative decisions makes it possible for people who gain access to the explanations given to multiple candidates to discover disparate impacts, and take action against them, and
(3) People attempting to give honest explanations will sometimes explain things poorly in a way which indicates a prohibited (directly or indirectly) criterion was used, either positively (which might be evidence in other cases) or negatively.
Probably you can redact it so that it doesn't include the actual names of which interview panellist said what.
This seems explicitly allowed for in the law.
> Secondly, why is the EU technically bankrupt? Or is this a theoretical organization?
Because its liabilities are greater than its assets, or put another way, it spends more than it receives and does so structurally.
http://bruegel.org/wp-content/uploads/2018/03/PB-2018_01_cor...
EU budget commitments exceed payments by about €10 billion a year, leading to an ever-rising volume of outstanding commitments, known as reste à liquider (RAL). RAL is expected to exceed €250 billion by 2020.
The EU is not a company, it's effectively a government, and so it simply doesn't allow itself to go bankrupt in a legal sense. It can violate contracts at will because it ultimately controls the courts. So when it doesn't have enough money to make payments it has committed to, it simply delays those payments. This results in an ever growing backlog of delayed payments that can't be made because the EU doesn't have sufficient funds.
Note that this behaviour is illegal under the treaties. The EU is not allowed to spend more than it receives. It does so anyway because it correctly believes the member states are too weak to enforce the rules. Also, the EU controls the ECB and ultimately the ECB is keeping many member states afloat via massive bond purchases. Whilst the EU Commission cannot legally just print money to fund its own operations, in practice that's what it's doing - the ECB prints money and uses it to buy the bonds of insolvent member states, which then turn around and hand some of that money back to the EU as part of its budget.
(2) you would be filing a lot of requests to companies that have no data in the first place and which you could reasonably have known about had you queried the data subject.
I see such a service as acting in bad faith and would file a complaint against you and your service if such a frivolous request were to land in my inbox. Better hold on to the $40, you might need to spend it on a lawyer.
But kudos for trying to see the GDPR as an opportunity, now try to do so in a more constructive way. And - funny - you would be mailing yourself since you would be sure to hold PII on the party making the request in order to be able to authenticate the request as being a genuine one, which in turn would make you required to be in compliance.
Sure, you can infer all you want, but I'm talking about whether there are grounds for legal proceedings. There is a higher probability that a lawyer would take a case where the rejection letter says "you weren't a good culture fit" vs "you didn't get the job". Companies simply do not want to open themselves up to litigation, even if they've done nothing wrong. Further, there is no commercial incentive to tell the candidate anything other than "you didn't get the job", so why bother?
> People attempting to give honest explanations will sometimes explain things poorly in a way which indicates a prohibited
That's precisely my point. It's very difficult to explain to someone that they've been rejected for a position even in the most sincere and nicest way possible.
IIRC there are services along those lines for various 'contact your $REPRESENTATIVE' political and activism lines. I vaguely recall something about how the US has specific laws allowing certain requests to be ignored (or maybe even criminalising the sending of) generated or form letters, apparently due to this sort of abuse.
Can't remember what the exact context was in which I saw it, but it might have been FOI or something data-related.
A20(2): In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
A12(3): ... Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
Even in the case it didn't work out to directly query, as another has suggested, just making it easy to fill out as many forms as possible in an automated fashion has value. Use their email to send from.
Also, how does the data subject or gdpr.me know that your company hasn't hoovered up some PII of the data subject?
I've read it several times and unless more clarity comes down on questions like this I'm quite afraid of abuse. I've read 8% of UK citizens intend to (ab)use GDPR for spiteful reasons.
EDIT:
Ok - I believe this absolutely supports my point, straight from the horse's mouth... This is from WP29-2017-4-data-portability-guidance:
"Data subjects should be enabled to make use of a personal data store, personal information management system (PIMS) or other kinds of trusted third-parties, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required."
This is immediately after saying businesses should create APIs to allow data portability and GDPR requests.
You can of course go and approach this from a legalistic point of view, but that's usually not how things work in the EU; if you are going to split legal hairs to see how you might be able to get away with something, then you will be in for a surprise.
But don't take my word for it, feel free to build and launch the service and we'll see if it flies. For $40 I'll pass :)
> I vaguely recall something about how the US has specific laws allowing certain requests to be ignored (or maybe even criminalising the sending of) generated or form-letters, due apparently to this sort of abuse.
Exactly, and it is abuse. There are so-called 'mass letter writers' here in NL that keep on sending FOI requests and other letters to local government, effectively DDoSing the services, and they too can be - and have been - slapped down.