GDPR, opt-in and the right to be forgotten: Well Facebook and Google, what are you going to do now?

High level recruitment and low level social and search data

Large numbers of companies hold information about us. Recruitment companies hold some of the most personal details about their candidates, contractors and temps. It tends to be a relatively low volume for each individual. Contrast this with the huge volumes of data held by the social and search internet giants, Facebook and Google.
Besides the relative volume of information, the other key difference is the ‘level’ of data. Recruitment data is composed of high level information, including personal details, such as mobile, educational and employment histories, qualifications and accreditations. Passport details and driving licence information including points and bans. It may also contain the assessments of psych tests and other selection methodologies. This is all information over which most people would want to have tight control.
Compared this with Facebook and Google, which over time accumulate vast amounts of data about each individual. In terms of privacy value, this tends to be relatively low-level information. Your Likes, and perhaps where you went last night and who you were with; what you searched for on the Internet and who you may have emailed with what.
With the exception of email, most of us would regard this as low-level data, information we choose to share on a social platform with who we want. However, there is an important difference. Crunching social and search history enables the internet giants to build a profile, identifying patterns of behaviour and enabling them to make predictions about each individual.
Even if the majority of the source information is relatively low-level, the analytical data is perhaps at least as valuable as the personal data held by recruitment firms. In a feat of digital alchemy, low value information is transmuted into something of very high value.
All of this has created concerns over privacy and raised questions about how the data is used for advertising and marketing, activities which are critical to the Facebook and Google business models.

25 May 2018: Enter the GDPR

On 25 May 2018, GDPR, the European Union General Data Protection Regulation (EU-GDPR) comes into force. This is a significant change to the regulatory frameworks which govern business practice and is set to disrupt the business models of Facebook and Google as well as many other internet companies, such as WhatsApp.
Quite simply, the GDPR means Facebook and Google will not be able to use personal data for advertising purposes without user permission. The firms cannot use a “service-wide” opt-in across all their services. Also, they will be unable to deny access to their services to users who refuse to opt-in to tracking.
Currently, Facebook and Google users willingly disclose personal data and these web giants have the right to process the data to drive their services. However, the GDPR is set to prevent them using personal data without specific user permission.
The GDPR applies the principle of “purpose limitation”. The wording of the regulation states that personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. In a nutshell, Facebook and Google will be unable to present users with non-specific, consent requests in order to gain permission to drive all their activities.
Over the years, Facebook’s privacy policies and user account privacy settings, and what you can and cannot hide have been the subject of much controversy. GDPR introduces the right to be forgotten, allowing users to find out what data an organisation holds and to request it deleted. Quite how this will play out is yet to be seen, but they are unlikely to acquiesce, and co-operate quietly.

Better data security and certainty on GDPR with ETZ

Facebook and Google leveraged disruptive technology over a handful of short years to become two of the world’s major businesses. However, with the advent of GDPR, the disruptors face being disrupted.
The impact on how giant corporations use personal data is just one side of the GDPR. On the flip side is the creation of a framework for better information security for all businesses. With strict rules around securing business networks and data backed by very stiff financial penalties, UK and EU regulators will have the power of global reach, taking in any business that processes the data of UK and EU citizens.
In an uncertain world, certainty is everything. So, right now, we’re working to make sure ETZ is GDPR-ready so that our clients in the recruitment industry don’t have to worry about it.
We encourage all of our clients to engage with all their suppliers of technology services to make sure they know where they stand. This is vital, because under GDPR, each firm is responsible for its own GDPR compliance. It won’t be possible to defend a charge of GDPR compliance failure by blaming a third-party.
If you need to know more about GDPR, ETZ and recruitment data, simply get in touch.
Click here to see the article ‘How the GDPR will disrupt Google and Facebook’ at pagefair.com.