1. GDPR - Practical Steps for Researchers

5. IT Audit
As data controllers, we are all responsible for the security of our own IT systems and those of our data processors.
Make a System/IT audit a key part of your data inventory.

6. Privacy Impact Assessments
A DPIA (Data Protection Impact Assessment) is mandatory when processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

7. Consent v
Legitimate Interest

8. Appendix B, legitimate interests assessment template

9. Issues around Informing Candidates or Requesting Consent
How about market mapping? Do we need to inform everyone?
How long should we keep people’s data for?
When is the best time to request consent/inform people?
What if consent is declined?
What about candidates outside the EEA?
How do you structure the approach? How many times can you request consent?
Consent when using LI Recruiter and browser add-ons
What if you are contacting a candidate on behalf of an anonymous client?
What if you are a freelancer working separate but similar assignments on behalf of different clients?

16. Subject Access Requests (SARS)
Clearly inform data subjects how to request this
Have a SARS policy
Ensure the data controller responds
30 day time limit
Standard procedure throughout
Check legitimate and reasonable
Include certain minimum information

17. Data Deletion Requests ‘The Right to be Forgotten’
“There are some specific circumstances where the right to erasure does not apply and you can refuse to deal with a request.”
But none of these applies to headhunting?
This also needs a standard procedure. Also a record so that you do not re-add the person.

18. Informing data subjects going forwards
Draw up workflows for:
Informing under legitimate interest
Obtaining consent for medium-level data
Obtaining consent for sensitive data

19. Documentation

21. Also see APSCO Privacy Policy Checklist: