GDPR rollout... so here’s the skinny.
We (LiCa Scientific) take in data all the time: CVs full of private data. We need this to help you get a job. Mainly it’s people’s phone numbers, emails, shoe sizes, your favourite cocktail… some of those are a fib but the point is this.
Your data, and a load of it at that, goes out there into the internet and you want to be confident it’s handled well and respected.
Data is and always has been important to us and it’s ALWAYS been kept in highly secure systems, and absolutely goes NOWHERE without your say so. So without doing anything we were compliant with GDPR. If you’ve gone for a job through us you’ll know you sign off each and every company, over email, before your CV leaves the systems here.
Thinking about it, therefore, I’ve been compliant 15 years because I just want to be professional and treat other people with the kind of respect I’d want back. On that principle, I actually think my dad’s business in the 1980s was compliant with GDPR.
You just need to be respectful of people’s data and keep them informed of what you’re doing with it. That’s really it.
Now we’ll put a few structures in place but little else needs to change.
This got me thinking, I mean, who the hell is this for really?
For example, could you imagine us explaining to a client why the interview they requested to do couldn’t happen, because the candidate had no idea their CV was going there and we’d just slung it to them? Could you imagine being that candidate knowing your CV’s just been launched around the market like a commodity? No thank you!
Could you imagine the reputation you’d develop, quickly, as some fast-handed scattergun?
This ain’t the company we are.
So, at a recent training session I found we’re compliant. Very compliant. And this has led to a worry.
You see, as a Director there’s nothing worse than someone coming up with an acronym to scare you and then finding it simple. I figured surely it can’t be this straightforward.
“Are you compliant with GDPR?” came the question. I looked into the guidance. It’s woolly at best. The main question that emerged that we didn’t have an answer to, and it’s a doozy, was how long we keep data for?
So, in some cases, I’ve personally known people 15 years and keep in touch on a business level, so there’s an argument we keep everyone’s data for 15 years. However, really, are we going to use a 15-year-old CV? Are we hell!
So what’s reasonable and practicable? We settled on up to 5 years. If you register with us, we’ll keep your CV for 5 years. Is this compliant with the Information Commissioner’s Office?
But then, they haven’t produced any actual time guidance on how long you can hold data, in terms of the traditional way of giving it (in science at least), which is a number followed by a unit.
Instead, the phrase “it depends” gets bandied about. Basically you keep it for “as long as you need it”. If you’re like me and hate ambiguity, GDPR’s not going to be your favoured subject.
So, from the 25th May we’ll continue to keep your CV on file and on a rolling 5-year basis re-email you to ask if you still want to be registered.
So if you register on 25th May 2019, you’ll get your email in 4 years, 2021 it’ll be in 2 and so forth.
You’re intelligent, you get this.
As you'll know, in the meantime you have the right to be forgotten and to put in a subject access request anytime. I, Matthew Rollinson, was recently ordained the Data Protection Officer. You can contact me anytime with any questions.