10 Jan 2019

Part 1: Personal data and expert calls – What’s the state of GDPR compliance for expert networks?

Josefine Vinberg, COO at Inex One

This blog post is written for informational purposes only. It does not constitute legal advice, and should not be used as such.

Based on a quick search on Google, not a lot has been written on the topic of expert networks and GDPR. In an industry that has been plagued by insider trading scandals, and where robust compliance processes are a primary selling point, this is a bit surprising.

We at Inex One decided to do a bit of digging and look closer at the state of GDPR compliance for expert calls. We will introduce our findings in a series of blog posts throughout January, starting today by looking at expert networks and GDPR.

Part 1: What responsibilities do expert networks have under the GDPR?

We will look at the responsibilities of the expert networks in a minute, but let’s first take a step back and decode some of the definitions under the GDPR (definitions are simplified for the purpose of this article):

Personal data: any information relating to an identified or identifiable natural person.

Data Subject: a natural person who can be identified, directly or indirectly.

Data Controller: the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: a natural or legal person which processes personal data on behalf of the controller.

Sub-processor: a third party data processor engaged by a processor.

Recipient: a natural or legal person, to which the personal data are disclosed, whether a third party or not (depending on the circumstances, the recipient may also be a controller or processor).

As we’ve already established, not a lot has been written on the topic of GDPR and expert calls. But don’t despair. There’s another closely related industry that can be used as an analogy: headhunting and recruitment. After all, expert networks act as headhunting firms, chasing the best candidates for very short job assignments.

When it comes to recruitment, most sources seem to agree: the job candidate is a data subject, and the recruitment firm is a data controller in relation to the processing of the candidate’s personal data.

Is this also true for expert calls? Let’s look at a basic scenario: A client uses an expert network to engage with an expert. For simplicity, all parties are based in the EU. Remember that the definition of personal data is rather broad, and that it includes any information that can be used to identify a natural person, even if it needs to be combined with other data. Career history, for example, qualifies as personal data, even if a person’s name has been removed from the résumé.

If we map how the personal data related to experts would flow in this scenario, it would look like this:

In this scenario, the expert is the data subject. The expert network determines the purpose and the means of the processing of the personal data, and hence acts as data controller.

The role of the data controller is connected to a list of obligations and responsibilities. We will take a closer look at two of them: legal basis for processing and data storage limitation.

What does ‘legal basis for processing’ mean?

Whether the expert network is processing personal data in the sourcing stage of a project or after an expert has been contracted, it needs to define a legal basis for each processing activity it undertakes. While the GDPR defines six different legal bases under which organizations can gather personal data, consent and legitimate interest are the ones most often discussed in relation to recruitment.

Consent vs. legitimate interest

Consent means that the data subject has agreed to the processing. Under the GDPR, consent must be freely given and specific to each processing activity. General consent that covers multiple processing activities, or implied consent by pre-ticked boxes, is no longer sufficient.

Legitimate interest means that the organization can prove that it has a legitimate interest in performing the processing (except where such interests are overridden by the interests or fundamental rights of the data subject). Legitimate interest is the most flexible of the legal bases, but it can’t mechanically be used to justify just any kind of processing. The expert network needs to be able to demonstrate that it’s using the expert’s personal data in a way that he or she would reasonably expect, and that there is a valid justification for the data being processed.

Whether the expert network relies on consent, legitimate interest or one of the other legal bases, that basis should be clearly stated in its privacy statement or privacy policy.

What about when expert networks source experts online?

Anyone who has worked with recruiting experts for expert calls knows that it’s a task performed under constant time pressure. Deadlines are tight, and you want to get to the expert before any of your competitors do. Time pressure, combined with the detailed information about individuals’ professional history that’s publicly available online, opens the door to shortcuts. Every now and then, an expert network will introduce an expert profile to a client before the expert has been contracted. Or the recruiter will come across an interesting profile and save it on a hard drive or in an internal system, just in case it becomes relevant later on.

In these cases, the expert network collects personal data from publicly available sources but processes it for its own purposes. As soon as the processing starts, the expert network takes on the status (and responsibilities) of a data controller.

Where personal data have not been obtained directly from the data subject, the controller is responsible for getting in touch with the data subject and informing him or her about the processing. The information should contain details about the purposes for which the data is processed, the legal basis for the processing, the data retention period, and other relevant information. The expert network must contact the (prospective) expert within a reasonable period after obtaining the personal data, and at the latest within one month.

What does ‘storage limitation’ mean?

A principle under the GDPR that clearly affects expert networks is data retention and storage limitation. The GDPR states that data should be stored “no longer than is necessary for the purposes for which the personal data are processed”. This means that a data controller cannot justify storing data for a purpose other than the one it was first collected for. The principle of storage limitation can be interpreted differently, but it’s clear that databases with hundreds of thousands of candidates can become a liability rather than an asset under the new, stricter privacy legislation.

The GDPR also puts an emphasis on data minimisation. Not only should the retention time be kept short; a data controller should also refrain from collecting any data points that are not needed to fulfil the purpose of the processing.

So how well do the expert networks live up to the requirements of the GDPR?

We have looked closely at the privacy documentation of the leading expert networks, and it turns out they interpret the law quite differently. Most of the expert networks identify themselves as data controllers, whereas a few put that responsibility on the expert and reduce their own role to that of a data processor. By doing so they put the expert in a very peculiar position. Very few individuals realise that, by taking on the role of data controller, they let the expert network off the hook when it comes to a lot of the responsibilities related to data processing.

It’s highly doubtful that arrangements in which the expert acts as data controller and the expert network acts as data processor (for the processing of the expert’s own personal data) would hold up in a court of law. The legal relationship between two parties is defined by the processing activities that actually take place, not by what the contract says.

As a client of expert calls, it’s crucial to work with partners that comply with the GDPR. A data breach, or a lawsuit in which an expert network is found to have misused personal data, can severely damage the brand of its clients. Our general advice is to ask your expert network how they handle the requirements of the GDPR, and which responsibility they take in the processing of experts’ personal data. Which processes do they have in place to keep their expert database up to date, and which legal basis are they relying on when processing personal data?

Hopefully this post has cleared up some of the questions related to the GDPR and expert networks. In the next part of our blog series, we will look at the role and responsibilities of the client.