Get your data compliance obligations right first time. We answer some of the most common questions relating to data security and the General Data Protection Regulation.

The General Data Protection Regulation (GDPR) introduces businesses of all sizes to data security matters.

The strict set of laws control the way organisations can use individuals’ personal data. With heavy penalties for those that fail to comply, the GDPR has become a top concern in a shot amount of time. It has affected the way businesses collect and store data about you; changed the way you browse online; and – if you are an enterprise owner yourself – changed the way you conduct your business.

eBoss was early to tackle our GDPR obligations. As we set our timetable of checks and workflows in place, we realised that this work would be useful to our own customers. We were able to offer advice and guidance to our users to ensure every eBoss customer was GDPR compliant before changes to the law came into effect. Visit our GDPR Hub page for more of our free data compliance support.

On this page, you will find several of the frequently asked questions that our userbase wanted answering. We have reproduced the guidance for you here to browse and refer to at your leisure. Can’t find your answer you were looking for? As an eBoss customer, you can send us your own GDPR questions. We can’t provide specific legal guidance, but we can share some of our own experiences with you.


(Swipe for more >>>)

What is personal data under GDPR?

Q: What is the definition of personal data under the GDPR?

A: In short, any information which may be used to identify a specific, individual (“natural”) person is classed as personal data.

This does not only mean profile data like a contact name, physical address, or email account.

It also includes any identifier which is uniquely attributed to the data subject, their location, or their physical identity. Therefore, data such as IP Address, location data, database identification number, online account data, or factors relating to physical, physiological, genetic, mental, economic, cultural or social identity will all class as personal data.


What are the new rights of the data subject under GDPR?

Q: What are the new rights of the data subject under GDPR?

A: Chapter 3 of the GDPR outlines eight principle rights which data subjects now possess. They are:

  • (a) the right to access;
  • (b) the right to rectification;
  • (c) the right to erasure;
  • (d) the right to restrict processing;
  • (e) the right to object to processing;
  • (f) the right to data portability;
  • (g) the right to complain to a supervisory authority; and
  • (h) the right to withdraw consent.


What are Data Controllers and Processors?

Q: Data controllers and processors – what’s the difference?

A: The distinction between the data controller and the data processor is one of the most important parts of the GDPR.

To summarise, if you choose the methods for processing, or the reason for processing, that makes you a data controller.

If you process data on behalf of another organisation who choose the method or reason for processing, then you are a data processor.

A data controller has a number of additional duties and obligations under the GDPR.


What are legal grounds for processing?

Q: I am trying to get my database of existing candidates into compliance for the GDPR. What are the legal grounds for processing personal information?

A: There are six grounds for processing personal data:

  • (a) Data subject has given consent.
  • (b) Processing is needed to fulfill or establish a contract with the data subject.
  • (c) The controller has a legal obligation to process.
  • (d) When processing protects the vital interests of the data subject.
  • (e) Processing would be in the public interest.
  • (f) The controller, or third party, has a legitimate interest in processing the data. This interest cannot override the rights of the data subject, and cannot be applied to special categories of sensitive personal data.


Which basis for processing is most important?

Q: Which of the six grounds for processing is the most important? Which takes precedent? A: The simple answer is that the most important of the six bases for processing is the one that applies at the time in question. For example, it is not accurate to say that consent is always the most important grounds for processing, nor that you should always seek consent first. If your process fulfills the criteria of one of the legal bases, then you have a right to complete that process. It’s as simple as that.


Which reason for processing should I use?

Q: I have identified multiple legal grounds for processing the same set of data. Which legal basis for processing should I choose?

A: You only require one lawful basis in order to carry out the processing in accordance with GDPR.

You should consider which legal basis may provide conditions for processing which are reliable, and most in-line with your business objectives.

Consider the extent and limitations of certain lawful grounds.

Consider also the additional workload and burden of proof which may be necessary for establishing certain legal grounds (eg: demonstrating a legitimate interest).


How long do I have to erase data?

Q: How quickly must I delete data subject data after receiving a “Right To Erasure” request?

A: GDPR says that a data controller must comply to an erasure request “without undue delay”. As you can see, that is a rather open-ended deadline.

However, while there is no set-in-stone timetable, the regulations are quite strict on what is permissible as a reason for delay. Technological or budgetary shortcomings cannot be used to delay an erasure request.

NB: There is a common misconception that a time limit of 30 days exists for the deletion of data. However, the 30 day time limit refers to a Right to Access request, rather than the deletion process.


Can I avoid sending consent requests?

Q: My recruitment agency holds a database of candidates which I wish to bring into compliance. However, it contains a number of data subjects who I know will not supply consent if requested. This is because of their past misconduct. Can I process their data in any way other than with consent?

A: If you are already processing on the grounds of consent, then probably not. Also, the very fact that you are attempting to avoid a consent request because you know it will be denied is a big indicator that this data could become non-compliant.

For example, if you attempt to process on the grounds of a Legitimate Interest, you would be required to complete a Legitimate Interest Assessment to demonstrate the basis. During this report, you would need to explain the above situation, while balancing the relationship of interests. Doing so would make it virtually impossible to justify the process.


What is a ‘Double Opt-In’ of consent?

Q: What is a Double Opt-In for consent? Why should I use Double Opt-In when I seek consent from my data subjects?

A: A double opt-in is simply a method to double-check the veracity of any given consent from a data subject.

Although it is not always a legal necessity, it should be considered best practice to use a system of double opt-ins, when processing using consents under the GDPR.

A double opt-in can be as straightforward as collecting contact details through an online form, and providing an unfilled checkbox for consent within the form.

The double opt-in part then comes in the form of a follow-up email. This mail can include an embedded link, which “activates” the consent.

By clicking the embedded link, the data subject has supplied a “double opt-in” of their consent to processing.


Sending Marketing Mails Without Consent?

Q: Can I send unsolicited marketing emails without consent? I have read a quote in a blog post which suggests that email marketing constitutes a Legitimate Interest for business?

A: Although it is sometimes possible to send marketing copy on the grounds of a legitimate interest, you probably shouldn’t count on it.

Legitimate Interest for marketing requires a strict balancing of interests between data controller and data subject, the origins of the data, the expectations of the data subject, and many other balancing factors.

For this reason, it might be better to begin from a starting point that “No”, it is not possible to advertise without consent. And then attempt to disprove that assumption with self-assessment and reporting.

If you wish to assess your own claims to a Legitimate Interest for processing, then you should download the eBoss Legitimate Interest Self-Assessment pack.

It contains template forms and a workflow, which help you to assess your own grounds for processing. The resulting report will be invaluable record of your own compliance process.


Handling a Data Portability Request

Q: How do I process a data portability request from a data subject? Can I choose the format I provide their data file in (eg PDF)? Or do I have to provide the format that they request?

A: As a data controller, you need to comply with a “data portability” request made by one of your data subjects – unless you can demonstrate beyond question that the request itself is excessive or unfair.

You must complete the request by providing data in an open and machine-readable format. That means .CSV is acceptable, but .pdf is definitely not.

In fact, even if the data subject asks for a .pdf, you are not permitted to provide one.

The data subject is also allowed to ask you to transfer their data to a third party data controller. You cannot block this type of request without legitimate grounds.


What is ‘Privacy by Design’?

Q: What is “Privacy By Design”? How can I guarantee the security of software which I had no hand in creating?

A: Data Protection By Design is one of the cornerstones of the GDPR. It states that data security and personal privacy must be a consideration at every stage of processing.

In practical terms, this creates a new set of considerations for data controllers. As the question suggests, these considerations will include factors beyond the influence of the data controller – such as software systems and database management.

Obviously, the GDPR does not expect data controllers to develop their own, in-house solutions to these problems. Instead, data controllers will now have to take extra consideration when selecting service providers, to ensure they are appropriate. While the security of individual software solutions is not the responsibility of the data controller, a decision on which service to use will be subject to data protection by design considerations.


The Data Protection Officer

Q: I am a data controller operating in the recruitment sector. Will I need to appoint a Data Protection Officer?

A: Not every data controller will necessarily need to appoint (or hire) a Data Protection Officer (DPO).

However, this is a matter which will need to be assessed on a case-by-case basis.

It might be worthwhile to seek legal advice to inform your decision on this subject.


What will happen with GDPR after Brexit?

Q: What will happen with GDPR after Brexit? Will the laws change again?

A: No. The GDPR applies to businesses anywhere in the world – not just those located within the EU.

The only factor which is important to applying the GDPR is that some of your customers or users are EU citizens. You could be located anywhere on the planet but, if you have clients in the EU, you will need to show compliance to the GDPR. For this reason, there will be no material changes to the GDPR after Brexit.



    Our GDPR Hub has even more information about data protection and the GDPR for recruiters.