Not an alternative - but the only obvious defence is to do the right thing, and delete data as soon as you have completed processing. e.g. delete those interview notes the second you have declined the candidate.
That's ridiculous. Has anyone in this thread actually ever run a recruiting operation?
I have. There's no way we will be deleting interview notes the moment a candidate is rejected. For one, we have to be able to prove later that we didn't reject based on grounds of discrimination (other regulations). But you also need the ability to review what your interviewers are doing to ensure consistency and quality of assessment. We also go back and re-read interview notes if someone doesn't make it through probation or gets fired, to see if we could have picked up on the issue earlier.
But hey GDPR defenders, here's a question to ponder. I have argued above that I legitimately need interview notes for the operation of my business. If you disagree, what makes you so sure your interpretation is correct and not mine? Don't you think it'd be good if we could resolve this disagreement in some clear way, like if the law itself spelled it out?
The onyl change you need to make is to be able to delete information about criminal offences when those convictions become spent. Arguably that's not a new requirement, but GDPR does make it clearer.
> I have argued above that I legitimately need interview notes for the operation of my business.
That's the point. You're keeping data to comply with a law (Equality laws) or for legitimate reasons, and so you don't need permission and you don't need to delete it when asked.
> Processing shall be lawful only if and to the extent that at least one of the following applies:
> processing is necessary for compliance with a legal obligation to which the controller is subject;
> processing is necessary in order to protect the vital interests of the data subject or of another natural person;
> processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
> I have argued above that I legitimately need interview notes for the operation of my business.
I agree that you do legitimately need interview notes, but I don't understand why this conflicts with GDPR. In other words, why am I not allowed to see my interview notes?
We were talking above about deleting them, not publishing them.
But interview notes tend to contain personal evaluations of people, often critical. If interviewers believe they are effectively having to criticise people to their face (which is what this change would do), then they won't be willing to be as honest. No interviewer wants an angry job candidate tracking them down via LinkedIn or whatever and then getting mad because you wrote that they sucked in their notes.
This is an interpretation of the GDPR that I don't think makes any sense or aligns with the original intentions at all, but moreover, if it was interpreted and enforced that way it simply means firms would switch to discussing candidates in person and not write down evaluation notes at all.
> There's no way we will be deleting interview notes the moment a candidate is rejected. For one, we have to be able to prove later that we didn't reject based on grounds of discrimination (other regulations).
The fun of red tape. You will be violating one or the other regulation, that’s the beauty of it.
