On May 25, 2018, the General Data Protection Regulation, or GDPR, will come into effect in the European Union. The GDPR is a data protection and privacy regulation designed to afford EU residents with more control over their personal data by unifying data protection regulations across the EU.
Essentially, the GDPR gives EU citizens more control over how their data is used. This “data” can come in many forms, but for Criteria the most relevant forms of data include personally identifiable information (or PII), which can include people’s names, email addresses, and any other information that distinguishes someone’s identity. GDPR makes it possible for EU citizens to request access to their own data or request that their data be removed, among other rights to control the usage of their personal data.
The GDPR applies to all companies that collect or process personal data of EU residents, regardless of the company’s location. Criteria Corp takes data security, and especially an individual’s privacy rights, very seriously. In accordance with the new regulations, we have a solution in place and will be fully compliant by the deadline in May.
The main issues addressed in the GDPR that relate to Criteria Corp include:
- Data Breach Notification: Data Processors are required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
- Right to Access: The Data Controller must receive consent from each individual after informing them what personal data is being collected, what is being processed, where, and for what purpose(s).
- Right to be Forgotten (Data Erasure): The individual has the right to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data Portability: The individual has the right to receive the personal data concerning them, unless it has been sufficiently anonymized.
- Privacy by Design: Data protection needs to be designed from the onset of the designing of systems, rather than addition as an afterthought.
- Data Protection Officers: Each company must have an individual whose expertise and responsibility is data protection and internal monitoring to ensure compliance with the GDPR.
As it relates to our testing platform, in most cases Criteria's platform collects an individual job candidate’s name and email address (personal information). In some cases, Criteria may also be used to collect resumes and take online job applications (also personal information). Demographic data, such as age, gender, ethnicity, etc., is optionally provided by candidates, under the assurance that Criteria uses this data internally, in anonymized aggregate form only, to evaluate and refine test questions to reduce adverse impact and to provide normative data for test results. If a customer requests, Criteria may share this demographic data however it is provided only in anonymized, aggregate form, in full compliance with GDPR.
In the case of an erasure request from an individual or a customer, Criteria thoroughly removes all PII: deleting name, email, resumes, and applications from the Criteria database, thereby complying with GDPR.
Even though Criteria is fully GDPR-compliant, some companies may still prefer not to have any PII in any third-party company databases. For these companies, Criteria designed the “No PII” feature. When selected, “No PII” keeps Criteria from collecting name or email address from individuals. Test Event IDs are provided to the customer who sends them itself, to candidates. Criteria still administers tests, provides score reports, and allows candidate comparison, but no PII is on the Criteria servers or in its database.