On May 25, 2018, enforcement of the General Data Protection Regulation (GDPR) begins affecting any company that does business in the European Union (EU).
The GDPR is a comprehensive European data protection law designed to provide EU residents more control and privacy over their personal data.
Whether or not you are geographically located within the EU, the GDPR affects you as long as you are collecting, processing, and storing personal data of people who live there.
Personal data of data subjects includes names, photos, email addresses, bank details, posts on social networking websites, medical information, and even computer IP addresses.
If you work in hiring and recruitment and collect personal data from candidates who reside in the EU, the GDPR applies to you. This means you must ensure your products and services are compliant with the GDPR by May 28 2018.
Here are 6 details about the GDPR every recruiter should know.
Disclaimer: All materials have been prepared for general information purposes only. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.
1. The roles of data subjects, data controllers, and data processors
1. Data subjects: candidates and employees residing in the EU.
2. Data controller: the organization who decides to, and how to, collect data subject data.
3. Data processor: the organization who processes data on behalf of their customers (e.g., an ATS, an HRM).
Processing is basically anything you can do with personal data including collecting, recording, structuring, storing, retrieving, transmitting, disseminating, erasing, or destroying data.
2. Data Security Standards
Both controllers and processors must comply with Article 32, which requires “appropriate technical and organizational measures to ensure a level of security appropriate to the risk,” including:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
3. Data Subject Consent
According to Article 6, consent is one of six distinct legal grounds upon which a controller can process personal data. As long as one of the following conditions applies, processing will be compliant with the GDPR:
- the data subject has given consent;
- processing is necessary for the performance of a contract to which the data subject is party (e.g. an employment contract);
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party.”
Collecting resumes and other relevant information is a “legitimate interest” of a company who is trying to evaluate candidates for employment, it would be expected by the applicants, therefore, there is no need to obtain consent from job applicants.
It is up to the controller (i.e., the processor’s customers) to determine or seek legal advice regarding the lawful bases for processing a candidate’s personal data.
To prepare for the GDPR, software applications such as applicant tracking systems are adding features to help their customers manage their notice and consent obligations. For example, configurations to allow customers to provide notice and/or add links to their Privacy Policy, and to collect specific, unbundled consent, where appropriate, from their candidates for different data processing activities as relevant to their business (e.g., to process application data, to contact candidates for relevant future job opportunities that they did not explicitly apply for, etc.).
The GDPR does not require a recruiting processor’s customers to obtain consent from job applicants to transfer their personal data from the EU to the US or Canada. Article 46 of the GDPR explicitly states that data transfer to the US or Canada is legal if the controller and processor have entered into standard contractual clauses adopted by the EU Commission or if an approved certification mechanism demonstrates the processor’s commitment to certain data protection safeguards (e.g., the Privacy Shield).
4. The Right to Be Forgotten
As a processor, software applications (e.g., applicant tracking systems) have processes in place that permit customers to honor candidates’ requests to correct or delete their personal data and assist customers on a case-by-case basis to respond to candidates including opt-outs to help customers respond to the right to restriction and/or objection to processing.
For example:
- Identify candidates that have been in the database beyond the customer-specified retention period;
- Quickly email candidates to refresh their consent; and
- Easily delete candidates who have not provided their consent.
5. Enhanced Rights to Notice and Access
Article 15 grants data data subjects a more robust right to access their personal data that is being processed.
As a processor, software applications (e.g., applicant tracking systems) have added features that will enable their customers to execute upon requests from individuals to access the personal data concerning them.
6. The Right to Object
Article 21 of the GDPR grants data subjects an unequivocal right to object to their personal data being processed for direct marketing purposes and related profiling.
As a processor, software applications (e.g., applicant tracking systems) have added features that will enable their customers to execute upon objections from individuals (e.g., a “do not email” feature).