Now that the GDPR, the European Union’s General Data Protection Regulation, has gone into effect (as of May 25, 2018), the time to prepare for the regulations has passed. It’s here to stay and it’s imperative that all companies that process personal data of EU citizens must comply or be subject to hefty fines. HR departments will play a crucial role in ensuring that employee data is processed lawfully, and appropriate information is given to employees about the use of their data.
Candidate Rights with GDPR
At a high level, under the GDPR, candidates have the right to:
- be informed that their details are stored on your system, and for how long;
- give or withhold consent for their data to be stored and/or processed by your system;
- know why you are requesting, storing, and/or processing their information;
- know who will have access to their data (staff, countries, and third parties);
- access the information that is stored on your system;
- have any incorrect information on your system corrected;
- have their data removed from your system;
- restrict the processing that you do with their data on your system;
- download their information in a standard format.
In this post, we’ll focus on the removal of candidate data and data accessibility (portability).
Under the GDPR, candidates have the “right to be forgotten or right to erasure,” meaning that they can request their data to be erased when it is no longer necessary for the original purpose.
At the minimum, companies must enable candidates to access and review their data, to update their data, and even allow for full erasure upon request in many instances. With regards to data portability, recruiters must also be able to provide all the personal data they have on a candidate, when requested by the candidate, in a portable format. The GDPR states that each candidate has the right to transfer their data anywhere they prefer.
It’s important to note that the GDPR isn’t just about companies who hire in the EU. In the short term, it’s about employers who are employing EU citizens wherever they may live.
The Role of Your Recruiting Vendors: ATS and CRM
When you’re working with recruitment software, whether it’s an ATS, CRM, or job board, it is recommended that you choose a company that is knowledgeable about the new regulations and that has appointed a data protection officer (DPO). Otherwise, it is your company’s responsibility to have someone in the DPO role.
Most HR technology companies are familiar with the GDPR. However, each vendor and service provider has its own interpretation of how to comply, what its responsibility is, and how involved it is in the role it plays with your candidate data.
Section 4 of the GDPR outlines the requirement for applicable firms to appoint a DPO. According to Article 37(1), data controllers and processors shall designate a DPO where:
- (a) The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- (b) The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- (c) The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10.
Most firms required to appoint a DPO would fall under subparagraphs (b) and (c). Article 39 outlines five minimum tasks that the DPO must perform:
- Inform and advise firms and employees who carry out data processing on applicable data protection provisions;
- Monitor compliance with the GDPR, other data protection provisions, and additional internal data protection policies, including training and auditing;
- Advise on data protection impact assessments (DPIAs);
- Cooperate with the supervisory authority;
- Serve as the main contact for the supervisory authority.
Ideally, your recruiting technology company will have a DPO designated in the EU who manages and serves as the point-of-contact for GDPR compliance.
Talk to your ATS, CRM, and other vendor partners to really understand how they are interpreting GDPR regulations and what their record deletion process entails.
Deleting and Anonymizing Candidate Data
For example, your vendor may offer:
- A GDPR deletion process for candidate data that can be anonymized, allowing either the candidate to request the deletion or the recruiter working in the recruiting technology to act on the request.
- A configurable data retention period with an expiration date. Once the retention period has expired, the candidate details are deleted automatically.
- The ability to manually delete, export, or make portable candidate profiles and related records.
Once deleted, the candidate data will no longer be available on your reports, nor should you retain it elsewhere. It should be fully anonymized and removed from all databases, records, and online systems.
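One way to implement the retention expiry, erasure on request, portable export and report exclusion described above, as an added Python example that is not the page's or any vendor's code; the field names, the sample candidates and the retention period are assumptions:

```python
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed names of the fields that identify a person; everything else
# (e.g. the role applied for) is kept as non-identifying residue for counts.
PII_FIELDS = ("name", "email", "phone", "cv_text")


@dataclass
class Candidate:
    candidate_id: str
    created: date
    data: dict
    anonymized: bool = False


class CandidateStore:
    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.records = {}

    def add(self, cid: str, created_iso: str, **data) -> None:
        self.records[cid] = Candidate(cid, date.fromisoformat(created_iso), dict(data))

    def anonymize(self, cid: str) -> None:
        """Erasure on request: strip every PII field and mark the record."""
        rec = self.records[cid]
        rec.data = {k: v for k, v in rec.data.items() if k not in PII_FIELDS}
        rec.anonymized = True

    def expire(self, today_iso: str) -> list:
        """Automatic deletion once the retention period has expired."""
        today = date.fromisoformat(today_iso)
        due = [c.candidate_id for c in self.records.values()
               if not c.anonymized and today - c.created > self.retention]
        for cid in due:
            self.anonymize(cid)
        return due

    def export(self, cid: str) -> str:
        """Portability: all personal data held, in a standard format (JSON)."""
        rec = self.records[cid]
        if rec.anonymized:
            raise KeyError(cid)  # nothing personal is left to export
        return json.dumps({"candidate_id": cid, **rec.data}, sort_keys=True)

    def report(self) -> list:
        """Reports never surface anonymized candidates."""
        return [c.data for c in self.records.values() if not c.anonymized]
```

The same anonymize step serves both the candidate's request and the scheduled expiry, so there is a single place to audit that no PII survives.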
The most important factor for you and your company when it comes to GDPR compliance is understanding how your recruiting technology software company is responding to the new regulations and what steps your team must take with regards to candidate data.