Performance Management, Supercharged
Note: This article is for general information only and is not intended as legal advice. Organizations should seek out independent legal advice to comply with GDPR.
With the deadline for GDPR fast approaching, ClearCompany has the solutions to make sure you and your company remain within compliance. GDPR, or General Data Protection Regulation, provides more rights to individuals in the EU. This regulation was approved by the European Parliament in 2016 and will go into effect on May 25, 2018.
Part of GDPR is the lawful transfer of data from the EU to the US and one way this can be accomplished is by being a part of Privacy Shield. Privacy Shield Framework helps companies comply with the strict data protection requirements from the European Union. To view ClearCompany’s Privacy Shield policy click here.
Who Needs to be Compliant With This New Regulation?
If at any time you are processing data for EU citizens, then you’ll need to comply with GDPR. Even if you don’t do business in the EU, your company is still in scope because EU residents still have the opportunity to apply for your open positions.
What Happens If My Company Isn’t Compliant With GDPR?
The cost of non-compliance can be up to 4% of your annual global revenue, or 20 million euros, whichever is greater. It’s in your company’s best interest, financially, to make sure you are compliant with GDPR.
Three Key Entities in GDPR
GDPR lays out three different entities in the recruiting process.
1. Data Subjects: In the recruiting process, this refers to active or passive candidates whose data is stored within your organization. These are individuals who can be identified by personal data such as name, address, IP address, ethnicity or gender.
2. Data Controllers: The entity or organization that determines what information it would like to collect from its candidates. In this case the data controller would be you, the client.
3. Data Processors: A company that processes the personal data on behalf of the data controller. ClearCompany will be the data processor.
Candidate Rights
Candidates have the right to access their data and change/update any inaccuracies. Once a candidate has requested their data you must provide it to them within one month and in an electronic format.
Candidates have the right to be forgotten. Any candidate has the right to request that their data be deleted. The data controller must locate this data in every place it lives and delete it within one month.
How ClearCompany Complies with GDPR
ClearCompany is currently in compliance with Privacy Shield and is committed to meeting all of the requirements laid out in GDPR. Below you will find ClearCompany’s present and ongoing commitments for GDPR:
- Provide strong encryption.
- Restore availability of personal data in a timely manner.
- Test the effectiveness of organizational and technical controls on a rolling basis.
- Give our clients the technical ability to delete, display or change candidate data when it’s been requested.
The data controller, or your organization, is also responsible for ensuring compliance with GDPR. One of the principles within GDPR is to only collect data that is ‘adequate, relevant and limited to what is necessary,’ as well as to have a good understanding of your reasons for collecting this data in the first place.
ClearCompany gives our customers the ability to customize what questions appear on their application and to make each question optional or required. As the data controller, you will be responsible for deciding how long this candidate data should be kept on file.
Data Subject Consent
GDPR requires that the data controllers, or you the client, receive consent from EU candidates before having them apply to an open position. If the candidate wishes to not submit their information after viewing your privacy policy and data processing agreement, then you’ll need to give the candidate the ability to opt out. With the ClearCompany Knockout Questions feature you can give the candidate this ability to opt out of the application process, keeping your company within compliance.
If you, the data controller, are contacted at any time by a candidate, carefully review their request and determine whether you need to comply. If you wish to use the candidate’s data for anything other than their initial request, then you’ll need to inform the candidate.
Create a GDPR Privacy Policy
Each data controller will need to create their own GDPR privacy policy. This policy should be embedded in a place where a candidate can easily find and read it. This could be placed within your career site, job description or employment application. Some examples of content that can be included in this policy are:
- The type of information you may be collecting on the candidate.
- Who you will share this candidate data with.
- Appoint a Data Protection Officer (DPO) and provide their contact information.
- Where the candidate data is stored (ClearCompany’s data is stored within the U.S.).
- What rights the candidates have.
- How long you will keep the candidate’s data on file.
- Notify affected individuals within 72 hours of a data breach.
Using ClearCompany’s External Candidate Sourcing Tool
Another way in which many organizations attract talent is by sourcing passive candidates. If you wish to use ClearCompany’s External Candidate Sourcing Tool, then you as the data controller will need to email these candidates ‘within a reasonable period after obtaining the personal data, but at the latest within one month’, in order to let the candidate know that you are sourcing them for a potential position. You, the client, should create a standard e-mail template that can be built in ClearCompany which includes, at a minimum, the following information.
- Send them your organization’s contact information.
- Let the candidate know where you sourced their data.
- Provide a link to your GDPR privacy policy.
The same is true if a candidate is referred to a position, if the candidate hands out a resume at a career fair or if the candidate applies via another method which won’t provide them with the appropriate information on how you, the client, will be processing their data.
What Should I Start Doing Today?
If you haven’t started thinking about GDPR, it’s still not too late. A common way most organizations collect candidate data is by using spreadsheets that provide no audit trail and do nothing to prevent users from creating duplicate copies. This can create headaches for your HR team when attempting to track down all the places their candidate data lives.