The General Data Protection Regulation (GDPR) directly impacts the way organizations go about their hiring process and how candidates' data is collected and secured in their applicant tracking and recruitment systems. This is a significant step towards data privacy and outlines how companies should deal with a user's data.
Below we look at some key terminologies as well as how organizations and their recruiting teams need to approach this initiative to meet the compliance requirements.
Note: This document is for general information purposes only and outlines how Simplicant will be able to assist its customers in achieving GDPR compliance. This information is not legal advice. You should consult your own legal department regarding your organization's specific position on data protection.
What is GDPR?
The General Data Protection Regulation (GDPR) is a set of regulations outlined by the European Parliament to enhance the digital rights of EU citizens and increase the protection around their personal data. It provides a framework for companies on how to collect, store and process the personal data of individuals residing in the EU. This means that most of the information or personal data you collect from EU candidates as part of your recruitment process will come under this regulation.
What data is covered under GDPR?
The regulation concerns the personal data of an individual, which is defined as "any information related to a natural person or 'Data Subject', that can be used to directly or indirectly identify the person."
Which organizations should be concerned about GDPR?
This regulation affects any company that does business in the EU, and hence applies to your organization if you do hiring within the EU region. Since recruitment involves the processing of personal data, the regulation is applicable to your hiring process. Even where no fine is applied, you may still be subject to warnings or corrective orders.
What are the costs associated with non-compliance?
The regulation requires organizations to be compliant in their data processing activities and procedures by May 25th, 2018. Non-compliance can result in a financial penalty of €20 million or 4% of global revenue (whichever is greater).
Which entities get affected by GDPR?
The GDPR identifies three types of individuals (or groups) that are directly impacted by this regulation because they have either personal rights or personal obligations when it comes to data.
Data subjects: refers to candidates residing in the EU who provide their personal data when applying for your jobs.
Data controller: refers to you, the employer, who is hiring and collecting information about these data subjects and decides the purpose and use of the information collected. You remain the controller whether you collect data yourself or use a tool, product or service that operates on your behalf.
Data processor: refers to a platform or service provider, like Simplicant, that collects and processes the data on behalf of, and on the instruction of, the employer (you). As an employer, you may have multiple data processors.
What are the GDPR requirements?
Below are some of the key principles that your organization must follow to ensure compliance. Your data processing activities should meet these requirements when it comes to the personal data of EU candidates.
As an applicant tracking & recruitment platform, we understand the responsibilities of a data processor. Our goal is to build and provide our customers with the technology platform and tools for managing their hiring process, including data collection, in a compliant way, while striving towards a secure and reliable system that addresses your organizational hiring objectives.
Below are some additional FAQs around recruitment, data processing and storage and how Simplicant is assisting customers in meeting their compliance objectives.
Does the data processing of non-EU citizens residing in EU also fall under GDPR?
Yes. GDPR is applicable to the data processing of individuals living in the European Union.
Is GDPR only applicable for candidates who applied after May 25th, 2018 or does it also concern the candidates already in the system who applied previously?
It is generally recommended to get consent from all existing candidates in your recruitment database to be fully compliant and reduce the risk of falling foul of the regulation. If you already have consent from previous candidates in some form, it may be considered valid.
What format should a candidate's consent be acquired in: a signed document or electronic confirmation?
Since the data processing is based on consent, GDPR requires that you should be "able to demonstrate that the data subject has consented to processing of his or her personal data". This usually means a written or electronic confirmation. A SaaS applicant tracking system such as Simplicant can cater to this through built-in capabilities.
Should we mention how we will process the data while collecting candidate consent?
How do we obtain consent from manually sourced candidates or those who submitted an application by hand?
Each organization will need to figure out a way to record consent such as getting signed forms, or electronic confirmation. Simplicant offers the ability to request consent, based on applied criteria, from any candidate directly through the system.
If we use an ATS for candidate application, does that imply consent collection?
Simplicant's applicant tracking platform offers the capability for a company to acquire clear and explicit consent from its candidates, which is then stored inside the system to help with compliance needs. Not all systems have the functionality or capabilities to support GDPR compliance.
Does email communication during recruitment constitute consent?
No. You are required to collect explicit consent from a candidate to be able to store and process their personal data.
How do we collect consent from candidates who apply from public job boards?
As a data controller (employer), it is your responsibility to collect consent and to incorporate steps in your application process that make it easier for candidates to provide consent. If the job boards are not GDPR compliant, you can have the candidates complete the application on your careers site, where you have the ability to collect consent.
How do we collect consent from candidates who apply directly through our careers site?
It is generally recommended to have consent collection be part of your application process. A careers site that is powered by Simplicant makes it easier for employers to obtain consent from the candidates.
How do we address candidates' requests for data access?
With a GDPR compliant ATS, it is easy for employers to address candidate requests to update, erase, or access a copy of their data. Simplicant's platform has the built-in functionality to make data management easier.
If a candidate declines a job offer or gets rejected, are we allowed to keep their data in our system?
If you have permission from the candidate to keep the records in your system for future opportunities, then yes, it is permissible. However, this permission or consent must be explicitly sought and stored in the records for future reference.
Can we still use Excel or spreadsheets to track candidates and manage recruitment?
Using a manual process or similar tools increases the possibility of non-compliance with GDPR. A cloud based applicant tracking system assists in meeting the requirements laid out by this regulation. With a GDPR compliant recruitment platform, such as Simplicant, your organization will be able to
If my organization is based in the EU, are we required to host our candidate data in the EU zone?
No. It is not necessary to host your candidate data in the EU to be compliant. Please note that storing your candidate data within the EU zone does not automatically ensure GDPR compliance. An applicant tracking platform that specifically addresses GDPR compliance needs, by providing the functionality to put the requisite processes in place, can help ensure that your organization meets the regulation's guidelines.
How long will Simplicant store candidate data?
As per the regulation, your organization (the data controller) will need to decide how long you wish to keep candidate data in Simplicant, as needed for your hiring requirements. Simplicant assists in configuring the retention period and then implementing it across the board. Once the consent period lapses, you must either re-collect the consent to continue storing the data or delete it immediately.
Is the candidate data stored in Simplicant deleted automatically?
The data is not deleted automatically but will need to be removed by an Admin user (one possessing rights to the delete function).
How can we collect consent from candidates that are already in the system?
If you have candidates in your talent database who have previously applied to your company or were manually sourced, and you plan to keep their data in the system for future job roles, you will need to contact them and ask for permission to ensure proper compliance. Simplicant provides the functionality for you to easily initiate the process of collecting consent, directly through the system, either for an individual or for multiple candidate profiles.
How does Simplicant handle requests from candidates who submit a request to see the data that our organization holds about them?
Simplicant gives you various capabilities to address such requests from candidates by providing basic information about their profile. Additionally, our team will look at such requests on a case-by-case basis. Kindly contact us via firstname.lastname@example.org for further assistance.
How does Simplicant ensure security of candidate data?
Simplicant is committed to the security of our customers' data. Our technology, infrastructure and process management practices ensure that high standards are maintained for providing the appropriate level of security. To learn more about Simplicant's security measures, please visit this page.