As 2018 approaches, almost every company is wondering: does the General Data Protection Regulation (“GDPR”) apply to me, and if so, how do I make sure I’m ready for it? GDPR represents the most sweeping data privacy legislation in the European Union since 1995, and compliance is a must for any company that does business in the EU. In your preparation for GDPR compliance, it’s critical to work with vendors like Lever who understand and will support your compliance needs.
What is GDPR?
GDPR, consisting of 99 Articles and 173 Recitals, is Europe’s new framework for data protection laws. It basically gives EU residents more control over how organizations collect, process, store, and share their personal data online. It requires organizations to undertake certain steps to ensure they are adequately protecting the personal data collected.
When does GDPR go into effect?
GDPR is already law, but due to the extensive new compliance requirements, organizations were given two years to become compliant. GDPR will start being enforced on May 25, 2018.
How do I know if the changes affect me?
GDPR requires compliance from any organization that collects personal data from someone in the EU. As a recruiting organization, that means you need to be compliant if you’re hiring EU residents, and therefore collecting their personal data.
What happens if I ignore GDPR?
The penalties for non-compliance are high. Companies can be fined up to €20 million or 4 percent of their global revenue for non-compliance with key provisions of GDPR. Compared to the prior law, GDPR gives EU data protection authorities more investigative powers as well.
GDPR affects three main groups who are either protected by the Regulation or obligated to comply with it: data subjects, data controllers, and data processors. It’s important to understand each group in order to understand GDPR as it relates to recruiting.
Data Subject → The candidate.
As the person giving their personal information, the candidate is the data subject.
Data Controller → You, the company who is doing the recruiting.
As the company doing the recruiting, you are the data controller because you decide the purposes for which you need to collect data and how to collect it.
Data Processor → Lever, the applicant tracking system, and all other software vendors you use in your hiring processes.
Lever processes data on behalf of its customers, making us a data processor.
Essentially anything you do with personal data is a form of processing. It’s a broad term that includes but is not limited to collecting, recording, organizing, structuring, storing, adapting, retrieving, transmitting, disseminating, restricting, erasing, or destroying personal data.
Data controllers: Some concepts to keep in mind for GDPR compliance
As you probably have already determined, there is no silver bullet for GDPR compliance since the steps each company needs to take for compliance will vary depending on the EU personal data it processes. Furthermore, the text of GDPR establishes data privacy principles, but does not spell out every detail about how these principles should be achieved. Thus, decisions regarding how your organization achieves compliance are best made by consulting legal experts that understand how your business operates.
However, there are some key concepts you may want to keep in mind as a data controller while you prepare for GDPR.
Establishes data privacy principles. The principles concern how to process personal data in a compliant way. Personal data must be (a) processed lawfully, (b) collected for specific and legitimate purposes, (c) limited to what is necessary, accurate and up-to-date, (d) kept for no longer than necessary, and (e) processed in a manner that ensures appropriate security of personal data. In light of these principles, companies may want to consider how they collect candidate data, what they use it for, and how long they store it.
Creates new requirements for how to process personal data legally. In order for companies to process a candidate’s personal data lawfully, one of six conditions – listed in Article 6 of GDPR – must apply. The most relevant conditions for recruiting in a compliant manner are that the data subject (the candidate) has given specific consent, or that the processing is necessary for the purposes of the legitimate interests pursued by the data controller, e.g. evaluating candidates for the purpose of hiring.
Increases data subjects’ rights. Under GDPR, candidates have more control over their personal data, like the right to access (knowing whether their personal data is being processed, and how), the right to rectification (if their personal information is incorrect, candidates have the right to correction without “undue delay”), the right to erasure (the right to request the deletion of their personal data), and the right to object to their data being used for specific purposes – like for a recruitment marketing newsletter. Companies will need to be prepared to respond to and honor data requests from candidates in a timely manner.
Regulates the safe transfer of data to countries outside of the EU. Transfers of data outside of the European Economic Area (EEA) are typically not permitted if the European Commission deems that a country does not ensure an “adequate” level of data protection. GDPR outlines ways companies in countries outside of the EEA that do not have adequate levels of data protection (like the U.S.) can transfer data legally.
Requires reporting of data breaches. Controllers will be required to report data breaches within 72 hours of determining that a data breach is likely to “result in a risk for the rights and freedoms of individuals.” They will also be required to notify their data subjects “without undue delay” after first becoming aware of a data breach.
Allows Member States to make more specific rules in relation to recruitment and the processing of employees’ personal data. Controllers will want to be mindful of Article 88, and be sure to track any additional rules enacted by Member States in this area.
Requires a Data Protection Officer (DPO) in certain instances. GDPR requires the appointment of a DPO in organizations whose core activities consist of large scale processing operations that require regular and systematic monitoring of data subjects or the processing of special categories of data. The data protection officer may be an employee or a contractor as long as they can fulfill the tasks detailed in Article 39, such as monitoring the company’s compliance with GDPR.
Requires maintaining records. Finally, a critical measure of GDPR is that data controllers are required to maintain records of the processing activities relevant to each candidate, such as purposes for having a candidate’s data, logs of how you found them, and envisioned parameters for erasure. Controllers must be able to provide this data upon request. This makes recruiting in spreadsheets and multiple tools a risk for GDPR compliance. Using an ATS like Lever that stores every piece of data and every interaction your company has with a candidate in one place supports your ability to provide records and prove compliance.
If you’re a company that recruits and hires EU residents, you need to be aware of the requirements for processing their personal data. This may impact the way you recruit, like how you notify applicants and sourced candidates about the personal data you're collecting from them and how you store their personal data. For full context, there’s no better resource than the text of GDPR.
As a premium applicant tracking system with global customers, Lever makes data security and compliance a top priority. Our existing best practices around information security and privacy, including our EU-U.S. Privacy Shield certification and SOC 2 Type 2 compliance, provide a strong foundation for compliance under GDPR going forward. Lever is actively preparing for GDPR compliance, and is committed to working with our customers in their compliance efforts.