Now that you’ve installed a deep and constant privacy-first approach, and have updated your privacy policy, you’re ready to:

Select the Right Partners for Compliance

The GDPR is an expansive piece of legislation that requires organizations to devote a great deal of thought, effort, and resources to demonstrating compliance, while also respecting the rights of data subjects – who can now impose certain requests and restrictions on the use of their personal data. The process is onerous, and it’s been reported that some companies are spending hundreds of thousands of dollars to prepare.

And while this can seem overwhelming, the good news is you’re not alone, because GDPR imposes obligations and requirements on Data Processors as well as Data Collectors. For employers, this means vendors and applications who help facilitate or enhance your recruiting processes are now also required to help facilitate compliance under the GDPR.

For recruiting and TA leaders, the use of HR technology can greatly help with performing some of your objectives, specific to compliant recruiting data. While you’re working through the inventory phase of your preparedness, it’s worth taking time to survey your recruiting partners and suppliers, and see where they can lend help with reaching your GDPR compliance objectives.

As data processors, we at SmartRecruiters have been working hard to ensure compliance for our 3,000+ customers, and look forward to long, prosperous, GDPR-compliant relationships with all of them.

For more information on getting your company ready for GDPR tune into one of our on-demand webinars.

GDPR Implications on Recruiting in the US

GDPR Implications on Recruiting in the UK

Die DSGVO und ihre Auswirkungen aufs Recruiting

RGPD: Répercussions sur Votre Recrutement

As we discussed in Part 1, the best way to familiarize yourself with the GDPR is to read it. Then take appropriate steps, preferably with trained legal counsel, to make sure all your systems and data across the entire hiring process have been examined, and changed if necessary, to comply with a privacy-first approach. The next thing you need to do is:

Review and update privacy policy to ensure transparency

The GDPR is explicit in its instructions to Data Controllers that proper notice must be given to Data Subjects for how the Data Controller will use, store, transfer and protect their personal information. Relevant to your recruiting process, the most logical example of where employers might provide notice to job seekers is via a Privacy Policy (which you likely already have in place somewhere).

That said, the GDPR requires your privacy policy to be open, accessible and clearly understandable, while also meeting specific notice requirements that employers provide in their privacy policy before any information is gathered from job seekers. For example, with a digital recruiting process, where candidates complete an online application, employers can provide a privacy policy on their career site or as part of the application process. When reviewing and updating your privacy policies, be sure to review the GDPR to ensure the notice requirements are easily accessible and easy to understand by job seekers of all backgrounds and skill levels.

Under the GDPR, the processing of personal information must be fair, lawful and transparent to be legal. The transparency requirement is often satisfied by providing proper notice to a data subject – e.g. an updated privacy policy that identifies what data is processed, for what purpose it is used, and for how long. For processing to be fair and lawful, Data Controllers need to meet and demonstrate at least one of these conditions:

• Data Subject Consents to Data Processing
• Data Processing is Necessary for Contract Performance
• Data Processing is Part of a Legal Obligation
• Data Processing Protects Vital Interests of Data Subject
• Data Processing in the Public Interest
• Data Processing Necessary for Controller’s Legitimate Interest

While not all conditions are relevant to an organization’s hiring process, the most commonly used condition for justifying whether recruiting data is lawfully obtained is consent – i.e. the applicant consented to the application process and/or consented to be a part of the employer’s recruiting/sourcing activities for future job opportunities.

If you are a company that currently relies, or plans to rely, on the use of consent for conducting your recruiting activities, be sure you can demonstrate express consent and record such consent.

Having said that, consent is merely one of several options an organization may use to justify the lawfulness of its recruiting data. Please refer to the GDPR (Chapter 2: Lawfulness, Article 6 & GDPR Recitals – 40 through 47) for more detail around each of these conditions and their applicability to your operations.

For more information on getting your company ready for GDPR tune into one of our on-demand webinars.

GDPR Implications on Recruiting in the US

GDPR Implications on Recruiting in the UK

Die DSGVO und ihre Auswirkungen aufs Recruiting

RGPD: Répercussions sur Votre Recrutement

On May 25th, all companies within the EU, doing business with EU companies, or with one EU citizen as an employee, must have systems in place to comply with Europe’s new personal data laws. How will this affect recruiters specifically? We asked our senior manager of solutions engagement, and this is what she had to say, in three easy parts.

Part 1

If you’re an HR professional or a TA Leader, then you know the entire process of hiring and recruiting centers on the ability to evaluate a jobseeker, which includes relying on the personal data they supply for your team to make a hiring decision. This is true whether a job seeker is actively soliciting opportunities or passively open to a discussion. Examples of “personal data” that fall within the purview of the GDPR are names, contact information, resumes, social profiles, work history, education, experience, salary expectations, and even your existing talent pools, pipelines, and applicant databases.

So it goes without saying, GDPR obligations extend to employers and apply to the personal data that is collected, either directly or indirectly, from sourcing efforts and related hiring workflows that make up an employer’s recruitment processes.

At SmartRecruiters, we understand the implications of the GDPR can feel overwhelming. And while we can’t offer you legal advice (because we’re an HR tech company, not a law firm), we can offer some tips to help organize your thinking as you prepare to have GDPR be part of your recruiting process:

1 – Think “privacy first”.

The first step is often the simplest – start by reviewing the General Data Protection Regulation to familiarize yourself with the requirements, assess applicability, and identify any gaps or areas of risk relevant to your recruiting data and hiring processes. Understanding the the GDPR is crucial for developing and executing a plan to meet compliance objectives. Oftentimes, customers will partner with legal counsel or security/privacy-focused consulting firms at this stage, to navigate the complexity of GDPR requirements, understand obligations and create a plan for readiness. In some situations (as directed by the GDPR) it may be appropriate for an organization to appoint a Data Privacy Officer (DPO) to oversee ongoing compliance efforts and manage data protection risk.

The GDPR introduces us to the principles of “Privacy by Design” and “Privacy by Default,” which serve as a paradigm shift for how organizations think about, approach, implement and manage privacy. In essence, these principles require organizations to take proactive steps for the inclusion of privacy measures at every level of operations and for incorporation into every business process – this marks a shift from the typical control-based approach around data privacy, to a risk-based approach. Success in this endeavor truly requires an organization to adopt a “privacy-first” mindset, and often begins with launching an in-depth inventory of existing business applications, tools, resources, policies, processes, and data, to evaluate risk and potential risk exposure, and then formulate a proactive plan for data privacy measures. Enterprise customers will often work with legal counsel and privacy-focused consultants to facilitate this process given the expansiveness of their operations and systems.

Specific to hiring and recruiting, a good way for employers to get started is by taking inventory of your recruiting process(es). This helps identify areas where proactive privacy measures can be strengthened, and/or embedded into current processes and applications, and/or where privacy measures should be created and implemented to reduce risk and exposure of personal data.

Examples of a “privacy-first” approach as applied to recruiting may include:

• Identifying and labeling the systems used in your HR tech stack (ATS, CRM, HRIS, etc.) to identify risks and gaps between systems and/or for streamlining recruiting data
• Creating a data map specific to your recruiting process that documents both the manual and digital flow of candidates’ personal data (e.g. where sourced, gathered, collected, classified, stored etc.) for fostering transparent communications with job seekers regarding the use of their personal information.
• Identifying any third-party vendors or applications used in your recruiting efforts where data processing agreements may be required
• Noting any associated resources (people and tools) that may access or come into contact with personal data obtained in the recruiting process to implement or strengthen access management policies

Because your hiring process (and your business) is unique, there is no prescriptive template to follow for implementing the principles of Privacy by Design and Privacy by Default. They key is to be able to demonstrate a strategic, ongoing and proactive approach to data privacy across all areas of the organization.

For more information on getting your company ready for GDPR tune into one of our on-demand webinars.

GDPR Implications on Recruiting in the US

GDPR Implications on Recruiting in the UK

Die DSGVO und ihre Auswirkungen aufs Recruiting

RGPD: Répercussions sur Votre Recrutement

Countdown to compliance with General Data Protection Regulations (GDPR) continues. With only 210 some days left on the clock, will your company be ready?

If you’re asking yourself, “What is the GDPR?” then we should probably chat because the GDPR will significantly impact your recruiting efforts in 2018.  Based on the conversations we’ve had with our customers, it’s clear the GDPR hasn’t made it onto everyone’s radar. So, let’s change that.

The General Data Protection Regulation (GDPR) is a major piece of legislation out of the European Union (EU) that could severely impact your recruiting efforts, whether your organization is based in the U.S. or abroad.

“Don’t end up the poster child of non-compliance because examples will be made”

If that doesn’t get your attention, then let’s talk penalties for non-compliance. Organizations that fail to comply with the GDPR will face severe fines － to the tune of $20-million or 4% of worldwide revenue. Yes, you read that correctly. And, if you think no one’s watching – you’re wrong. Don’t end up the poster child of non-compliance because examples will be made.

So, how much time do you have to prepare? While the GDPR technically requires organizations be compliant today, penalties are suspended to allow for the complexity of this transition. GDPR enforcement won’t start for another 217-some days, according to the official GDPR website countdown. So, the good news is you have some time, but the clock IS ticking.

The GDPR is, perhaps, the most expansive privacy legislation to date, significantly enhancing data privacy rights for individuals, while placing obligations of transparency, accountability, and fairness, on nearly every company in every industry that relies on the use of personal data for conducting business. This means, for example, companies engaged in Marketing, Social Technologies, Professional Services, and (you’ve guessed it) Recruiting and HR, among other areas, are subject to this legislation.

“We’re constantly monitoring legislative changes on a global scale to better serve our customers”

At SmartRecruiters, we take data privacy and security seriously －so we’re constantly monitoring legislative changes on a global scale to better serve our customers and, ultimately deliver better recruiting software that enables our customers to meet their compliance objectives. In fact, the team at SmartRecruiters has monitored legislative efforts on GDPR for the past two years. Rest assured, it’s been on our radar for quite some time and we’re pleased to share that GDPR compliance efforts are just one component of our holistic approach to data privacy. In addition we have also taken it upon ourselves to incorporate the principle of privacy by design (PbD) at critical stages of product development －from planning to design and continuing throughout development and delivery.

“We are extremely sensitive to protecting the incredible amount of data that is generated from your recruiting activities”

Because SmartRecruiters supports customers with global operations, both in the U.S. and abroad, we are extremely sensitive to protecting the incredible amount of data that is generated from your recruiting activities. To that end, we’ve prepared a host of items to help your team prepare for the GDPR, including a comprehensive guide to the GDPR for insights and a proactive look at data privacy as it relates to your recruitment activities.

SmartRecruiters is proud to serve as your partner for data privacy while delivering value to your hiring teams through recruitment innovation. We look forward to sharing more about our product development and compliance enhancements, as we partner together to support your journey to compliance.