The General Data Protection Regulation (GDPR) gives EU residents more control over their personal data. The GDPR applies to any company that does business in the EU and collects personal data from prospects, employees and candidates who reside in the EU.
Adopted by the European Parliament in April 2016, the GDPR has been in effect since May 25, 2018. Non-compliance with the GDPR can result in fees of up to €20 million or 4% of global annual revenue - so your company needs to be ready!
The GDPR creates new obligations for your company to help individuals control the personal data you collect about them. This includes the hiring data that is housed in JobScore, so we have analyzed our platform to help you mitigate risk. We are actively preparing to help our customers comply with the GDPR.
This article includes JobScore’s position on the GDPR and our plans to provide tools to manage candidate data to help our customers be compliant. Everything in this article is for general information purposes only, and does not constitute legal advice.
You’ll likely need to establish internal procedures and policies for GDPR compliance and we are committed to helping you in that effort. If you have questions after reading this article, please have your attorney email gdpr@jobscore.com.
Definitions
The GDPR specifically defines the actors in data privacy. Here’s our take on who is who:
- Data Subjects: Candidates, because they are the ones whose data is being shared. (and your employees residing in the EU who use JobScore, but that is not discussed here).
- Data Controller: Your company, because you own your data and “determine the purposes and means of the processing of personal data” - meaning you decide what data to collect, how to process it and when to delete it.
- Data Processor: JobScore, because we process data on the behalf of many companies according to their specifications.
The GDPR gives rights to data subjects. This creates compliance obligations for data controllers and the data processors who serve them. For more detail about these definitions, please refer to the full text of the GDPR here >>
Individual Rights
The GDPR can be most easily understood as a series of rights for individuals (data subjects) that companies (data controllers) must support. Individual rights include:
Right to Notice
According to GDPR Article 12 (1) data controllers must have a “concise, transparent, intelligible and easily accessible” policy that uses “clear and plain language” about how you handle an individual’s personal data.
According to GDPR Article 13 you must show the policy to people when they share their information with you (when candidates apply for a job).
According to GDPR Article 14 when your company collects information on people, you need to share your data policy with them “within one month” (this applies to candidates you add to JobScore in any way other than the individual adding their own information directly to the system)
JobScore Approach
As a data processor, we assert that you (the data controller) need to clearly and concisely document exactly what you do with people’s personal data to meet the requirements of Articles 12-21. Our opinion is that this will likely not only be in your company’s privacy policy but also a separate “plain English” document that we refer to as your “recruitment data privacy notice.”
We recommend that you engage an attorney to help guide you through the necessary privacy decisions and have them draft this document. The decisions that you make regarding your policies will impact how you remain compliant and support the individual rights described herein.
To ensure compliance with Article 13 we recommend that you publish your recruitment data privacy notice on your own website. In addition, JobScore will make it easy to present a link to this policy to candidates at the time of data collection (i.e. when they apply for a job). When you activate our GDPR compliance feature and paste in a link to your recruitment data privacy notice, it will be shown to all candidates on the job application form where they enter their personal information.
Compliance with Article 14 requires you to send notifications to candidates that are added directly to JobScore within 30 days. Customers who activate the GDPR compliance feature will have a link to their recruitment data privacy notice inserted in the footer of the first email you send to the candidate through JobScore to meet this notification requirement for sourced candidates.
Right to Access & Data Portability
According to GDPR Article 15 people have the right to know what information you have on file about them. This means that if an individual asks for it, you need to give them a copy of their information.
Furthermore, according to GDPR Article 20 this data must be in a format where it can easily be transferred between systems so it is "portable."
JobScore Approach
Today you can download both candidate resumes and fielded candidate data from JobScore. We are adding functionality to streamline downloading an individual candidate’s personal data (like the candidate’s name, phone number, email and current employer / job title) as an .xml file prior to the May 25, 2018 deadline.
This .xml file will meet the requirement of the data subject’s information being easily portable to other systems.
Right to Rectification
According to GDPR Article 16 people have the right to have you update and correct any incomplete information you have about them.
JobScore Approach
Rectification requests will be handled in a similar way to access requests. JobScore provides the ability to edit candidate records and tracks the fact that edits took place. After you make edits, you’ll be able to download the candidate’s updated data as an .xml file to send to them to verify that requested edits were made.
Right to Erasure (aka Right to be Forgotten)
According to Article 17 people have the right to request that their data be removed, so you’ll be required to erase a candidate’s personal data when they ask you to.
Article 17 also states that you must have a data retention policy (an erasure policy) and that it must be included in your recruitment data privacy notice.
JobScore Approach
Requests
Account administrators can delete candidate profiles upon request in JobScore. So, if you receive an erasure request, visit the candidate’s profile and click on the “x” button in the upper right hand corner of the page and all information about the candidate will be purged from JobScore.
Data Retention Policy
Your recruitment data privacy notice must document your data retention policy, but the GDPR does not define specific guidelines. The only guidance afforded is that personal data should be stored “no longer than is necessary for the purposes for which the personal data are processed.”
At JobScore we believe that collecting personal data for hiring is a “legitimate interest” (see consent, below) and personal data is incredibly useful and should be preserved. The purpose of the JobScore system is not just to collect applicants and select someone to hire… we also analyze and report on recruiting data to help your company get better at hiring.
We recommend that your data retention policy be to keep candidate information file for many years (a long time). Here are few examples of why:
- Name and contact information: It is commonplace in recruitment to reconsider and re-interview candidates for newly opened positions. Simply, just because someone wasn’t good for one role doesn’t mean they won’t be great for a different role in the future. If a person’s name and contact information are erased, how would you find them and contact them again about another job?
- Work and education history: JobScore is specifically designed to help customers refine their understanding of the “right fit” for new jobs based on past recruiting activity. Specifically looking at who was considered for past roles - and who did well and who didn’t - is an excellent indicator of who might be appropriate for a newly opened job. If the work and education history of past candidates are erased it would be impossible to build better talent profiles and hire the best candidates.
Hence, we not only recommend having a data policy where personal data is kept for a long time, but that you state in your uses of data that:
- Data will be used to create talent profiles
- That you will analyze data in aggregate to improve your ability to find and hire great people
- That you may choose to contact candidates about other employment opportunities in the future.
Despite our recommendation, we recognize that you may choose to have a policy of automatically deleting hiring related personal data quickly, either because your country has more stringent erasure requirements, or your legal team recommends it.
For this reason we are building a feature that automatically deletes candidate personal data based on a number of months from the notification date that you select (and explicitly state in your recruitment data privacy notice).
If your firm wants to delete candidate data according to different rules, please email us at gdpr@jobscore.com to see if we can meet your needs.
Erasure mechanism
Our current “purging” approach to data erasure is problematic in terms of maintaining data quality and getting full value out of JobScore’s reporting features, especially in the context of large scale programmatic candidate profile deletion.
For this reason JobScore is adding a second approach to erasure (Pseudonymization) where personal data is removed but de-identified records are preserved for reporting purposes. This feature will be activated automatically for all customers that turn on the GDPR Compliance feature.
Right to Object
According to Article 21 people have the right to object to their personal data being processed for direct marketing and related profiling purposes. This means they have the right to request that you no longer send them emails or otherwise solicit them (effectively “opting out” of future communications).
JobScore Approach
JobScore does not support sending marketing email or other direct solicitation communications. The JobScore interface only permits you to send emails to candidates about specific job opportunities (transactional emails which we consider a “legitimate interest”). Sending product marketing or general newsletter emails through JobScore is not supported.
If we add marketing features to the JobScore platform in the future we will support this “right to object” as an opt-out. Today, if a candidate communicates that they object, we recommend erasing their candidate record (see Right to Erasure, above).
We do not recommend that you export data from JobScore to other systems to send marketing emails unless you specifically include this practice in your recruitment data privacy notice. If you choose to do this, we recommend you manage objection requests from data subjects (requests to opt out) in the system you choose to send marketing communications, not JobScore.
Data Controller Responsibilities
Consent
A common misconception about the GDPR is that data controllers will need to “secure consent” from data subjects to process their data. GDPR Article 6 “Lawfulness of Processing” states that data can be processed for the “legitimate interests” of the data controller.
Collecting resumes and other relevant personal information is a “legitimate interest” of a company trying to evaluate and hire candidates. Simply put, candidates expect that you'll need to review their personal information to consider them for job opportunities. While companies DO need to notify candidates of their data processing practices and respect their rights, they DO NOT need to collect consent to do so.
JobScore Approach
As we anticipate that virtually every company will want to avoid the complexity and expense of collecting unnecessary consent for recruitment data, we do not have plans to build a specific feature to collect and store consent from candidates. If your legal team disagrees with our opinion, we’re sorry to hear that - it’s going to make it a lot harder for you recruit people. We strongly recommend that you pursue a "legitimate interest" candidate notification strategy (outlined below).
That said, JobScore is a powerful and flexible platform ... while you could create a checkbox question to collect consent from inbound job applicants, recording candidate consent outside of the inbound job application form will be very difficult and unwieldy. We also do not plan to build self-service consent management by candidates at this time.
Notice
Article 6 of the GDPR states that companies are required to provide notice to data subjects whenever they collect personal data. In the notice, companies need to identify the lawful basis for processing personal data, processing practices and your data retention policies.
We recommend that you engage legal counsel to draft your recruitment data privacy notice and corresponding data privacy procedures. A layman’s overview of what to include in your notice and a few best practices are outlined in our GDPR checklist for HR & recruiters.
JobScore Approach
What’s important is that JobScore can’t write your recruitment data privacy notice or set data privacy procedures for you. You are responsible for creating your recruitment data privacy notice and making it public. Here's what JobScore will do to help you with notification:
- Include a link to your recruitment data privacy notice job application forms.
- Automatically include a link to your recruitment data privacy notice in the first email sent to candidates who reside in Europe who are directly add to the system by someone else.
Request Management
According to the GDPR your company must provide an easy way for data subjects to request access, rectification or erasure of their personal information.
JobScore Approach
JobScore will not help you manage inbound requests from data subjects. We recommend that you create a dedicated email address to gather these requests and include it in your recruitment data privacy notice. Furthermore, we recommend you document internal procedures about how requests will be handled and how to perform necessary actions in JobScore and other systems to address them.
Response Management
According to GDPR Article 12 (3): “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.” This means that if people ask for access, rectification or erasure, you need to tell them that you did it.
According to Article 12 (4) you also need to let them know if you didn’t do anything (likely because you don’t have a record to share, update or erase).
JobScore Approach
While JobScore will create a downloadable .xml file with the data subject’s information for you to share, we will not automate the sending of this information to the data subject ... but you can do this on your own. We will also not automate communication regarding erasure events.
This is is because the domain of the GDPR is broader than just the information housed in the JobScore system. Requests may require gathering, editing and deletion of data across multiple systems to successfully honor requests from data subjects.
For this reason we recommend that you create a single email inbox to process all data subject requests and send all responses from the same email account. This will generate a record of requests and responses in a single repository.
Processing Record
According to GDPR Article 30 companies with more than 250 employees are required to maintain records of their processing activity.
JobScore Approach
Prior to May 25, 2018 JobScore will document what data we process and how we process it per GDPR Article 30 (2) on this page. As a reminder, data controllers must document their data collection and processing practices in their recruitment data privacy notice to be compliant.
Data Processor Responsibilities
Data Security
According to GDPR Article 32 data controllers and processors must apply a reasonable level of security to the data collected against loss, unauthorized changes, or data breach.
JobScore Approach
JobScore maintains a comprehensive information security program that is summarized in our public Security Statement.
International Data Transfer
JobScore’s servers are located in the Amazon AWS cloud in the United States. GDPR Article 46 outlines the safeguards that must be in place for the exportation of personal data outside of the European Union.
JobScore Approach
JobScore has a two-pronged approach to meeting the safeguards mandated by the GDPR:
- Privacy Shield: JobScore maintains EU-US and Swiss-US Privacy Shield certification (and prior to the Privacy Shield program, maintained Safe Harbor certification). This certification commits JobScore to the protection of personal data transferred to and stored on servers in the US at levels conforming to GDPR requirements. This certification and its consequence are detailed in JobScore’s Privacy Policy. Our participation in the Privacy Shield program and public notice thereof constitutes sufficient notice and description of our commitments to the transfer and processing of personal data outside the EU.
- Data Processing Addenda: If your legal team wants contractual commitment between your company as data controller and JobScore as data processor, JobScore will be happy to provide our Data Processing Addenda that establishes the same commitments and principles covered by the Privacy Shield program. Please email gdpr@jobscore.com to request a copy.
Conclusion
Though it creates additional work and risk for data controllers and processors, the GDPR feels like a great step towards helping individuals secure their privacy rights.
We look forward to working with the JobScore community to help you define, refine and execute your data policies.
As a reminder, everything included in this article is for information purposes only and is not legal advice. To author your firm's data policies and notices, and for formal advice on compliance requirements, we recommend that you hire professional legal and compliance experts.
Please email gdpr@jobscore.com if you have any questions or comments about the content herein.
Last updated: January 3, 2019
Comments