The General Data Protection Regulation (GDPR) is a new set of regulations that began to be enforced on May 25, 2018. The GDPR gives EU residents more control over their personal data. Non-compliance with the GDPR can result in fees of up to €20 million or 4% of global annual revenue - so your company needs to be ready!
We’ve separately published a detailed article for lawyers and compliance professionals that explains how JobScore is preparing to help employers with GDPR Compliance.
This article is a checklist for recruiters and HR professionals who want to know exactly what needs to happen to keep your account in compliance. While we’ve consulted with a number of knowledgeable folks about this checklist and how to configure JobScore to help with GDPR compliance - what’s included here is not legal advice. We strongly recommend that you get your own independent legal advice about GDPR and your company’s data policies & practices.
Does my company have to comply with GDPR?
The GDPR applies to any company that does business in the EU and collects personal data from prospects, employees and candidates who reside in the EU.
So, in short, probably. If your company does business in the EU (has paying customers there) and/or you have employees who reside in the EU, you need to comply.
Even if that’s not true, some of your customers and partners may require that you be GDPR compliant. If in doubt, comply. The consequences for non-compliance are steep. Better safe than sorry.
1. Complete a data audit
GDPR is about more than recruiting data, it’s about how you handle personal information across your entire business. To successfully comply, your organization will have to conduct and audit all of its systems and practices for handling personally identifiable information. As an HR or recruiting professional, we strongly recommend that you ask for help doing this and not try to lead an audit yourself.
The first step to get help is to raise awareness of the need to be compliant. We recommend starting your communications with the potential penalties of €20 million or 4% of global annual revenue. Chances are folks on your leadership team will find some time and budget to help out when you share this.
2. Author and publish your recruitment data privacy statement
Once you’ve completed your audit and made some decisions about your data policies, it’s time to draft your recruitment data privacy statement. This needs to be written in plain English (not legalese) and a link to it will be shown to job seekers when they apply to your jobs and emailed to the candidates you source through other means.
While you definitely need to enlist the help of professionals to draft this statement, it's important that you thoroughly understand what it says and means as every job seeker is going to see it … and they’ll likely have questions.
This statement is effectively part of your company's candidate experience… so try to keep it helpful, simple and clear. You can learn more about individual privacy rights and your company’s obligations in our GDPR summary article here >>
Finally, once you have your statement locked in, make sure it gets published on your company website and that you know where it is!
3. Ensure you notify job applicants about what you are doing
When you activate the GDPR compliance feature in JobScore we'll prompt you to include a link to the page where you published your recruitment data privacy statement on your company’s website.
Once you activate the GDPR compliance feature a link to your agreement will be shown on all of your job application forms where you collect information from candidates -- and we'll record that they were notified - easy peasy!
4. Update your sourcing practices to be GDPR compliant
The GDPR requires that you notify people who don’t apply (everyone you otherwise source) about your data practices within 30 days.
When you activate the JobScore GDPR compliance feature a link to your recruitment data privacy statement will be included in the footer of the first email you send to candidates you add to your account who reside in the European Union. This will work for any email sent through the system so you can get as creative as you want with your outreach email templates.
To make life even easier, if you add or edit a candidate who resides in the EU who hasn't been notified, we'll remind you to email the candidate. All that said, you need to click to send an email or you may find that they've been erased after you activate the feature.
5. Update your job application forms
Your recruitment data privacy statement will need to explicitly cover what data you are collecting from job applicants and why. Once this is set, go through the job application forms you've set up in JobScore, including your custom questions, to make sure you are only asking for data that you need and is that is covered by your recruitment data privacy statement. If you have added custom questions, take care to review and confirm that you're not asking for personal identifiers or "special categories" of personal data per GDPR Article 9 ("ethnic origin, political opinions, religious or philosophical beliefs" and so on).
6. Follow your own data retention policy
As part of your recruiting data privacy statement you will need to define your data retention policy - or, how long you intend to keep recruiting data.
When you activate the JobScore GDPR compliance feature you'll be able to choose the # of months you want to keep data before it's erased. Make sure this matches what you include in your recruitment data privacy statement and you are good to go.
7. Create procedures to handle individual privacy requests
GDPR gives individuals the right to ask for copies of their data, request changes to it or delete their personal information. Make sure your company sets up a place where individuals can make these requests, and procedures to review and execute them.
Many of these requests will require accessing JobScore and many other systems at your company - ensure that the person in charge knows what to do, where to get what they need, and how to keep data in JobScore up to date.
Most requests will require looking up candidate records, editing them or clicking the download button to gather a copy of the candidate's information to send them on access and rectification requests.