The GDPR ready-to-roll hiring guide.

You may have heard about the new General Data Protection Regulation (GDPR) that comes into effect May 25th 2018. It’s a positive move that allows candidates to have more control over their data.

What is the GDPR

Read this section if you're new to the GDPR and want to understand the GDPR in general, its definitions and key principles.

The GDPR explained

In essence, the GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.

The GDPR (General Data Protection Regulation) is an important piece of legislation designed to strengthen and unify data protection law for all individuals within the European Union. The regulation becomes effective and enforceable on 25 May 2018.

Please note that if you are a company outside the EU, you should still be aware of this. The GDPR applies to any organisation established in the EU, and also (under Article 3) to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of whether the organisation has a physical presence in the EU.

In more detail, the GDPR regulates the processing of personal data about individuals in the European Union, including its collection, storage, transfer and use. The concept of personal data is very broad. Personal data means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The GDPR gives Data Subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.

Legal side note

Please take into consideration that while we have worked on this with experts in the privacy field, we are not lawyers. This is why the information in this article should not be construed as legal advice. However, we do want you to know that we fully understand the new regulations and are committed to helping you achieve compliance. Please note that in this guide the scope of the GDPR will mostly be limited to recruitment and hiring.

GDPR definitions

🙋‍♀️   Data Subject
A natural person whose personal data is processed by a controller or processor.
🏭   Data Controller
The entity that determines the purposes, conditions and means of the processing of personal data.
🚡   Data Processor
The entity that processes data on behalf of the Data Controller.
🕵️‍♂️   Data Protection Officer
An expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.
📜   Data Processing Agreement
Contract, required by GDPR Article 28, that governs the processing of personal data by a data processor on behalf of a data controller.
👮‍♀️   Data Protection Authority
Independent national authority tasked with the protection of data and privacy as well as monitoring the enforcement of the GDPR within the EU.
✍️   Privacy by Design
A principle that calls for data protection to be built in from the outset when designing systems or business processes, rather than added as an afterthought.
📃   Privacy Impact Assessment
A tool used to identify and reduce privacy risks by analysing the personal data that is processed and the policies in place to protect that data. The GDPR (Article 35) calls this a Data Protection Impact Assessment (DPIA).

Definitions in regard to recruitment

🙋   Data Subjects: Candidates
Persons who apply for employment with your company, or persons your company would like to consider or approach for employment.
🏭   Data Controllers: That’s you
Homerun customers who determine the purpose of the personal data that is being processed.
🚡   Data Processors: That’s us
Homerun, we process the personal data on behalf of you, our customer (the data controller).

6 Key Principles of the GDPR

These 6 privacy principles form the fundamental conditions that organisations must follow when collecting, processing and managing the personal data of individuals in the EU. Article 5 of the GDPR lists these six and adds a seventh, accountability: the controller must be able to demonstrate compliance with them.

1. Lawful, fair and transparent processing

This principle emphasises transparency towards data subjects in the EU. When you are collecting personal data, it must be clear why you are collecting this data and in what way it will be used. This is why, to remain transparent, you should state what type of data you collect, and the reason for collecting it, in your privacy statement. A privacy statement is intended to inform data subjects. It should be short, understandable, transparent and easily accessible.

2. Purpose limitation

This principle is about collecting data for a specific purpose. Only collect data for a legitimate reason, and then only use that data for that purpose.

3. Data minimization

This principle is about ensuring that you only store the minimum amount of data you need in order to achieve your processing purpose. In short, you should store as little personal data as possible.

4. Accuracy

This principle is about making sure that the information you store is valid, complete and still serves a purpose. You are obliged to actively maintain your database and to take every reasonable step to erase or correct inaccurate personal data.

5. Storage limitation

This principle limits how long your data is stored. In short, you need to delete data that is no longer necessary for you to have. Because it is rarely obvious up front how long data will be needed, you should define a clear data retention policy and apply it consistently.

6. Integrity and Confidentiality

This principle deals with security. You must ensure that adequate measures are being taken to protect personal data. In more detail, your data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Homerun and GDPR

Homerun makes it easier for you to comply with the GDPR. This section shares our roadmap, information security policy and privacy whitepaper.

Homerun's GDPR Roadmap

Homerun is fully committed to helping our customers achieve compliance with the GDPR. This roadmap shares an insight into what we've done and are planning to do.

  • Internal GDPR team (Completed)
    Set up an internal team dedicated to the GDPR and work with an external team of privacy experts to perform an Information Security Risk Assessment.
  • Extensive GDPR research (Completed)
    Perform extensive research into all areas of our product and business that are impacted by the GDPR.
  • Update Terms of Service (Completed)
    Update our Terms of Service according to the new regulations.
  • Update Privacy Statement (Completed)
    Update our Privacy Statement according to the new regulations.
  • Develop Privacy Whitepaper (Completed)
    Develop a Privacy Whitepaper that describes the personal data processing by the Homerun software.
  • Set up Data Processing Agreement (Completed)
    Set up a Data Processing Agreement (DPA) that is fully compliant with the new regulations.
  • GDPR product update strategy (Completed)
    Develop a strategy and roadmap to perform the necessary changes to our product.
  • Implement product updates (Completed)
    Implement the necessary changes and improvements in our product based on the requirements. Learn more here.
  • Communicate GDPR updates to customers (Completed)
    Communicate the most important changes and improvements to our customers.
  • Implement advanced data retention (In progress)
    Implement advanced data retention features in order to make this process easier for our customers.
  • More GDPR educational content (In progress)
    Publish more GDPR related educational content for our customers.

Information security policy

Homerun’s Information Security Policy is a set of policies issued to ensure that all users within the organisation or its networks comply with rules and guidelines related to the security of the information stored digitally at any point. Homerun’s Information Security Policy can be found here:

Privacy whitepaper

Homerun’s Privacy Whitepaper describes the personal data processing by the Homerun software. Homerun’s Privacy Whitepaper can be found here:

Actionable GDPR hiring tips

Read this section if you want actionable tips and advice on what you can do to get GDPR ready.

Candidate data retention

Because of the GDPR you are no longer allowed to store candidate data indefinitely. This is why, as the controller, you are responsible for deciding how long you want to keep the personal data.

For inspiration, you may want to have a look at section 5.3 of the Recruitment Code of the Dutch Association for Personnel Management and Organizational Development (NVP), which can be found here (Dutch) or here (English).

Start by defining a retention period for your company first. You can then enforce your retention policy by regularly deleting personal data in bulk through the Homerun customer portal using date filters. We intend to extend and automate this process further in the future.

Your retention period determines how long you store the profiles of your candidates. The period starts on the day a candidate applies and ends on the day the period you have defined expires. After that day you should delete the candidate's profile, or ask their permission to keep their data for another period of time determined by you.
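The retention rule above (period starts on the application date; at expiry either delete or keep only with fresh consent) is simple to state but easy to get wrong in bulk. The following is an added example, not Homerun's own code or API, of how a hiring team could evaluate its candidate records against such a policy before running the bulk deletion. The profile fields, the 28-day retention period, the 14-day warning window and the sample candidates are all assumptions constructed for illustration; a deletion request from the candidate always wins, and a consent extension only matters if it ends later than the original retention period.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy values (not from the page): keep a profile 28 days after the
# application date, and ask for consent to keep it during the last 14 days.
RETENTION_DAYS = 28
WARNING_DAYS = 14


@dataclass
class CandidateProfile:
    """Hypothetical record shape; a real ATS export will differ."""
    candidate_id: str
    applied_on: date
    consent_extended_until: Optional[date] = None  # set when the candidate agreed to a longer period
    deletion_requested: bool = False               # candidate asked to be removed (right to erasure)


def expiry_date(profile: CandidateProfile, retention_days: int = RETENTION_DAYS) -> date:
    """Day on which the profile must be gone unless consent extends it."""
    base = profile.applied_on + timedelta(days=retention_days)
    ext = profile.consent_extended_until
    # An extension that ends before the normal expiry does not shorten retention.
    if ext is not None and ext > base:
        return ext
    return base


def classify(profile: CandidateProfile, today: date,
             retention_days: int = RETENTION_DAYS, warning_days: int = WARNING_DAYS) -> str:
    """Return 'delete', 'ask_consent' or 'keep' for one profile on a given day."""
    if profile.deletion_requested:
        return "delete"  # erasure request overrides any retention period
    expiry = expiry_date(profile, retention_days)
    if today >= expiry:
        return "delete"
    if today >= expiry - timedelta(days=warning_days):
        return "ask_consent"  # still within the period, but consent is needed to keep it longer
    return "keep"


def retention_report(profiles: List[CandidateProfile], today: date,
                     retention_days: int = RETENTION_DAYS,
                     warning_days: int = WARNING_DAYS) -> Dict[str, List[str]]:
    """Group candidate ids by the action the policy requires today."""
    report: Dict[str, List[str]] = {"delete": [], "ask_consent": [], "keep": []}
    for p in profiles:
        report[classify(p, today, retention_days, warning_days)].append(p.candidate_id)
    return report


# Constructed sample data; evaluated as of 1 June 2018.
SAMPLE_TODAY = date(2018, 6, 1)
SAMPLE_PROFILES = [
    CandidateProfile("A", date(2018, 4, 1)),                                   # long expired
    CandidateProfile("B", date(2018, 5, 20)),                                  # fresh application
    CandidateProfile("C", date(2018, 5, 10)),                                  # expires 7 June
    CandidateProfile("D", date(2018, 3, 1), consent_extended_until=date(2018, 9, 1)),
    CandidateProfile("E", date(2018, 5, 25), deletion_requested=True),
    CandidateProfile("F", date(2018, 4, 20), consent_extended_until=date(2018, 5, 1)),  # useless extension
]

if __name__ == "__main__":
    for action, ids in retention_report(SAMPLE_PROFILES, SAMPLE_TODAY).items():
        print(f"{action}: {', '.join(ids) or '-'}")
```

Run this against an export of your candidate list (mapped into the profile shape above) before each clean-up round; the "ask_consent" bucket is the list of people to e-mail for permission, and the "delete" bucket is what to remove in bulk.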

Candidate sourcing

When you, a colleague or a recruiter are sourcing candidates (adding a potential candidate to Homerun), their data is not collected directly from the candidate, but typically from a different source such as LinkedIn, Twitter, Dribbble, Facebook or GitHub.

GDPR Article 14 sets out what information your organisation must provide to a person whose personal data was not obtained from them directly.

We suggest that your company creates an email template containing the information listed below and uses it to contact sourced candidates within a reasonable time, and at the latest within one month after adding them to Homerun. This way you can ensure that you have the right process in place. If a candidate asks to be deleted, you should remove all the information you gathered about them from Homerun.

  • The name and contact details of your organisation
  • The source from which the data was obtained and whether it came from a public source
  • The purposes for which the data is intended
  • A link to your privacy statement for recruitment
  • How long your organisation intends to store the candidate data
  • How candidates can withdraw their consent to the processing of their personal data
  • How candidates can request corrections or access to their data, or ask for it to be deleted from your system
  • Who candidates should contact should they want to lodge a complaint regarding the processing of their personal data. This could be your Data Protection Officer in case your company is required to have one (GDPR Article 37).

Privacy statements for career sites

Your career site will need a privacy statement to comply with the GDPR. Since you are collecting candidate data through your career site, you need to publish your privacy practices there as well. The statement should be short, understandable, transparent and easily accessible. For inspiration, please have a look at our own Jobs website Privacy Statement.

Delivery and Responsibilities

Homerun is a standardised platform in the form of Software as a Service (SaaS). The following overview clarifies the responsibilities of Homerun and its customers:

Customer
  • Configure the software to your needs
  • Manage job applications
  • Interact with candidates
  • Manage users

Homerun
  • Decide on the features of the software
  • Decide on technical implementation (code, systems)
  • Develop and maintain the software
  • Host the software
  • Provide support

Your Responsibility as a Homerun customer

You decide which data you collect from or about candidates. Personal data is then collected either by candidates filling out the application form (which you have customised to include certain fields or questions), by the hiring team manually adding a candidate (sourcing), or by the hiring team interacting with the candidate through (free-form) email via the Homerun platform. Ultimately, as data controller, the responsibility for compliance rests with you.

Privacy by Design and Privacy by Default

We develop our services using the Privacy by Design and Privacy by Default philosophies. This means we consider privacy and personal data protection throughout all parts of our product development lifecycle. Our services are designed to limit personal data collection by default, requiring you, as our customer, to explicitly enable features that collect more information.

More questions?

Any questions about how Homerun can help your company achieve compliance with the GDPR? Send us a message at privacy@homerun.co