You may have heard about the General Data Protection Regulation (GDPR) that came into effect May 25th 2018. It’s a positive move that allows candidates to have more control over their data.
Read this section if you're new to the GDPR and want to understand the GDPR in general, its definitions and key principles.
In essence, the GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
The GDPR (General Data Protection Regulation) is a piece of EU legislation designed to strengthen and unify data protection law for all individuals within the European Union. It became applicable and enforceable on 25 May 2018.
Please note, if you are a company outside the EU, you should still be aware of this. The provisions of the GDPR apply to any organization that processes personal data of individuals in the European Union, regardless of whether the organization has a physical presence in the EU.
In more detail, the GDPR regulates the processing of personal data about individuals in the European Union, including its collection, storage, transfer or use. The concept of personal data is very broad. Personal data means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The GDPR gives Data Subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.
Curious how to be GDPR compliant while hiring with Homerun?
We wrote an article about that, explaining how being compliant is simpler than you think.
Homerun is full force, beautifully designed recruitment software for companies that care about brand, culture, and personal data. Customers include The Next Web, TBWA/NEBOKO and Geckoboard.
Please take into consideration that while we have worked on this with experts in the privacy field, we are not lawyers. This is why the information in this article should not be construed as legal advice. However, we do want you to know that we fully understand the new regulations and are committed to helping you achieve compliance. Please note that in this guide the scope of the GDPR will mostly be limited to recruitment and hiring.
Data subject: A natural person whose personal data is processed by a controller or processor.
Data controller: The entity that determines the purposes, conditions and means of the processing of personal data.
Data processor: The entity that processes personal data on behalf of the data controller.
Data protection officer (DPO): An expert on data privacy who works independently to ensure that an entity adheres to the policies and procedures set out in the GDPR.
Data processing agreement: Legal document that governs the sharing of personal data between a data controller and a data processor.
Supervisory authority: Independent national authority tasked with the protection of data and privacy as well as monitoring the enforcement of the GDPR within the EU.
Privacy by design: A principle that calls for data protection to be built in from the outset when designing systems or business processes, rather than added afterwards.
Data protection impact assessment (DPIA): A tool used to identify and reduce privacy risks by analysing the personal data that is processed and the policies in place to protect it.
Candidates (in the context of Homerun): Persons who apply for employment with your company, or persons your company would like to consider or approach for employment.
Data controller (in the context of Homerun): Homerun customers, who determine the purpose of the personal data that is being processed.
Data processor (in the context of Homerun): Homerun; we process the personal data on behalf of you, our customer (the data controller).
These six privacy principles are the fundamental conditions organisations must follow when collecting, processing and managing the personal data of individuals in the EU.
Lawfulness, fairness and transparency: This principle emphasizes transparency towards data subjects in the EU. When you collect personal data it must be clear why you are collecting it and how it will be used. To remain transparent, state in your privacy statement what types of data you collect and the reason for collecting them. A privacy statement is intended to inform data subjects; it should be short, understandable, transparent and easily accessible.
Purpose limitation: Collect data only for a specific, legitimate purpose, and then use that data only for that purpose.
Data minimisation: Store only the minimum amount of personal data you need in order to achieve your processing purpose. In short, store as little personal data as possible.
Accuracy: Make sure that the information you store is correct, complete and still serves a purpose. You are obliged to actively maintain your database and to take every reasonable step to erase or rectify inaccurate personal data without delay.
Storage limitation: This principle limits how, and for how long, data is stored. In short, delete data that is no longer necessary for you to have. Because it is rarely obvious up front how long data will be needed, define clear retention policies rather than keeping data indefinitely.
Integrity and confidentiality: This principle deals with security. You must ensure that adequate measures are taken to protect personal data. In more detail, personal data must be processed in a manner that ensures its appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Read this section if you want actionable tips and advice on what you can do to get GDPR ready.
Under the GDPR you are no longer allowed to store candidate data indefinitely. As the controller, you are responsible for deciding how long you keep the personal data.
For inspiration, you may want to have a look at section 5.3 of the Recruitment Code of the Dutch Association for Personnel Management and Organizational Development (NVP), which is published in Dutch and in English.
Start by defining a retention period for your company first. You can then enforce your retention policy by regularly deleting personal data in bulk through the Homerun customer portal using date filters. We intend to extend and automate this process further in the future.
Your retention period determines how long you store the profiles of your candidates. The period starts on the day a candidate applies and ends on the day the period you have defined expires. After that day you should delete the candidate's profile, or ask their permission to keep the data for a further period that you define.
When someone actively applies to one of your job openings, it can be argued that by doing so the candidate has taken a clear affirmative action indicating consent to the processing of their personal data. Consent is not the only lawful basis available for recruitment (many organisations rely on legitimate interest or on steps taken at the candidate's request prior to entering into a contract, Article 6(1)(b)), but if you want to be sure you have explicit consent you can use Homerun's consent checkbox feature to let candidates know for what purpose and for how long you plan to store their personal data. Be aware that even where you do not need explicit consent to store their data, you should always share your privacy statement with them.
When you, a colleague or a recruiter are sourcing candidates (adding a potential candidate to Homerun), their data is not collected directly from the candidate but typically from a different source such as LinkedIn, Twitter, Dribbble, Facebook or GitHub.
GDPR Article 14 sets out in detail what information your organisation must provide to people whose personal data was not obtained from them directly.
We suggest that your company creates an email template containing the information Article 14 requires (who you are, what data you hold and where it came from, why and on what legal basis you process it, how long you keep it, and the candidate's rights, including the right to object) and uses it to contact candidates within a reasonable time: at the latest within one month after adding them to Homerun, or at your first contact with them if that comes sooner. This way you can ensure that you have the right process in place. If a candidate asks to be deleted you should remove all the information you gathered about them from Homerun.
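To make the retention period described above, and the one-month deadline for informing sourced candidates, concrete, here is an added Python example. It is not Homerun's code or a Homerun feature; it shows the decision logic a hiring team could run over an export of candidate records. The 90-day retention period, the 7-day renewal window, the reading of "one month" as 30 days, and the sample records are all assumptions for illustration, not values prescribed by the GDPR, the NVP code or Homerun.

```python
"""Retention-policy check for candidate records (illustrative example, not Homerun code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Candidate:
    name: str
    applied_on: date                      # day the candidate applied, or was added by sourcing
    sourced: bool = False                 # data came from a third party, so Article 14 applies
    informed_on: Optional[date] = None    # day the Article 14 notice was sent, if ever
    consent_until: Optional[date] = None  # candidate agreed to a longer retention, until this day


# Assumed company policy values (not prescribed by the GDPR, the NVP code or Homerun).
RETENTION = timedelta(days=90)        # keep a profile 90 days from the application date
RENEWAL_WINDOW = timedelta(days=7)    # ask for renewed consent this long before expiry
NOTICE_DEADLINE = timedelta(days=30)  # Article 14 "at the latest within one month", taken as 30 days


def retention_end(c: Candidate, retention: timedelta = RETENTION) -> date:
    """Last day the profile may be kept: the policy period, or a later date the candidate consented to."""
    end = c.applied_on + retention
    if c.consent_until is not None and c.consent_until > end:
        end = c.consent_until
    return end


def retention_action(c: Candidate, today: date,
                     retention: timedelta = RETENTION,
                     window: timedelta = RENEWAL_WINDOW) -> str:
    """'delete' once the period has passed, 'ask_consent' shortly before it, otherwise 'keep'."""
    end = retention_end(c, retention)
    if today > end:
        return "delete"
    if today >= end - window:
        return "ask_consent"
    return "keep"


def notice_overdue(c: Candidate, today: date, deadline: timedelta = NOTICE_DEADLINE) -> bool:
    """True for a sourced candidate who has still not been informed after the Article 14 deadline."""
    if not c.sourced or c.informed_on is not None:
        return False
    return today > c.applied_on + deadline


def run_retention(candidates, today: date, retention: timedelta = RETENTION) -> dict:
    """Group candidate names by the action the policy requires today."""
    report = {"delete": [], "ask_consent": [], "keep": [], "notice_overdue": []}
    for c in candidates:
        report[retention_action(c, today, retention)].append(c.name)
        if notice_overdue(c, today):
            report["notice_overdue"].append(c.name)
    return report


# Constructed sample records for the demonstration (not real candidates).
SAMPLE = [
    Candidate("applicant-expired", date(2018, 4, 1)),                                    # 90 days passed
    Candidate("applicant-renewed", date(2018, 4, 1), consent_until=date(2018, 12, 1)),   # agreed to keep until December
    Candidate("applicant-recent", date(2018, 7, 10)),                                    # applied a few days ago
    Candidate("applicant-expiring", date(2018, 4, 20)),                                  # expires on 19 July
    Candidate("sourced-uninformed", date(2018, 6, 5), sourced=True),                     # added from a third party, never told
    Candidate("sourced-informed", date(2018, 6, 5), sourced=True, informed_on=date(2018, 6, 12)),
]
TODAY = date(2018, 7, 15)  # fixed "today" so the sample is reproducible

if __name__ == "__main__":
    for action, names in run_retention(SAMPLE, TODAY).items():
        print(f"{action}: {names}")
```

Note that an uninformed sourced candidate is flagged separately from the retention decision: under a long retention period the record may still be within policy while the Article 14 notice is already overdue, so the two checks must not be collapsed into one.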
Your career page will need a privacy statement to comply with the GDPR. Since you are collecting candidate data through your career page, you need to publish your privacy practices there as well. The statement should be short, understandable, transparent and easily accessible. For inspiration, please have a look at the Privacy Statement on our own Jobs website.
Homerun is a standardised platform in the form of Software as a Service (SaaS). The following overview clarifies the responsibilities of Homerun and its customers:
You decide for yourself which data you collect from or about candidates. Personal data is then collected either by candidates filling out the application form (which you have customised to include certain fields or questions), by the hiring team manually adding a candidate (sourcing), or by the hiring team interacting with the candidate through (free-form) email via the Homerun platform. Ultimately, as data controller, the responsibility for compliance rests with you.
We develop our services using the Privacy by Design and Privacy by Default philosophies. This means we consider privacy and personal data protection throughout all parts of our product development lifecycle. Our services are designed to limit personal data collection by default, requiring you, as our customer, to explicitly enable features that collect more information.
Any questions about how Homerun can help your company achieve compliance with the GDPR? Send us a message at firstname.lastname@example.org