By now, you’ve no doubt read about the European Union’s far-reaching General Data Protection Regulation (GDPR) effective May 25, and researched whether and how it affects your Talent Acquisition technology and activities.
GDPR follows up on a 1995 directive (95/46/EC) of the European Parliament that sought to protect individuals’ data and govern the flow of data between EU member states and other countries with lower standards of data protection and privacy. That directive has guided how recruiters acquire talent in the EU by ensuring consumer protections for candidates and applicants, while also giving companies who outsource some or all recruitment functions a common framework to structure agreements and their roles.
Now, the EU is seeking to harmonize data laws across its member states and catch up with decades of technological progress. GDPR doesn’t drastically change the terms used in 95/46/EC – Data Controller and Data Processor remain the main roles most in the recruiting industry will fit into – but GDPR does alter processes, organizational structures, and consumer protections in a few major ways.
Who it Applies To
A key point to remember is that, while GDPR protections apply to anyone within a European Union member state who has their data collected or processed, the protections must be followed by any Data Controller or Processor regardless of where they are. If that sounds pretty broad to you, you’re not alone.
To appreciate GDPR’s broad territorial scope, consider a small but web-savvy ice cream shop in Salt Lake City, Utah, hiring for their seasonal rush. Their sophisticated careers page personalizes visitors’ experiences based on their browsing habits on the site, and remarkets to them through ad networks like Google’s.
If people in the EU start browsing the site, having their data collected, or submitting info so they can receive alerts on new openings, then that ice cream shop could be considered subject to the GDPR. In practice, it’s not clear how this could be enforced for a small employer in middle America, but for Data Controllers and Processors with operations in the EU, it’s clearer.
GDPR has teeth, setting fines as high as €20 million or 4 percent of your company’s worldwide revenue, whichever is higher.
Rights of a Data Subject
To evaluate whether and how you must comply with GDPR, it’s important to know what a person in an EU member state whose personal data is processed (the Data Subject) can do after submitting their data to a controller or processor. They have:
- Right of Access – Ask a Data Controller to confirm whether or not data concerning the data subject is being processed, and what data is being processed.
- Right to Rectification – Have any incorrect data concerning them amended.
- Right to be Forgotten – Request that their data be deleted from the controller’s systems.
- Right to Restrict Processing – Require the controller to stop processing their data in certain ways or at all.
- Right to Portability – Request readable copies of their personal data held by a controller.
- Right to Object – At any time, fully revoke consent for processing, such as unsubscribing from email alerts for new job opportunities.
Effects on Recruiting
These extensive rights mean that recruiters and their IT and legal colleagues must ensure that their procedures and technology allow each of them to be exercised.
Although GDPR’s security provision, like most of the regulation, is non-prescriptive, it does require that the level of security protecting the data is appropriate to the risks a Data Subject would face if the data were destroyed, lost, stolen, compromised or otherwise made unavailable by an incident. A Data Protection Impact Assessment (DPIA) is a great tool for understanding where risks might lie across the entire lifecycle of personal data held by a controller or processor, and should help push security into the design phase of your offerings.
Information gathered before May 25, 2018, that was not collected in a GDPR-compliant manner should not be used after May 25. As a result, many companies operating email subscription services have been proactively reaching out to their subscribers, requiring them to opt in again to continue the services, while other companies have adopted double opt-in and other mechanisms to obtain informed consent for future email marketing that complies with GDPR.
New Organizational Measures May Be Needed
Beyond technology, your organization will likely need to put several organizational measures in place.
- A Data Protection Officer (DPO) must be appointed if the controller or processor engages in large-scale monitoring of data subjects within the EU. This person must have the ability to act without any conflicts of interest. The wording is quite vague on what constitutes “large-scale” monitoring of data subjects, so some companies have instead elected to simply have an EU representative, either a person or an organization, respond to any requests by the Data Protection Authorities or complaints by Data Subjects.
- A Data Protection Impact Assessment is a way to assess the risks, justifications and overall processing of personal data. Each distinct processing activity must be assessed so the company can affirmatively acknowledge they offer adequate protections or identify gaps for remediation. A DPIA should be completed any time a processing activity changes, and at least every 3 years.
- With heavy fines and a potential influx of Data Subjects exercising their rights under GDPR, having a process in place to receive and fulfill Subject Access Requests will be crucial after May 25. You will have 30 days to respond to a request by a Data Subject, and it’s acceptable to inform them within that window that fulfilling their request will take more than 30 days.
- GDPR also requires that all relationships between companies processing data must meet GDPR requirements. The EU Model Clauses have served as the standard for transferring data out of the EU for processing to companies in the U.S., but there are several gaps between those documents and GDPR. Each company with subprocessor or client agreements that concern processed personal data should assess whether they need to modify their agreements to include provisions not defined in the Model Clauses, including coordination when a processor suffers a data breach or receives a subject access request.
GDPR doesn’t make it clear who is ultimately responsible for ensuring a processing activity is governed by a GDPR-compliant agreement, so all parties should be proactive in their assessments with their subprocessors and clients.
GDPR specifies a 72-hour window for reporting a data breach to the relevant authorities in EU member states once a controller becomes aware of it. If a breach is not reported within this window, the reasons for the delay must also be communicated. This means companies need to coordinate with their processors and contractors to ensure they can meet these obligations.