Jobvite & GDPR: Complete, Compliant Recruiting

GDPR compliance graphic

You’ve probably noticed a recent flurry of training, webinars, and communications from Jobvite focusing on GDPR–or the General Data Protection Regulation. The GDPR is a regulation within European law covering data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the Europe Union. And if you think GDPR doesn’t pertain to you, you’re probably wrong. Any recruiter, company, or recruiting organization doing business in or working with candidates from the European Union must be compliant with this law by May 25, 2018, or risk significant penalties and fines for non-compliance. At Jobvite we’ve spent a lot of time working to ensure your recruiting team can manage GDPR compliance related to your recruiting and hiring in accordance with the deadline. We have made the necessary updates to our application, tools, and services to give you confidence that you are compliant when using Jobvite technology to recruit and hire candidates from the EU. Check out the information below to see what we’ve been doing and how Jobvite helps you stay compliant. Here’s what you’ll find in this post:

  • First, we’re summarizing recent product enhancements and pointing you to specific Articles within the GDPR law that pertain to those updates. Be sure you read them through and understand how Jobvite has adapted our technology to help you meet the requirements.
  • Second, we’re providing some deeper insight into why consent is required and not optional
  • Finally, we’re giving a quick update on Jobvite compliance as your data processor, which is also part of the GDPR.

Our GDPR updates in a nutshell…

In keeping with new GDPR standards, Jobvite has updated our platform to enable the following new features:

  • Post privacy policies customizable for each region or organization
  • Obtain and record consent with customizable consent forms​
  • Customize data retention period​
  • Seek consent for historical data
  • Delete candidate information​
  • Reporting​

It all starts with consent

Under the GDPR, the processing of personal data must be lawful based upon the definitions and guidance found in GDPR Article 6. You may have heard from some recruiting software providers that recruiters and employers don’t need to obtain explicit consent from data subjects (i.e., candidates), but Jobvite Privacy has done the research and has found that it’s not optional. If you want more information on the topic of consent, read our white paper Is Consent Required? for more information. After reviewing the options for ensuring Lawful Processing under Article 6, it’s obvious that a candidate has to explicitly give an organization permission to obtain and process their personal information. Personal information includes things like resumes, offer letters, and other documents related to the recruiting and hiring process. The requirements for when to obtain consent, how to obtain consent, and conditions for consent can be reviewed in Articles 6 and 7 and specified further in Recitals 32, 33, 42, and 43. In general, the requirements state that consent must be voluntarily granted, through a true choice, after sufficient information is clearly communicated to the person involved. In addition, the consent must be bound to one or several specific purposes which are then sufficiently explained in the consent document or page. Should the consent be intended to legitimize the processing of special personal data, it must expressly refer to this. The person impacted must, in all cases, have a clear explanation of the ability to retract his consent. Bottom line: No misleading questions, statements or tricks. Jobvite is now making the consent process easy and convenient for both recruiting organizations and potential candidates. We’ve updated our products with highly customizable consent forms and privacy notices that can be configured to meet the custom fields and language requirements of different regions or countries. When a Jobvite customer configures consent as part of the apply process, consent is recorded and can be produced via the Reporting function – which is a key function as the Controller is required to demonstrate that consent was obtained, i.e. produce a report. The reports can then be used to respond to internal compliance audits, external audits, data subject requests, and requests from the Data Authority. The same function is true for data subject deletion requests; when a data subject (i.e., candidate) requests deletion of their personal data and the controller complies with the request by deleting the data, the deletion is recorded (with date and time stamp) and is then available via the Reporting function. One of the most asked question from our customers pertains to how long they should retain candidates’ personal information. The specifics are up to you–but we suggest you refer to Recital 39 – Principles of Data Processing for help in determining what works best for your organization. Most companies will want to ensure that no personal data is kept longer than necessary, particularly if it’s in a form that can identify the data subject, and time limits should be established by the controller for erasure or for a periodic review. Jobvite GDPR capabilities make this a straightforward process for our users by enabling them to configure automatic data deletion or anonymization based upon your organization’s specific policies and defined retention period.

We take data processing seriously

GDPR Article 24, Responsibility of the Controller, states: “The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” This means that the choice of Data Processor (Jobvite) is very important in demonstrating end-to-end compliance for the data flow and lifetimes. Partnering with Jobvite will ensure that you, the Controller, are able to demonstrate that the processing of your data is compliant with GDPR’s other privacy laws. Jobvite will soon make available the required Article 30 Reporting for our customers in order to provide transparency around the security, management, and storage of your organization’s personal data.

What’s next?

Processors are required, under Article 30 – Records of Processing Activity, to maintain a record of all categories of processing activities carried out on behalf of a controller. The reporting must contain information about the processor organization, the categories of processing carried out on behalf of each controller; information related to transfers of personal data to a third country, documentation of safeguards; and, where possible, a general description of the technical and organizational security measures as is referred to in Article 32(1).This documentation will be made available to our customers well before the May 25th compliance deadline. We’ve also requested feedback from current customers as they use the new GDPR enhancements, in order that we can use it to drive a customer-focused roadmap for our platform and tools. We’re committed, as always, to delivering the tools that today’s top talent professionals need most–not only to recruit and hire superstars, but to be able to recruit from any corner of the globe without concern about compliance. Check back in the coming weeks for more updates and refinements related to GDPR and privacy. Click here to learn more about GDPR and Jobvite.