GDPR Compliance & Jobvite

What is GDPR?

The EU regulations are aimed at strengthening protections for the personal data of EU citizens and took effect on May 25, 2018. The regulations impact organizations that have establishments in the European Union and/or do business in the EU.


Candidate Access and Rectification

GDPR requires that the data subject have the right to know whether the data controller is processing their personal data, and that the data subject have access to that data.

Don’t Forget to:

  • Establish processes across your company on how to manage candidate requests to be forgotten

Check that your Recruiting Platform (Data Processor) can:

  • Collect and retain only the necessary data
  • Have the ability to process any ad hoc “Right to Be Forgotten” requests from candidates

Deleting and Retaining Data

GDPR requires that the data controller (you) respond to a request from an individual to edit or delete their personal data in your database.

Don’t Forget to:

  • Develop your company’s method for how and where applicants and contacts will submit their requests to access, rectify, or forget their personal data

Check that your Recruiting Platform (Data Processor) can:

  • Choose to delete or anonymize candidate data when no longer legally required, based on your organisation’s preferences and processes
  • Anonymize candidate/applicant data, so that it’s no longer subject to GDPR but doesn’t distort reporting
  • Create and publish as many retention policies as are necessary, i.e. for different locations
  • Schedule deletions or re-seek collecting consent
  • Automatically display the expiration date of your applicants

Collecting Consent

GDPR requires companies to have a legal basis for collecting and processing any personal data obtained in or from the EU.

Don’t Forget to:

  • Develop your company’s messaging for all the necessary countries and/or languages
  • Define your company’s data retention and privacy policies
  • Determine how your company needs to turn on active GDPR consent, for example, by clicking “I agree” during the apply process
  • Collect consent from applicants and contacts in your database

Check that your Recruiting Platform (Data Processor) can:

  • Obtain unambiguous consent from your applicants, contacts, and new hires to process and retain their data
  • Clearly inform candidates of the purpose of collecting their data and inform them of their rights to their data
  • Automatically turn collecting consent on/off, determined by their noted location
  • Log the action associated with collecting consent

Reporting and Auditing

GDPR requires that the data controller maintain proper records of data processing and notify data subjects of any breach no later than 72 hours after having become aware of it.

Don’t Forget to:

  • Schedule regular reviews of your Compliance reporting
  • Agree on processes to review and re-seek collecting consent, if applicable

Check that your Recruiting Platform (Data Processor) can:

  • Show records of the timestamp of consent
  • Show that consent was collected across your recruiting platform, from your ATS to sourcing efforts to your onboarding portal
  • Show when future deletions are set to occur or show a record of past deletions

 
