GDPR Compliance & Jobvite
What is GDPR?
The EU regulations are aimed at strengthening protections for personal data for EU citizens and took effect on May 25, 2018. The regulations impact organizations that have establishments in the European Union and/or does business in the EU.
Candidate Access and Rectification
GDPR regulations require the data subject has the right to know if the data controller is processing their personal data and requires that the data subject have access.
Don’t Forget to:
- Establish processes across your company on how to manage candidate requests to be forgotten
Check that your Recruiting Platform (Data Processor) can:
- Collect and retain only the necessary data
- Have the ability to process any ad hoc “Right to Be Forgotten” requests from candidates
Deleting and Retaining Data
GDPR requires that the data controller (you) must respond to a request from an individual to edit/delete their personal data from your database.
Don’t Forget to:
- Develop your company’s method for how and where applicants and contacts will submit their request to
access, rectify, or forget their personal data
Check that your Recruiting Platform (Data Processor) can:
- Choose to delete or anonymize candidate data when no longer legally required, based on your organisation’s preferences and processes
- Anonymize candidate/applicant data, so that it’s no longer subject to GDPR but doesn’t distort reporting
- Create and publish as many retention policies as are necessary, i.e. for different locations
- Schedule deletions or re-seek collecting consent
- Automatically display the expiration date of your applicants
Collecting Consent
GDPR requires companies to have a legal basis for collecting and processing any personal data obtained in or
from the EU.
Don’t Forget to:
- Develop your company’s messaging for all the necessary countries and/or languages
- Define your company’s data retention and privacy policies
- Determine how your company needs to turn on active GDPR consent, for example, by clicking “I agree” during the apply process
- Collect consent from applicants and contacts in your database
Check that your Recruiting Platform (Data Processor) can:
- Obtain unambiguous consent from your applicants, contacts, and new hires to process and retain their data
- Clearly inform candidates of the purpose of collecting their data and inform them of their rights to their data
- Automatically turn collecting consent on/off, determined by their noted location
- Log the action associated with collecting consent
Reporting and Auditing
GDPR requires that the data controller maintain proper records of data processing and notify data subjects of any breach no later than 72 hours after having become aware of it.
Don’t Forget to:
- Schedule regular reviews of your Compliance reporting
- Agree on processes to review and re-seek collecting consent, if applicable
Check that your Recruiting Platform (Data Processor) can:
- Show records of the timestamp of consent
- Show that consent was collected across your recruiting platform, from your ATS to sourcing efforts to your onboarding portal
- Show when future deletions are set to occur or show a record of past deletions