GDPR: The Questions to Ask and Best Practices to Know

Find out what you really need to know about GDPR and how to directly apply it to your own recruiting processes.

  • What GDPR means for you and your software
  • Best practices on managing your compliance
  • Key questions you need to ask yourself and vendors
  • Real-life examples of how companies are preparing for the regulations

Webinar Transcript:

Claire: Good morning, good afternoon everyone. My name is Claire Alloway, I’m a part of the marketing team here at Jobvite, and we're going to get started with this GDPR webinar. Thank you so much for joining. We're going to cover the questions to ask and the best practices you need to know about this upcoming regulation. To start off, something that, if you've attended any GDPR content, you are well familiar with: this webinar is meant to be an informational presentation, not meant to offer legal advice. So if you have any questions about your specific conditions, or any questions where you're a little bit iffy on the answer, make sure to reach out to your legal counsel for that.

The agenda. So to start off, I wanted to let you guys know, a question that we definitely get asked with every webinar: you will be getting the recording and you will be getting the slides, so those will be in your inbox tomorrow. So definitely take a look for those for yourself if you want to review them afterwards, and obviously feel free to share them with your colleagues if they weren't able to attend today. So here's the agenda of what we're going to be covering: we're going to go over an overview of GDPR regulations themselves and then go through a couple of the different categories that are covered within the regulation.

Here are today's speakers. Unfortunately Kimberly Smathers was not able to join us this morning, unexpectedly, so we've got a great lineup nonetheless: Sujay Rao, VP of Product at Jobvite, and then Shanthi, butcher your last name come on thank you, who is the Senior Product Marketing Manager here at Jobvite. I'll let them say hello before we get started.

Sujay: Hi there, nice to be here.

Shanthi: Hello everyone, this is Shanthi. I'm extremely excited to be here covering the most top-of-mind topic for everyone right now, which is GDPR. Like Claire said, I would love to start our conversation or webinar here with a general overview of GDPR. Now as you all know, GDPR stands for General Data Protection Regulation. This is an EU regulation that is intended to strengthen the protections for EU citizens, particularly when it comes to their personal data and data privacy, right? And who does it impact? Well, organizations that have establishments in the EU or do business in the EU, they are impacted by GDPR. And so for the recruiting audience here, from a recruiting context, if you are recruiting talent in and from the EU, GDPR applies to you. And you are also probably already familiar that if you do not comply with GDPR there are serious business implications, red equal risk serious fines: 20 million euro or up to 4 percent of the global annual revenue.

So given the seriousness of this topic, before we go into the best practices, let's understand some of the terminologies that are in GDPR and understand who's who, right? GDPR identifies and governs three key stakeholders, what they call the data controller, the data processor and the data subject. Well, according to the regulation, the data controller is an organization or individuals to whom the data is submitted. So from a recruiting standpoint, since your organization is requiring personal data of the applicant or the contact to evaluate and make hiring decisions, or even onboard your new hire, by definition you've become the data controller and you are legally responsible to meet the GDPR requirements.

Well, the data processor is the entity that accepts instructions from the data controller and processes the data on their behalf. So in this case that would be your recruitment solution provider, or ATS for that matter, who collects the applicant's, contact's or new hire's data on your behalf and processes the data. So by that definition, say for our customers who use our recruiting software, Jobvite is the data processor. And then we finally have the data subject, which is defined as a living human being to whom the personal data relates or whom it identifies. So in this case that's your applicant, contact or new hire in the EU who now has enhanced rights under so what are those specific regulations, right? At a high level we can boil this down to five things. The first thing is to get that comes up in for them to give their personal data to you. So GDPR requires that you obtain unambiguous consent from your applicant or contact or new hire, and it also requires that you provide greater transparency to those individuals about the data you're collecting.

How would it be used, how long you plan to keep the data in your database, and record that consent. The second requirement is around erasure of the information, also known as the right to be forgotten. Now your candidate, applicant, they have the right to say, "I don't want to be in your database, could you please delete my information from your database," and to be in compliance with GDPR you should be able to meet that request. The next is the data subject's right to access information and rectification, meaning they can request to view the information you have about them or even request that you edit or correct the information, and you should be in a position to be able to process that request. The next requirement is around the right to objection and the right to restriction. Now the data subject, and this is where the data subject asks you that they not be contacted anymore, or they say that they don't want that information to be processed, and so again you should be able to be in a position to be able to process that, I mean that request. And finally it all comes down to reporting, right? GDPR requests that you maintain a record of all of the processing activities so you can demonstrate compliance if and when an audit is conducted by an EU Data Protection Authority. So given this, let's go through each one of these requirements in detail and, you know, cover the questions you need to ask, and we'll also share some best practices to follow. So starting with consent. So Sujay, I would love to turn it over to you at this point so you can help our audience understand the variety of applicants or scenarios they need to think about when it comes to staying in compliance with GDPR.

Sujay: Sure thing, and thanks for the fantastic overview, Shanthi. So hi there, this is a GDPR apart database, let me walk you through all the requirements and how Jobvite meets those GDPR co-regulation. We're starting off with consent here. As a recruiter, when you think about all of the sources, how you attract talent into your pipeline where you can cooperate, so it's typically candidates applying to your career site or coming in through a different job board, or perhaps, you know, you're doing a mass resume import into the ATS, right? So that's what you think about. But there's actually more to it, so here's where Jobvite is coming in and then giving you some guidance and best practices. Think about job alerts: these are passive candidates that, you know, applied for the job but they're willing to apply in the future when a new job opens up. Or, you know, as a recruiter you could be manually adding candidates into the system yourself, perhaps you met someone at your local bar and then they gave you a to pay and then you want to import that, or you could have and be nurturing it I know a talent pool, or you can have your employees referring their own connections to your open job.

So Jobvite now has thought through all of these different pathways and investing candidates or passive contact and enter into your system, and we do have capabilities to process all of those. So what's my recommendation? You know, when you go out and then look for an ATS system, these are the questions that you should be thinking about when it comes to seeking consent. First one is, you know, can you collect consent explicitly? And I've seen other agencies out there that just provide you a simple checkbox on the job listing page or the apply page. Jobvite has actually gone above and beyond that: you know, we provide you a separate consent form selection page.

So you definitely think about how you can collect consent, and also you should be thinking about why are you capturing consent in the candidate, what's the purpose of collecting their data, and what is it that you plan to do with that data. The other thing you need to think about is, even though GDPR as the regulation is applied to all of Europe, we've already heard that there are some countries that are coming up with slightly different variants of that regulation, and if that is indeed the case, how do you set up consent forms so that, you know, it applies, you know, say slightly differently for France or the Netherlands.

Last thing you need to definitely think what consent is or, you know, is your ATS provider logging all of these consent actions in an audit report in case you ever need to pull it up. So as a sector for a let's take a quick example of how Jobvite allows you to seek consent on the career site. The first image that you've seen on the left is where, you know, once your candidate clicks on the apply button they've been taken to a data consent capture page, and that's where they get to self-identify, you know, their country of citizenship or residence.

So for example, you know, you belong to, you know, it's the United Kingdom or any other part of the EU, or maybe, you know, for global multinationals that work across countries, you know, you could set up consent forms for all of your countries, or you could also set it up so that, you know, you can skip consent for those countries that do not require. So once you select, you know, you would go through, the candidate would now quickly accept or decline the consent verbiage if they're happy with it, and then that's when they finally end up on the application page, that's the image that you see on the right. So that explains how you would capture consent from the candidates from the apply pages. So here's what happens within Jobvite if you are a recruiter and then you manually enter a candidate into the system.

So you may not be familiar with this screen, but I'll quickly talk through it. On the left image is where, this is our candidate profile, and, you know, this is a candidate that you can you manage add into the system, and if that is indeed the case we provide you a quick seek consent link there that allows you to send an email to the candidate asking for word for consent. Once they get that email, there's a link there that lands them on a certain page where they go through the self-identification process and provide their consent. Our best practice, right, is that, you know, you make sure that when you put up your consent notice you tell the candidate, you know, what you plan to do with their personal data.

Shanthi: So right, that was excellent, thank you Sujay. Moving on to our next topic, which is around deleting and retaining data. This is their data subject right around the erasure of information and additional rights, right? So one of the most commonly asked questions relates to how long they should retain candidates' personal information, and what information they should keep and what information should they delete? So can you show our audience how they could go about doing that in Jobvite and share some best practices around that?

Sujay: Yes indeed. So again, when it comes to setting up deletion or retention policies, right, so Jobvite gives you a lot of capabilities here, but here's what you need to be thinking about yourself when you're going to think about data retention, right? So can you retain, you know, or create as many retention policies as necessary for different locations? Again, we see that there are many countries that have come up with their own retention timeframes.

So it's really you working with your legal counsels they're determined how long you want to keep, you know, a certain applicant's data. So we've seen some countries saying six months to up to three years where you can keep, you know, data, you know, in your ATS before it gets anonymized or deleted. The other thing that you should also be thinking about is, can this be automatically set up so that, you know, you don't have to do anything, you just set it up one time and then these deletions occur automatically in the future? That's another thing you need to think about. And then of course when it comes to addition and retaining of data, you might want to go in every once in a while to understand, okay, I'm working on this candidate, how long is, you know, have deployed consent for, how long is their data being retained in the system, so you might want to have a quick check on that.

Here, on the screen, you're seeing how Jobvite allows you to set up multiple retention policies. Just like how we now provide you a library of consent forms targeted to a particular country or set of countries, similarly you can set up a of retention policies by countries. For example, here you're seeing that we've set up a retention policy for all French applicants for a period of 24 months, in the Netherlands for another 24 months, you know, as an example. You can also see, if you have operations in the US, you could probably decide to retain that candidate application forever, because the U.S. yet doesn't have a minimum or maximum threshold in how long you can keep this data, so you would just retain it forever.

One quick thing about the retention policies is Jobvite has provided you what we call a smart token that you can insert, which actually shows the retention time frame in the consent policy automatically. So for example, if the candidate is applying to a French job, on the consent form they will see that, you know, their data is being held on file for 24 months.

So you don't have to go in and then remember these and then have to set it up. You just have to drag and drop this token or place order to your consent form, and depending on where this job vacancy is being hosted, Jobvite automatically shows you the correct retention time frame. So that is how our retention policies work. This screen shows you, if you have to manually go in and either seek consent from a candidate in the system, or you want management to go in and then delete someone's data, you will just go to our candidate list pages. We have provided many filters for you, or one of them is to be able to filter by data consent status, or be able to, you know, filter by the data consent date or the automatic or the future deletion, so you should be able to go in and then use this filter to either re-seek consent or delete candidate records.

Remember that, you know, Jobvite provides two ways to delete data. One of them is to be able to fully wipe out data, or just wipe out personally identifiable information. It is Jobvite's recommendation that, you know, if you are a recruiting organization, you probably just want to delete the PII data so that you get to retain everything else for reporting analytics purposes, for example what was the workflow that happened around this candidate, which source are they coming from, so you should be able to do that, all right.

Shanthi: That was a good discussion there, thank you so much Sujay. Now let's talk about the next requirement, which is around their enhanced right to access under GDPR. Like I said, a candidate now has the right to request to view the information or update their profile with the correct information to help it organizations go about accomplishing that.

Sujay: Great, so let's talk about, I'm sorry, I think we were talking about, give me one second here, I apologize. So we're talking about right to access data, yes. So this is the right side. So, you know, at Jobvite we have provided a, you know, one-click data export capability, that just in case your data subject, which is a candidate, is coming in and asking for a copy of their data, so as a recruiter or anybody with access to, you know, the candidate profile and with the right roles configured, you can just go in and then click on the export data button to download a copy of the candidate's data. So it's now up to you to take that data and determine what can be shared with the candidate or watch it because back and then send a copy of the data to the candidate.

Shanthi: Awesome. Alright, then finally let's bring it all together with reporting, right? How can they prove that they are GDPR compliant, what are some of the things they should look out for, and what are some best practices when it comes to demonstrating compliance under GDPR?

Sujay: We hope you never get audited with Jobvite throughout it all of the right capabilities, but, you know, you must still want to go in and then periodically look at your GDPR reports. So there are some things that you need to consider while selecting an ATS, right? So first is, can the ATS show records of the time, type of consent, so if you ever have to prove that you did seek consent from a candidate and you processed their data properly, you should be able to substantiate that by pulling up a report. You should also think about, you know, your entire talent acquisition funnel, right? So it's not just a candidate applying to a job. They could be a passive contact that, you know, probably was just interested in learning more about your company, and then maybe they apply at a certain point in time in the future, and then they went through the application process, and then they got hired and they were onboarded into your company. So you should be able to, you know, show consent all the way from them being a passive contact to them turning over into a new hire.

Another thing about reporting is, to prove that a data subject wanted their records deleted or anonymized, you should be able to go into reporting and then, you know, prove that your request came in at a certain point in time and then you went in and then deleted certain data. So just to kind of close that topic, we have provided, you know, compliance reports across all of our product lines: Hire, our ATS system; Engage, our candidate relationship management system; and Onboarding, our new hire onboarding system. And you'll see here that each one of these product lines has reporting capabilities around deletion reports or consent reports.

Claire: Perfect, thanks so much everyone. We do have a couple more minutes, it's got nine more minutes before the end of the webinar. We want to give you guys a little bit of time to ask any questions. Sujay and Shanthi will do their very best to provide our best practices specific to your questions and maybe concerns. So please feel free to chat those in to the chat box in the lower left hand corner of the ReadyTalk panel, and we'll get to as many as we have time for, as many as you guys have to ask. So we're going to start off here. So Mary has a question: does Jobvite provide any consent language that we can use? Shanthi, maybe can you take this one?

Shanthi: Yeah, so I want to say the answer is no, because every company's GDPR requirements are unique, and so we recommend that you really contact your legal counsel to seek the GDPR messaging that is applicable to your unique condition within the company.

Claire: Okay, perfect. Okay, so the next question, we have a couple of people asking, they have operations outside of the EU and they're wondering, are these capabilities that were covered today, are they only supportive of GDPR?

Shanthi: Yeah, not at all. I mean, what we offer is a generic data privacy functionality that gives you the flexibility to easily extend this to other countries that have similar data privacy policies. I think Sujay touched on that a little bit in this presentation. So for example, you can easily use the framework that we have built today for GDPR to meet the privacy regulations in South Korea and Singapore, for example.

Claire: Awesome, ok, so we have a common question coming in from Andrea and Susan and a couple other people. So if we are a US-based company that does not actively recruit in the EU, but you have a candidate apply from there, are you still required to follow GDPR? Sujay, can you take this one?

Sujay: Yes, let me take this question. Again, don't treat this as legal guidance. The GDPR language is really targeted for businesses that operate in the EU. So if you are a US-only company but you still get, you know, a handful of applications from, say, the EU, you may actually be ok by not providing any consent. But again, this is not legal guidance. I would highly ask that, you know, you go to your own data privacy team and your data protection officer to see what you want to do.

Claire: Perfect, ok, these are some long questions here, apologies. Ok, so Don has a question: if someone applies for a position, at what point do they need to provide active consent? I assume we have legitimate interest to work with them on that one particular role, so that is needed only if we want to keep them after the job is filled or closed.

Sujay: Yeah, let me take that up. There's risks involved in claiming legitimate interest. But essentially what the needs are happening is that you are on the hook to prove to everybody that, you know, that you have legitimate interest in holding onto someone's data. Again, do not treat this as legal guidance, but check with your own legal counsel. That's why Jobvite has gone with the approach of making this easier for our customer by being able to set up a consent form, so you don't leave anything, you know, at risk here.

Claire: Cool, and so we have a question from Elana, sorry: is it enough to have online consent by ticking the box, or are there cases when we have to have a written consent from a candidate?

Sujay: There's no reason to take written consent. Online consents are easy, it is perfectly acceptable by the law. So as long as you've provided a consent notice to the candidate, and then they agree to the consent by either checking a checkbox or clicking on an "I accept" button, and you being able to show at what time they provided consent, that's all that's required.

Claire: Perfect, okay, so we have another question that's coming in from Rob: so if we contact a candidate through LinkedIn or another job board, what are our requirements re consent under GDPR?

Sujay: So that's a question that I unfortunately cannot answer, because you're not using Jobvite to get in touch with this candidate. You would have to work with either the job board or LinkedIn to try and understand how you can gain consent in those systems.

Claire: Right, so it's only if you were able to add that candidate in to Jobvite that we can help.

Sujay: That is correct.

Claire: Makes sense, okay, let's see. Okay, so from Mike: if we just delete the PII, do we need to have consent forms?

Sujay: So consent forms do not have any personally identifiable information in them, so there's no harm in that form being stored within the system. Personally identifiable information is really other sensitive information like name, email address, phone number, physical location, address, etc.

Claire: Got it, okay. It seems like we've answered the majority of questions here, and I know we're getting close to the half hour point. We do have a couple of questions asking about the presentation, and so I wanted to let everyone know you are going to be getting a copy of the presentation and the recording, so that you can review it obviously yourself, or you can send it over to any of your colleagues that have any interest in it. And so you'll have that recording, you can send them specifically to a piece that you find interesting or specific slides. Those will be in your inbox within 24 hours. We're based in California here, so that'll be in your inbox tomorrow morning if you share that time zone.

Okay, so I don't see any more new questions. If we do have any questions that I have missed, we will make sure to follow up with you with a response, and so don't worry about that. I'm going to finish up here, honestly. So thank you very much to Sujay and then Shanthi.

The presentation was excellent. I think everyone's heard a lot about GDPR, but hopefully everyone on the call heard a little bit of a spin on the content, something a little bit new to take away, and hope everyone has a wonderful day. Bye everyone.