The General Data Protection Regulation has been a long time coming. It represents an important update to the existing privacy legislation: the Data Protection Directive, established in 1995. The GDPR aims to improve the protection of EU citizens against major privacy breaches in a world that is increasingly data-driven.
Before we jump in, it’s important to note that while this document can be helpful in ensuring your company’s compliance with the GDPR when using the VidCruiter Platform, we recommend you consult with your legal team to make sure all bases are covered.
Candidates represent an important source of data (data subjects) – your applicants can be identified through their personal data. The CVs they provide when applying to a job or when completing a video interview may include sensitive information like their names, user credentials, addresses and/or phone numbers. The GDPR was put in place to strengthen the rights of individuals with regard to this kind of personal data.
Video interviewing, applicant tracking system (ATS), and other recruitment software tools are big data processors – A cloud-based recruiting platform like VidCruiter collects, processes and stores candidate data for a specific purpose (recruiting). The recruiting function relies heavily on collecting data from candidates to help make informed hiring decisions.
The GDPR applies to any organization that processes the data of EU citizens. To be specific in the context of recruitment and video hiring, it applies to any company, within or outside the EU borders, that recruits (and processes the data of) applicants from Europe. The new legislation was passed in 2016, but companies were given a 2-year grace period to prepare for the imminent changes. As of May 25, 2018, compliance with GDPR requirements is compulsory, with fines reaching unprecedented heights; the maximum penalty for non-compliance is set at a staggering €20M, or 4% of a company’s global revenue, whichever number is higher.
Under the GDPR, applicants can request to be forgotten or to have their data revealed/rectified – Individuals will now have the right to demand that organizations delete from their systems the personal information that they have on them. The company will be fully responsible for compliance with these rights and will have to delete the information within 30 days of the candidate’s request.
Applicants will also have the right to ask your company to reveal the data it holds on them at any time and rectify inaccuracies if they feel the need to do so. In either case, the company will need to provide a digital copy of said data to the applicant within 30 days of his/her request.
Every time you access the web, log into a website or software platform, complete a survey, open a new account, fill out a questionnaire or provide information of any kind online, your data is being collected, often solely for the purpose of resale. In VidCruiter’s case, we use the data we collect to screen candidates and determine suitability to progress beyond the application and pre-qualifying stages in the hiring process.
In any case, it is known that data collection helps consumers and businesses alike. On one hand, companies gain valuable insights into their customer demographics; on the other, consumers get products and services tailored specifically to them. The problem arises when people’s privacy becomes compromised. Sensitive information is collected, stored, exchanged and/or possibly lost, exposing individuals to potential abuse such as fraud or identity theft.
The changes your hiring team will likely see in their day-to-day
It is important to understand that under the GDPR, in order to collect data from applicants, the intent must be explicit and justifiable. Your hiring team can only source job-related information as necessary and needs to obtain informed consent from applicants before doing so.
Obtaining Consent from Your Applicants
The GDPR will require applicants to provide informed and explicit consent to very specific terms when providing information to data processors. There can be no confusion as to what the candidate is giving his/her consent to. The message needs to be crystal clear.
Ensuring your Software Vendors are GDPR Compliant
Data processors like your applicant tracking system (if your company is using a separate ATS in tandem with VidCruiter) can have access to all of your candidate’s data. It is important to make sure your software partners intend to protect your applicant data the same way you do and have also updated their procedures and privacy policies to ensure compliance.
Accountability and GDPR Compliance
After a two-year transition period from the Data Protection Directive to the GDPR, your business is now fully accountable for its compliance with the new regulations. On top of that, your organization is also responsible for who it engages in business with. If a vendor or contractor you do business with falls short of compliance for any reason, you could be held responsible.
Transparency in the Application Process
It is important to highlight in your job advertisements that you are planning to collect data from your candidates for recruitment purposes only and outline how long you intend to keep this data in your systems. If you require additional information throughout the hiring process, for example, a review of an applicant’s social media profiles, make sure this is also properly defined in the terms and conditions.
When it comes to processing/storing applicant data within your VidCruiter System, you have two options:
Option 1: Request Permission to Keep Applicant Data on File
If you wish to keep applicant data on file past the point of the job being posted and closed, you must ask each applicant specifically to opt in to having their data kept within your VidCruiter database for an extended period of time, which must be explicitly defined. Using a simple checkbox at the time of an applicant’s video interview is not an acceptable means of obtaining consent. The applicant must be asked by email (at a later date) and then will need to log in to VidCruiter in order to confirm that, in fact, it is acceptable for their data to be kept on file. If you would like this extra step to be set up within your VidCruiter workflow, we can assist you with the process to ensure compliance with these new GDPR guidelines.
Option 2: Do Not Keep Applicant Data on File
For applicants who do not affirmatively confirm consent to have their records kept on file, you have to delete their profiles soon after the position is closed, within the timeframe necessary to make hiring decisions, as explained to the applicants beforehand. To delete these applicants, your team will have to manually remove them from the system with a group setting within the VidCruiter platform, which we can help you set up. All your team will need to do is archive them individually and then there will be an option to delete them all at once.
VidCruiter has also appointed a Data Protection Officer (DPO) who can be contacted at [email protected] to assist with any of the requests that your organization might receive.