Principles for Compliance
How is compliance demonstrated?
Let’s recap. Whether you are located in the EU or, alternatively, located elsewhere but conducting business in the EU, any of your data processing activities involving personal data of EU citizens, must comply with GDPR principles to be lawfully permitted.
For SmartRecruiters customers, this applies to the recruiting and hiring activities you perform while leveraging our platform that involves collection of your candidates’ personal information.
So, the next logical question is – what are the principles you need to follow to be compliant with the GDPR?
Specific to the GDPR’s protections for Data Subjects, there are several principles that are key for processing personal data.
This discussion highlights five (5) of these principles that must be met relevant for processing personal data, which provides an accountability framework for Data Controllers:
Principle 1 - “Fair and Lawful with Transparency”
Data Processing activities involving personal information must be performed in a fair and lawful way, as well as in a manner that provides transparency to the data subject. So, namely, Principle 1 involves two elements that must be satisfied:
Transparency – Transparency is accomplished by informing the data subject what data of his or hers is or will be processed, and how that data will be used. Hence, there must be “transparency” around processing activities. So, personal data cannot be processed unless the data subject knows about it.
Hence, it is important for you – the data controller – to think about how you will provide such notice to your job applicants, especially when using a data collection tool or recruitment software as the means for facilitating your hiring process. Ask yourself, when a candidate applies – have we informed them about what information we collect and how it will be used?
In SmartRecruiters, for example, transparency is provided to applicants in the form of a Privacy Policy that covers acceptable access to and use of personal data. Leveraging our Compliance Interface, SmartRecruiters Customers may share with applicants their own privacy policies governing the collection and processing of an applicant’s personal information as part of the job application and hiring process, enabling applicant (and data subjects) to be informed about how their data will be used. That said, it is up to the Data Controller for ensuring their Privacy Policy is comprehensive enough to satisfy GDPR’s transparency element.
Fair and Lawful – To show that Data Processing activities are performed in a fair and lawful manner requires Data Controllers to show at least one of the following conditions exist:
- Data Subject Consents to Data Processing
- Data Processing is Necessary for Contract Performance
- Data Processing is Part of a Legal Obligation
- Data Processing Protects Vital Interests of Data Subject
- Data Processing in the Public Interest
- Data Processing Necessary for Controller’s Legitimate Interest
Obviously, not all of these conditions are relevant to your hiring process. The most logical conditions to demonstrate “fair and lawful” data processing for processing a job applicant would likely be consent – i.e. the applicant consented to the process – and/or legitimate interest – i.e. this data is relied upon by our business to hire qualified employees and meet growth objectives.
Whichever condition is most relevant to your data processing activities – remember, you, the data controller must show one of these conditions exists.
Note, if relying on consent, the GDPR requires it to be explicit — meaning the applicant (data subject) must have explicitly consented to his or her data being processed. It is not enough to say the simple act of applying qualifies as implied consent.
Consent must take on the form of an express action whereas a candidate actually checks a box or overtly selects an option to move forward/continue and such action is recorded. If your organization relies on a candidate’s consent for demonstrating lawfulness – we suggest you familiarize yourself with the relevant GDPR provisions and accompanying recitals that speak to consent as it has become more tricky to provide under GDPR (see reference in blue below).
SmartRecruiters Global Compliance Center – part of our Global Subscription package – provides functionality for customers to display their relevant privacy policies, should they opt to provide these to their applicants. For more information, on our Global Compliance Center, please follow up with our sales team or your dedicated Customer Success Manager for more information.
Principle 2 - “Explicitly Specified“
Personal Data may only be processed for a specific and limited purpose. This means personal data processed for one purpose, cannot then be processed for another. In other words, the purpose of the data processing must be explicitly specified.
Use Case
Let’s provide a recruiting example to highlight this rule. YOU – the Data Controller – request the email address (processing) of Data Subject “Applicant A” and inform “Applicant A” you will only use the email provided for communicating information with him or her during the hiring process of Position 1. “Applicant A” consents to this use and provides you the email address (personal information).
The hiring process of Position 1 concludes because the vacancy was filled with a different applicant, and you inform “Applicant A” of this news, thereby ending Hiring Process 1. However, in your opinion “Applicant A” was a really great candidate, and likely a better fit elsewhere. So, you decide to keep “Applicant A’s” email for sharing information about future opportunities. Would this be permitted?
The answer is a very likely, No, pursuant to the “specific and limited” rule. Here, “Applicant A” was told the email address is only for hiring process communications pertaining to Position 1. At no time was it communicated that the email address would be used for future opportunities. Hence, the personal data (email address) provided to you – the Data Controller – was explicitly stated for communications purposes related to Position 1.
Should the specific purpose be communicated differently, here, say “used for communications about this position and for any future openings,” then any communications about future positions would then be permissible in this example because the specific and explicit use included Position 1 and future opportunities.
So, as you prepare for compliance with the GDPR, it is critical to think about how you plan to use candidate data in SmartRecruiters when communicating its explicit purpose for data processing with your candidates, such that you do not fall in violation of this rule.
Remember, personal data explicitly specified for one purpose may not be used for another – so be clear and comprehensive in your notice to data subjects.
Principle 3 - “Only What is Necessary”
Data Controllers are further limited in their data processing activities to the extent they may only use that data which is absolutely necessary for achieving their purpose. In other words, Controllers must minimize the amount of personal data they process, limiting processing activities to only critical personal data.
This requires Data Controllers to be thoughtful about their data processing activities – discerning between personal data that is nice to have vs. personal data that is necessary. So, what is the litmus test for determining “only what is necessary”? The GDPR is silent, here, and places the burden on the Data Controller to make that determination, as it depends on the circumstances of the data processing activity.
Relevant to our platform, SmartRecruiters’ productized application and job advertisement process serve to standardize andlimit the amount of personal data collected from applicants, thereby enabling customers to more easily identify what information is critical and necessary for efficient and effective recruiting that produces the best results. That said, we understand every hiring process is unique, and therefore also provide breadth and depth in our configurations, with features like custom fields, screening questions, analytics, reporting and more, for customers to decide what is most necessary – just as the GDPR allows them to do – the personal data they deem absolutely necessary to their hiring process and to demonstrate compliance thereof.
While Data Controllers are given authority to determine what personal data is necessary for achieving the specified purpose of their data processing activity, this means they also carry the burden of proof in the event of an alleged GDPR violation or audit to show their data processing activities are limited only to that personal data that is necessary.
Principle 4 - “Current and Accurate”
The GDPR states that Data Controllers must take “every reasonable step” for ensuring the personal data processed is current and accurate. This principle is really self-explanatory and simply means data must be up-to-date and correct as to its purpose. Where inaccuracies exist, the Data Controller is responsible for remedying the errors without delay, and the erroneous information must be “erased or rectified” per the GDPR.
A common risk arising in recruitment is the presence of an outdated talent database, which runs directly afoul of this accuracy rule. Hence, personal data collected from your applicants must be accurate and up-to-date. Where it isn’t, your candidates (Data Subjects) have the “right to rectification,” compelling YOU (the Data Controller) to remedy any inaccuracies. Managing information accuracy is an incredibly onerous and burdensome process, so having a recruitment solution that helps mitigate this risk is key.
SmartRecruiters supports our customers in their efforts to capture accurate information by offering functionality that serves to reduce the risk of erroneous and duplicative data. SmartRecruiters features like SmartProfile, or our seamless HRIS integrations – that offer integration capability to all major HRIS providers – promote current, credible, and accurate candidate data maintenance for our customers.
Principle 5 - “Limited Retention”
Personal data may not be retained indefinitely, so data retention limits must apply.
The GDPR makes it clear that personal data may be retained “for only as long as is necessary,” when in a format where the data subject can be readily identified. Further, personal data must be processed in a manner that ensures the security of the data, while also enabling the data subject to exercise his/her rights under the GDPR.
So, how long is too long? The GDPR does not currently specify a length of time, as it likely depends on the nature of the data processing activity, and/or local requirements. That said, the burden is on the Data Controller to show adequate data retention limits exist and that such limits are followed. Thus, an important question for Data Controllers to consider, especially if relying on an outside Data Processors, is how this will accomplished.
SmartRecruiters platform is designed with embedded features to assist customers with meeting their compliance needs. Specific to retention of applicant data, SmartRecruiters provides a simple and easy-to-use Compliance Administration interface that enables customers to set their own rules and limits for maintaining an applicant’s personal data. While our platform certainly aids customers in facilitating compliance with data retention regulations, the burden ultimately lies on the customer for ensuring and providing proof of actual compliance.
As we briefly alluded to above in Principle 5, the GDPR makes clear the ultimate responsibility for ensuring data processing activities are compliant rests on the Data Controller. Thus, the Data Controller (meaning YOU, the customer) bears the burden for demonstrating that each of these principles (#1-5) are satisfied with respect to your data processing activities. To ensure your team is compliant, we recommend a thorough review of each of these within the GDPR.