IAPP CIPT – Lawful Processing of HR Data, Contracts & Recruiting Part 5

17. Create a privacy policy for recruiting

Hi, guys. In terms of crossborder transfers, the general principles under the GDPR looks much the same as under the Data Protection Directive or DPD. The whole legislation data can be transferred under a Commission adequacy decision, like the one used to give effect to the European Union U. S. Privacy Shield. The GDPR contains details of how this should be reached or with model clauses or binding corporate rules, which are BCRs for intragroup transfers.

The good news for employers wanting to transfer employee data crossborder is that their current arrangements may continue to be valid under the GDPR, although in terms of the UK Brexit may have an impact. The GDPR explicitly acknowledges as valid the current requirements for BCRs for controllers and processors, which is helpful for data transfers involving those member states that do not as yet recognize BCRs. Under the GDPR, model clauses may be used without such prior approval.

Further, employers are likely to be able to use a new regime of transfers based upon certifications, provided that binding and enforceable commitments are made by the controller or processors to apply the appropriate safeguards. In addition, under the GDPR, there will still be limited possibilities to transfer data where it is necessary for the performance of a contract or with the consent of the data subject, although this is likely to be difficult to achieve in an HR context.

As discussed in the previous lessons, the GDPR makes it clear that it is not lawful to transfer personal data out of European Union in response to a legal requirement from a third country. It also imposes significant penalties for breaches, including non compliance transfers. All of this will be relevant where employers wish to transfer employee data abroad. Perhaps in order to keep employee data in a central global HR function or in the context business expansion and acquisitions, employers will need to think ahead on all these points. Those providing information as part of Tube tiup transfer business sales or funding round, for example, will need to consider whether they have sufficient grounds to make the necessary transfers.

18. Source candidates online with care

Hi, guys. Sourcing is an essential function for organizations that want to find great people. However, sourcing requires finding and storing personal candidate data, so complying with GDPR all the way is critical. First, keep in mind that you need legitimate interest to source candidates and process their personal data, so ensure that you want actually intends to contact those candidates. Simply building your talent database by adding candidate data in case you need it in the future is not legal under GPR. Two. Plan to contact candidates as soon as possible. You can only keep a candidate’s data without informing them for a limited time, a month at most.

Contact these candidates as soon as possible and delete their data if they ask you to. If you change your mind about a candidate and decide not to contact them, you must delete their data immediately. Three. Collect only the data you need. You may want to process candidate data relating to education, work history, or skills, along with contact details. These types of data makes sense for your recruitment process. However, you should not process irrelevant data, for example, cultural information for recruiting purposes. If you need to process this data, make sure to explain it when you contact candidates and ask for their consent.

Fourth, obtain data lawfully gathering data from social profiles is legal under GPI. If those profiles are publicly accessible and if you can reasonably assume that candidates expect to be contacted. For example, you may assume that a publicly accessible LinkedIn profile indicates a reasonable expectation of contact only. Then, you can proceed to process candidate data you need to create a template that you can add to your sourcing images.

If you have a recruitment specific policy in place, you can provide your organization’s name and contact details, say that you intend to keep data for recruitment purposes only, and link to your recruitment Privacy policy to convey the rest of the necessary information. If you don’t have a recruitment privacy not Is yet, you need to include all information required by GDPR Article 14 in your email. You can also find in the resources area of this lesson a sample email text with placeholders.

19. Ensure you job application process complies with GDPR

Hi, guys. Let’s discuss about the job application process. Well, when candidates fill out your job application forms, they provide you with their personal data. Because job applications correspond to actual job openings, you have legitimate interest in processing this data, and you do not need to ask for explicit consent. But to be fully compliant with GDPR, you need to ensure the following one ask only for personal data that you need. The Working Party 29 the Collection of Data Protection Authorities states that the data you collect from candidates must be necessary and relevant to the performance of the job which is being applied for. Two be transparent in your job ads. Let candidates know that you intend to use their data for recruitment purposes only and how long you may need to keep this data.

If you plan to gather more information about candidates, for example, by reviewing their social media profiles as part of your screening process, you need to say that explicitly and explain how and why. Three link to your Privacy Policy Your company’s privacy policy should be easily accessible. It should include instructions to candidates on how they can ask you to delete, rectify, or stop sharing their personal data in your job ad. Let candidates know that they can find that information in your privacy policies. Let’s discuss now about your rejection email templates and why you need that. Sometimes you have more than one great applicant for a role. If you can’t hire all of them, you may want to keep the ones you didn’t hire on file for future roles.

To remain compliant with GDPR, you need to make sure that you will not keep this data for a longer period than the one you originally mentioned to candidates. If, for example, you told candidates in your sourcing email that you would keep their data for a year after they apply, you don’t need to send them another email until that year has passed. Conversely, if you told candidates you would keep their data until you fill this particular position, then you need to inform them again that you want to keep the data you had collected. Do this with your rejection email. Add a few sentences to explain why you want to keep the candidates data. Mention how long you plan to keep their details. Provide a link again to your recruitment privacy notice. Let candidates know they can ask you to delete their data at any time.

If they ask you to delete their data, you must comply with that. Prepare to inform candidates of data processing whenever you receive their data. Often, you will find yourself processing personal candidate data through means other than job applications or online sourcing. Candidates may give you their CVS at a career fair or a networking event, or they may ask you to contact them with job opportunities. All these scenarios are lawful under the GDPR, but you need to be able to demonstrate that you have been transparent. You can do this by preparing standard forms that provide all information required by GDPR and ask candidates to sign. Or you can email them afterwards with your recruitment, privacy notice and the rest of the necessary information.

Let’s discuss now about reviewing existing talent pipelines. GDPR covers personal data that your company has collected in the past. This means that you must review your talent databases, spreadsheets, and other files where you store candidate data. This is a good opportunity to make sure your talent database is updated and relevant. Determine which candidates may be good matches for future open roles in your company and which are not. If you determine that a candidate is unlikely to be qualified for future roles or is no longer relevant, or you obtain their information too long ago, then you must delete their data. If you store candidate data in your ATS applicant tracking system, it will be easy to delete the data of those who are disqualified.

Take a quick look at all candidate profiles to see if there are candidates who are promising or whom you wanted to contact in the future you could match. Delete the rest. If you’d like to keep a candidate in your talent pipelines, reach out to them to inform them that you are processing their data. For candidates that you want to keep in your database, prepare an email to give them necessary information. This email should be similar to the email you would send to source candidates in that it must include all information about what data you hold and where. These emails should also include links to your privacy policies. Your ATS may have bulk email functions that will make sending this email much easier.

20. Ensure your software vendors are compliant

Hi guys. In this lesson, we’ll discuss about your software vendors. My recommendation is to enroll you in our GDPR Cloud Service Provider course. That will explain this concept in more details and will also provide more documents for you to use. Data processors have full access to your candidates data. This is why GDPR expects you to be certain that your partners protect this data the same way you do. Your most important vendor in recruitment is your ATS applicant Tracking system provider. Your ATS is the place where you will store almost all candidate data, send emails, and delete or modify information. If your ATS complies with GDPR, it will be a great ally in ensuring your company complies as well. If you aren’t using an ATS, consider investing in one.

Spreadsheet, which are the most common alternative to software vendors, may expose you to risks concerning GDPR compliance as they provide a poor audit trail. Access Controls and Version Control One of the key benefits of spreadsheet is also one of their key flows, in that they can be easily duplicated, modified, and disseminated without the owner’s knowledge, and they are a cumbersome method of erasing and correcting the data. As a first step, arrange a meeting with your ATS provider or several. If you are planning on purchasing an ATS, ask the following whether GDPR applies to them as processors if they aren’t a European Union company, they should either be part of the privacy shield for US. Companies or be ready to sign effective data processing agreements that oblige them to follow GDPR’s guidelines. How they plan to become GDPR compliant. They should also be able to tell you where they store the data and how they ensure this data is protected.

Whether they use compliant vendors, they should have data processing agreements in place with all those subcontractors. Whether they have clear privacy policies and review their privacy policies to ensure they comply with GDPR and can adequately protect your candidate data. Be prepared to grant candidate Requests a big part of remaining compliant with GDPR is to be able to help candidates exercise their rights under this law.

To do this, you must provide guidelines and processes to let candidates access their personal data upon request. In order for this to happen, you need to do two things determine the format of the electronic copy of their data that you must give to candidates and establish a process to extract and send that copy. Then delete candidates personal data or restrict processing upon their request. In order for this to happen, you need to find all places where you keep data. You must have done this during your data audit and establish a process to delete data from all these places.

Then rectify candidate data. In order for this to happen, you need to ensure you have processes to control different versions of candidate data. For example, you should not correct the same candidate data on one’s precious and not in another. Having an ATS in place can save you all this trouble and in the end, let candidates withdraw consent. In case you decided to use consent as the legal basis for processing, in order for this to happen, you need to compare this process to the process of giving consent. GDPR requires that the processes of giving and withdrawing consent should be equally easy and simple. In the end, you need to ensure you communicate these processes clearly on your website and or your terms and conditions.

• Category: Uncategorized