GDPR compliance is every business’ number one concern these days.
The General Data Protection Regulation (GDPR) was adopted in April 2016 to reinforce data protection laws for all citizens within the European Union (EU). Since 25th May 2018, GDPR is now in full effect and impacts all businesses working with personal data from the EU. That means all of us – everyone who ever had, has had, or will have candidates from the EU in their hiring pipelines. We will all have to comply with GDPR fully. As the chosen applicant tracking system (ATS) for many international companies handling EU data, we have a firm stance when it comes to GDPR :
We have been fully committed to achieving GDPR compliance before its effective date – 25th May 2018.
Below you will find our step-by-step plan of how we fulfilled GDPR requirements before enforcement and how we plan on safeguarding compliance.
Internal process adjustments
We have been working on measures to comply with GDPR since early 2017. We consider GDPR a crucial component of how we operate as a company and what we do as an ATS. We value our clients’ data privacy, and their compliance with GDPR is of utmost importance to us.
First and foremost, the GDPR has changed the way we look at our internal processes. To facilitate the development of a compliant product, we have made our operation and procedures compliant as well. Here is what we have done to achieve that:
1–Researched GDPR’s impact on our industry, business, and product. We have identified areas where we need to implement measures to protect our clients’ and their candidates’ data.
2–Hired a Data Security Officer and Legal Counsel. We have carefully selected an officer that has a deep understanding of our business and industry. From day one, they have been involved in various projects dedicated to GDPR compliance. One foundation we have laid together is having all Recruitee employees and all our business partners sign confidentiality agreements. Our Data Security Officer and Legal Counsel will continue to play an essential role in our product development (more on this below).
4–Improved our internal processes and procedures to become GDPR compliant. For instance, we have established a data breach policy and internal security processes to ensure maximum privacy protection for our clients’ data. We will keep making security improvements in our operation because we view GDPR compliance not as a one-time change but a continuous process.
5–Continue being selective in choosing our business partners. GDPR compliance and EU-hosted data are two of the key factors we look for. The latter is a prerequisite we have been determined on since day one. Because data stored in the US has two risks:
- The legal basis for transferring data to the US can be deemed invalid just like Safe Harbor in the future, and
- The US government can access the data without informing our clients.
6–Encrypt our clients’ and their candidates’ data as much as possible. We, as the data processor, do this to protect their data. We never take ownership of the data.
From process to product
Once we ensured that our operation and procedures were GDPR compliant, we moved on to the most significant piece of the puzzle: improving the Recruitee product and helping its users comply with GDPR.
Since the recruitment industry revolves around candidate data, we need to take GDPR into account in every aspect of the product. That’s why we have consulted multiple legal experts to ensure our features’ compliance. Here is what we have done and planned to do:
7–Developed a special product roadmap that addressed all areas in Recruitee impacted by GDPR. With the aid of our Data Security Officer and external law firms, we have outlined out a GDPR-tailored product roadmap that will assist our clients in achieving 100% compliance in their recruitment activities.
8–Worked on the special product roadmap to realize the features for GDPR compliance. By including the legal aspects early on, we have been able to develop the new features at speed. One of the core GDPR features anonymizes candidates’ personal information, allowing full reporting of old candidate profiles you no longer hold. Another one lets you control how long you want to keep candidate data. There is also a feature allowing candidates to make requests when they want to access, remove, or correct their data in your database in Recruitee.
These are some examples of the GDPR compliance feature package we have launched.
9–Tested and verified GDPR compliance features with both our Data Security Officer and external law firms. It has been vital in our process to involve them in the full product development cycle.
10–Finalised and announced our full compliance with GDPR.
We were the first ATS to be fully compliant with GDPR’s Privacy by Design principles before GDPR’s effective date and we continue to demonstrate our commitment to full compliance.
If you want to learn more about using Recruitee’s GDPR features for your recruitment today, please drop us an in-app message.