GDPR compliance is every business's number one concern these days.
The General Data Protection Regulation (GDPR) was adopted in April 2016 to reinforce data protection laws for all citizens within the European Union (EU). Coming into effect on 25th May 2018, the GDPR will impact all businesses working with personal data from the EU. That means all of us – Recruitee, our clients, and everyone who has had or will have candidates from the EU in their hiring pipelines. We will all have to fully comply with the GDPR. As the applicant tracking system (ATS) for many international companies worldwide, here is our stand on this matter:
We fully commit to achieving GDPR compliance before its effective date – 25th May 2018.
Below you will find our step-by-step plan to fulfill the GDPR requirements:
We have been working on measures to comply with the GDPR since last year. We consider the GDPR a crucial component in how we operate as a company and what we do as an ATS. We value our clients' data privacy, and their compliance with the GDPR is of utmost importance to us.
First and foremost, the GDPR has changed the way we look at our internal processes. In order to facilitate the development of a compliant product, we need to make our operation and procedures compliant. Here is what we have done to achieve that:
1–Research the GDPR’s impact on our industry, business, and product. We have clearly identified areas where we need to implement measures to protect our clients’ and their candidates’ data.
2–Hire a Data Security Officer and Legal Counsel. We have carefully selected an officer that has a deep understanding of our business and industry. From day one, he has been involved in various projects dedicated to GDPR compliance. One foundation we have laid together is having all Recruitee employees and all our business partners sign confidentiality agreements. He will continue playing an important role in our product development (more on this below).
4–Improve our internal processes and procedures to comply with the GDPR. For instance, we have established a data breach policy and internal security processes to ensure maximum privacy protection for our clients’ data. We will keep making security improvements in our operation, because we view GDPR compliance not as a one-time change but a continuous process.
5–Be selective in choosing our business partners. GDPR compliance and EU-hosted data are two of the key factors we look for. The latter is a prerequisite we have insisted on since day one, because data stored in the US carries two risks: 1) the legal basis for transferring data to the US can be deemed invalid in the future, just as Safe Harbor was, and 2) the US government can access the data without informing our clients.
6–Encrypt our clients' and their candidates' data as much as possible. We, as the data processor, do this to protect their data. We never take ownership of the data.
From process to product
Once we finished preparing our operation and processes to be GDPR-compliant, we moved on to the biggest piece of the puzzle: improving the Recruitee product and helping its users comply with the GDPR.
Since the recruitment industry revolves around candidate data, we need to take the GDPR into account in every aspect of the product. That’s why we have consulted multiple legal experts to ensure our features’ compliance. Here is what we have done and planned to do:
7–Develop a special product roadmap that addresses all areas in Recruitee impacted by the GDPR. With the aid of our Data Security Officer and external law firms, we have fleshed out a GDPR-tailored product roadmap that will assist our clients in achieving 100% compliance in their recruitment activities.
8–Work on the special product roadmap to realize the features for GDPR compliance. By including the legal aspects early on, we have been able to develop the new features at speed. One of the core GDPR features would anonymize candidates' personal information, allowing full reporting on old candidate profiles you no longer hold. Another would let you control how long you want to keep candidate data. There is also a feature letting candidates submit requests to access, remove, or correct their data in your Recruitee database. These are some examples of the GDPR-compliance feature package we're going to launch before May 2018. Stay up to date with our latest development of these features here.
9–Test and verify the GDPR-compliance features with both our Data Security Officer and external law firms. It’s key in our process to involve them in the full product development cycle.
10–Finalize and announce our full compliance with the GDPR. We plan to execute this before May 2018 – ideally when our GDPR-compliance features are launched.
By our forecast, we would be the first ATS to be fully compliant with the GDPR's Privacy by Design principles before the GDPR's effective date. Our clients would benefit greatly from being able to comply with the GDPR at the push of a button, and their candidates would be properly informed of their rights regarding their personal data. If you want to learn more about using Recruitee's GDPR features for your recruitment today, please drop us a message.