What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It replaces the 1995 Data Protection Directive, on which current UK law is based.
When does the new regulation start?
25th May 2018.
Will it apply to clients of Jobtrain?
Who will enforce GDPR in the UK?
The Information Commissioner’s Office (the ICO).
There are new rights for people to access the information that companies hold about them, obligations for better data management for businesses, and a new regime of fines. Organisations must be much more explicit in telling individuals, before they submit it, what data will be held about them and how it will be used. Of particular note is that candidates will have the right to request that the information be deleted at any time. The information is extensive, and we advise that your organisation undertake a detailed review of this legislation to prepare accordingly.
How can Jobtrain help?
We’ve collated guidance on how to prepare for this legislation with regard to your recruitment process and use of the Jobtrain ATS.
Our dedicated Client Success Managers and our helpdesk, backed up by our in-house technical team, are here to help with system set-up and any questions on system use.
Jobtrain’s archiving feature – whether by the automated method or individual requests managed by our helpdesk – has been developed to anonymise data so it is no longer “personal data” but leaves an anonymous “footprint” to enable extensive historic reporting.
Preparation – 4 ‘W’s
In the GDPR, personal data is broadly defined as any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as, for example, a name, address, identification number, email or social media handle, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
So, with Jobtrain specifically in mind…
WHOSE… personal data is processed?
Consider whose data you hold. For example:
- Job alert registrants
- Job applicants
- Third party recruitment consultants
- Referees / former employers
WHY… is personal data processed?
Consider why you collect, use and hold this data. For example:
- Job alerts – holding individuals’ data to alert them about jobs they may be interested in based on their expressed preferences
- Job applications – holding individuals’ data to assess their suitability for a job
- Talent Pooling – holding individuals’ data to assess their suitability for future jobs that may or may not arise
- Offers made – holding individuals’ data for offers made (whether accepted or not)
WHAT… personal data is processed?
Based on whose data you hold and why you hold it, review what data you’re holding, and consider whether it’s all necessary. For example:
- Registration form content
- Application form content
- Offer / onboarding content
- Email / SMS communications
- Selection data
WHEN… is personal data processed?
‘Processing’ includes the actions of obtaining, disclosing and deleting personal data. Consider the following points:
1. When is the personal data obtained? For example:
- First stage application
- Second stage application
2. To whom is it disclosed, and why? For example:
- Line managers
- HR Partners
- Jobtrain helpdesk
3. How long is it retained for? Consider the following:
- The retention period may be determined by:
  - A statutory requirement. Identify which particular section of law/regulation sets out the retention period – is that a maximum or minimum period?
  - A business/professional practice – what is it?
  - Other reason – provide an explanation
- How long is data held within Jobtrain? Is auto-archiving* turned on, and after what time period is it set to initiate?
- How long is data held outside of Jobtrain? For example:
  - Offline Interview / Assessment Centre records
  - Print Outs / Exports
*NOTE: The GDPR does not apply to data that is anonymised in such a way that an individual can no longer be identified from the information on its own, or “reconstituted” with other data to enable identification, as it is no longer “personal data”. Jobtrain’s archiving feature – whether by the automated method or individual requests managed by our helpdesk – anonymises data so it is no longer “personal data” but leaves an anonymous “footprint” to enable extensive historic reporting.
Once you have defined the “Whose”, “Why”, “What” and “When”…
- Draw up a policy process and a governance/auditing process. These should be written for both those submitting information (candidates) and those receiving and processing it (your employees).
- Adapt your recruitment policies, process and user roles/practices accordingly
- Communicate and train this out across your organisation
Specifically relating to Jobtrain…
- Ensure you have a link to your policy/process document – that is explicit as to what reason you are asking for this data and how you intend to use it – available to candidates immediately prior to the option to register their details. An example of this is supplied below.
- You may wish to remind them of this at the point they complete the declaration (which has previously been focused on them declaring their application is truthful) prior to submission of their application
- In your email communication templates within Jobtrain, consider adding a footnote to each explaining why they have been sent the email, and who they should contact if they have a concern. In the case of the Job Alert communication template, draw attention to the fact they can unsubscribe from these alerts, and provide steps on how to do this
- Ensure the auto-archiving (within Settings>System Customisation) is switched on and set to the appropriate time period
- Have a process for handling ad-hoc requests for data removal. The Jobtrain helpdesk can support with archiving of an individual’s data on a case-by-case basis.
- Review the data collected, who has access, and where necessary adapt:
  - Application forms
  - Assessment forms
  - Sifting/shortlisting forms or any other selection orientated data stored
  - User profiles
  - Security roles