The European Union has identified concerns surrounding data security and has put a new regulation, the General Data Protection Regulation (GDPR), in place to protect its citizens. This legislation goes into effect as of May 25, 2018 and will be strictly enforced, setting the new standard for consumer rights regarding the protection of their data.
The GDPR regulates the processing, including collection, storage, transfer or use, of data for EU individuals. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU. It is important to note that the GDPR concept of “personal data” is very broad.
For companies subject to GDPR, the compliance requirements for processing data are significant, including:
- Gathering and using email addresses
- Documenting internal processes to stay GDPR compliant
- Conducting a Data Privacy Impact Assessment for new technologies
- Mandating certain types of businesses hire a Data Privacy Officer
- Creating privacy policies and compliant contract terms
- Reporting obligations when a data breach occurs
Personal data is any kind of information that can be used to identify a person, like a candidate’s name, email address, social networking posts, and even information as granular as their computer IP address.
The new regulation will affect any organization that stores and/or processes the personal information of EU citizens. There are three levels of GDPR classifications you should be aware of, which cover everything from data security to data control and governance.
| Data Subjects | Data Controllers | Data Processors |
|---|---|---|
| Ex: The candidates you recruit | Ex: Your organization | Ex: JazzHR |
How to Comply
- Determine the legal basis for collecting the information and be fully transparent with the types of data and what specifically will be done with that data.
- Only use the data for what you originally intended – you cannot recycle the information for marketing emails or sell to third parties.
- Be mindful of the amount of data you are collecting – only collect the personal information you need to complete the task at hand. For example, if someone is applying for a job, only collect the basics needed to accurately fill out the application.
- Keep your records up to date – outdated information on candidates can be considered a violation. While you have the data, ensure that it is secure at all times.
- Don’t keep the data for extended periods of time. This goes hand in hand with the statement above. While there is no designated expiration at this time, be wary about the data’s “shelf life”.
Building on our existing data-privacy and security infrastructure, we will support our customers in their GDPR compliance efforts with a combination of new features and in-app best practice guidance.
While JazzHR has few new requirements for GDPR, many of our existing feature sets can help customers meet their own requirements. For example, our bulk actions feature can perform mass deletion of candidate data, our custom questionnaires feature allows for easy collection of consent, our candidate export provides data subject records in CSV format, and workflow triggers enable the sending of additional information related to the data subject's rights immediately upon application.
JazzHR Features and Functionality to Support GDPR:
- Secure Career Pages: Customer career pages will default to HTTPS by May 22, 2018
- Bulk Deletion: Our Bulk Actions feature can be used to delete candidates whose records have been deemed no longer relevant.
- Application Disclaimer: Customers can set a default application disclaimer, which is applied to all of their job applications, informing candidates of how they handle their personal data and their data retention policies
- Customer Data Deletion: When customers cancel their JazzHR account, their data may be deleted from JazzHR’s systems in accordance with our Terms of Service. To request that your account be deleted, have your Account Owner email email@example.com
Reach out to firstname.lastname@example.org with questions or to learn more about using JazzHR’s compliance-related features.
Need to submit a DPA? Review JazzHR's Data Processing Amendment here.
NOTE: This article has been prepared for general information purposes only. The information presented is not legal advice and is not intended to be a substitute for professional legal advice.