The new General Data Protection Regulation (GDPR) will change the way we advertise jobs and recruitment in general. Get ahead in your recruitment efforts with some more information.
Article updated in May 2018.
The General Data Protection Regulation is changing the way companies recruit – this is generally good, but it will increase the complexity of online recruitment for some companies.
In this article, we will focus on what you need to ask in your job postings and what data you must collect from potential candidates in the future when the new Personal Data Regulation enters into force at the end of this week, on May 25, 2018.
You will find answers to the following questions regarding online recruitment:
- What kind of data will be allowed in recruitment?
- What are you allowed to ask your candidates according to GDPR?
- What should you be able to document for data protection?
- How do you avoid unwanted information?
WHAT DOES THE NEW GENERAL DATA PROTECTION REGULATION ALLOW?
In reality, there is not a big difference in the kind of data you are allowed to collect before and after the General Data Protection Regulation. The key difference is in your documentation and in the processing of data.
You can therefore expect some extra work in the processes before and after the collection of data. For example, you must be able to justify why you collect certain kinds of data in connection with recruitment.
As a recruitment officer, you therefore need to cast a critical eye over the data you collect about your candidates.
A CRITICAL EYE FOR YOUR VACANCIES
Not all the knowledge and data you collect is relevant to evaluate the best candidate for a specific job vacancy.
With the new Personal Data Regulation you need to look at the application form(s) you use and answer the following questions:
- Are all questions relevant to find the right candidate?
- Do you collect sensitive information?
- Have you documented your assessment and positioning of the above?
When the General Data Protection Regulation comes into force on Friday, it is important that you have considered these questions and built the answers into your recruitment routine, so that your online recruitment process meets the requirements of the GDPR.
Try the risk assessment tool provided by HR-ON.
IMPORTANT KNOWLEDGE OR INDIFFERENT INFORMATION?
To start with the first question, it is important that you do not have unnecessary questions on your application form.
Is it still relevant to know your applicant’s place of residence, or is it superfluous information that can be replaced by the candidate’s zip code, which tells you whether they live nearby? Most people already communicate by phone or e-mail, so you probably do not need to send any of your candidates a letter by post.
Place of residence is therefore, in most cases, an example of unnecessary information to request from your applicants.
When the General Data Protection Regulation comes into force on May 25th, it is important that you can justify the information and data you gather from candidates. The Data Protection Agency will be critical of both redundant and useless data collection from candidates, which puts you at risk – especially if there is sensitive information among the data.
Which leads us to the next important point.
WHAT KINDS OF DATA DOES THE GDPR ALLOW YOU TO COLLECT AND STORE?
The European Regulation distinguishes between two kinds of personal data: general information and sensitive information.
The level of data security and documentation required depends on the type of data you want to collect – especially the measures you must have in place in case of data breaches and leaks.
Examples of the two different kinds of personal data can be seen in the table:
| General information | Sensitive information |
|---|---|
If you only collect general information, it makes sense to obtain a so-called ISO 27001 certification.
You can read about ISO 27001 certification here.
As a general rule, you should only collect general information, as sensitive information carries much higher information security requirements.
GDPR REQUIRES DOCUMENTATION
One of the most important points in the new General Data Protection Regulation, in relation to your recruitment and job postings, is documentation.
In order to be GDPR-compliant with your questions in the job posting, it is important that you not only have a critical look at the data and questions you ask your applicants – you must also prove that you have been critical of them.
In practice, this means that you will need a handbook or documented guidelines for the questions in your vacancies, which you can refer to if the Data Protection Agency comes knocking at the door.
For many recruitment officers, it will therefore make sense to use standardized questions in job vacancies, so that the data collection does not have to be documented and justified separately for every job listing and post.
HOW DO I AVOID SENSITIVE INFORMATION?
Now you know what you are allowed to ask your candidates and how to document your recruitment process.
But your applicants can still send you sensitive information by e-mail or through your recruitment system – and that can actually become a problem for you. According to the General Data Protection Regulation, you are still obliged to take measures to ensure that you do not receive sensitive information from people.
In the vast majority of cases, it will probably be enough to point out that you do not want to receive your applicants’ social security number, health history, information about political or religious beliefs, or other sensitive information.
In other cases it is hard to avoid; for example, exam papers almost always have the social security number printed on them.
But since HR-ON’s declared purpose is to make recruitment easier, we have implemented technical solutions that can automatically sort out much of the sensitive information.
Read about the future of e-recruitment here and get a demo before the GDPR comes into force on May 25, 2018.
May is approaching, and the worries related to the GDPR (General Data Protection Regulation) are increasing as well. The date is fixed and the purpose is clear: this regulation will protect our personal data as no other law has before.
So far, we know that the GDPR will touch every aspect of our lives, from the private to the professional. For example, the data that we include in our CV will be protected by cloud-based systems, where companies will be able to store every CV and cover letter received without storing personal data on their own computers.
But what about the huge amount of data that we use when we are browsing our favorite social media? What about Facebook?
Facebook vs GDPR
Well, the Menlo Park company did not want to be left behind, and in order to be fully GDPR-compliant it will let users manage their own data to protect their privacy. In the privacy section of your own profile, you can already read about their efforts to do so:
“The information you share on Facebook remains your property. This means that you decide what to share and with whom you share it on Facebook and you can even change your mind. That’s why we provide you with the tools to eliminate anything you have published. We remove deleted content from your diary and our servers. In addition, you can also delete your account at any time.”
Users will finally be able to check who can see their content and the reactions to their posts. They will be able to manage their tags on posts and much more, in an easier and clearer way.
Moreover, the social network will make its privacy principles public, in a surprising move towards transparency. Pushed by the coming into force of the GDPR, Facebook will let users know how their data will be used. This will be possible thanks to a new control centre, but it might alter the way Facebook users navigate the platform.
Less time on the newsfeed
In fact, Zuckerberg affirmed that this new strategy will probably decrease the amount of time spent on the platform. But this will probably be the best decision for its brand: more transparency, more trust gained from the users’ perspective, and full compliance with the new European rule that is changing the whole world.
It is already possible to read Facebook’s privacy principles in this blog post.
And you? Which changes are you making for your company?
Bon appétit. The French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), has issued a $57 million fine to Google for breaching the European General Data Protection Regulation (GDPR).
The fine arises from complaints from the groups None of Your Business (NOYB) and La Quadrature du Net, backed by 10,000 French citizens. The groups filed the complaints against Google for not having consent to use users’ personal data, particularly for targeted ads.
The complaints were filed on the 25th and 28th of May respectively, simultaneously with the GDPR coming into force. The fine is based on two breaches of the GDPR: firstly the lack of transparency and information towards users, and secondly that users did not have sufficient access to see how Google used their data in connection with advertising.
In addition, CNIL decided that Google does not have the legal basis for targeting user-based advertising, which is a cornerstone of Google’s entire business foundation.
According to the CNIL, the large fine and its publication are justified by the severity of the infringements of three basic principles of the GDPR: transparency, information and consent. The CNIL also emphasizes that the infringements are ongoing and extensive, not isolated incidents.
Google has since responded to the $57 million fine by challenging the penalty, arguing that its process is “as transparent and straightforward as possible.”
Only time will tell how Google and, inevitably, other big players will respond to allegations of data breaches, and who will win out in the end.
Santa Claus has gotten into big trouble, and it isn’t because of a red-nosed reindeer…
In fact, Santa has found himself in big trouble with the GDPR police. A spokesman for the EU states that it was the lines “He’s making a list / He’s checking it twice; / He’s gonna find out who’s naughty or nice / Santa Claus is coming to town” that drew attention to Santa’s seemingly illegal practices related to personal data.
Articles 8, 9 and 10 of the GDPR appear to have been violated. For example, there is a lot of ambiguity as to whether Santa Claus has obtained explicit consent from the parents of the users, who are often children under the age of 16.
Santa Claus is now awaiting the EU’s next step and stresses that children all over the continent are in danger of not getting Christmas gifts this year! In the EU, the situation is taken seriously, and the panel is therefore working to incorporate a special Santa Claus clause into the Personal Data Regulation, a so-called “Santa Clause”, which will allow Santa Claus to continue his business on the European continent without breaking the GDPR.
At the same time, the case has generated a lot of discussion among Santa’s elves, and in order to avoid problems in the future, the chief elf has decided that they will use HR-ON’s recruitment system to handle incoming Christmas gift applications and the applicants’ data.
Don’t worry boys and girls, we welcome Santa Claus here at HR-ON and know just how to help him be GDPR compliant in the future!
Let the GDPR penalties begin
In many places in Europe, penalties and large fines are already being imposed for breaches of personal data laws.
There is hardly any way of avoiding the fact that on 25 May this year, the EU introduced the long-awaited General Data Protection Regulation (GDPR). Needless to say, not all companies have lived up to the strict rules, so the authorities have started to clean up the sinners.
Computerworld writes that the German Data Protection Authority has imposed the first fine under the new rules. The big German dating site Knuddels.de has to pay 20,000 euros after the company was hit by a hacker attack.
The attack allowed the hackers, among other things, to steal 330,000 users’ passwords and email addresses. Although Knuddels.de was itself the victim of a crime, the digital burglars revealed that the passwords were stored as unencrypted plain text.
According to Computerworld, the German Data Protection Authority states that Knuddels.de has been cooperative in getting its data security in order, and that the fine could have been much higher.
Personal messages to psychologists
In Denmark, the Danish Data Protection Agency has, according to DR, just reported the therapy portal GoMentor.
It was the user Ann Pettersson who originally approached the Data Protection Agency. She had contacted a psychologist at GoMentor for help with stress. Then, without a password, she was given access to read four other clients’ confidential communication with their practitioners.
– These were psychological problems of a sexual nature. There were psychological problems in relation to abuse, alcohol, drugs, childhood problems. Really difficult personal stories, says Ann Pettersson to DR.
She apparently gained access to the correspondence because, under certain circumstances, different types of users could be mixed together.
GoMentor’s director, Troels Sletved, did not want to be interviewed about the case, but confirms in writing to DR that there has been a breach of personal data security.
He writes that they are very sorry that the breach happened, that they take their data responsibilities very seriously, and that they are in the process of ensuring that personal data is processed properly and confidentially.
GoMentor has initiated a major investigation with external consultants to solve the problems.
Uber paid hackers and didn’t tell anyone about it
Although the British are on their way out with Brexit, the GDPR continues to apply to them. The British data protection authority, the ICO, has fined the ride-hailing service Uber £385,000, equivalent to €440,080, for not having adequately protected users’ data before a hacker attack. The hackers were therefore able to download data on 2.7 million UK customers, including their full names, email addresses and telephone numbers.
When Uber became aware of the attack, the company chose to pay the hackers $100,000 to destroy the stolen data rather than informing its customers about the big leak.
The hacker attack took place before the GDPR came into force, and Uber did not have any formal disclosure obligation at that time. However, the ICO does not conceal that the cover-up, along with the payment to the criminals, influenced its decision.
In the Netherlands, Uber has also just received a fine.
Hospital used false profiles
In Portugal too, the authorities have begun to crack down on GDPR breaches. In July, a hospital received a fine of €400,000 for not having control over its personal data security.
Hospital staff had access to patient data through false profiles, and doctors had unlimited access to patient information beyond what was relevant to their specialty. The hospital defends itself by saying that it was only using the healthcare platform provided by the Portuguese Ministry of Health.