The GDPR adds a Twist to Staffing and Hiring

June 4, 2018

On May 25, 2018, a new privacy law called the General Data Protection Regulation (GDPR) took effect in the European Union (EU). GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU citizens’ personal data. As we all know, there are legal requirements to store information regarding individuals who apply for jobs, but the GDPR states an individual has the right to be “forgotten.” This policy creates a conflict, especially for U.S.-based organizations.

In accordance with the dictates of what is personal data, the following identifying factors are labeled as personal data: physical, physiological, genetic, mental, economic, cultural or social identity of a naturalized (EU) citizen. For staffing and hiring, this will include, but is not limited to, background screening checks, copies of driver’s licenses and passports, credit scores and I-9s.

During our last SmartTalks presentation on April 26, I provided an overview of the GDPR and the impact it will have on clients who store data on European (EU) candidates. We’ve been preparing for months in anticipation of this regulation and developing new reports and adding new features to SmartSearch which will automate the necessary tasks to meet the GDPR’s data management requirements and maintain compliance.

The new tools and features are:

  • Four new reports that have been added to the report templates library of the Report Writer. Included are: candidate and contact summary reports which provide a cross-tab summary of how many candidates or contacts exist in each country, where the person has, either, an EU address or is flagged as an EU citizen, and if their consent has expired or is not on file. Also, more detailed reports are available that list email, phone, and country of each individual and show if the person has, either, an EU address or is flagged as an EU citizen and if their consent has expired or is not on file.
  • A new GDPR section has been added to candidate and contact profiles which allows you to quickly see whether or not consent has been received, and where the people are located broken down by geography based on their IP address when they click to grant consent.
  • A new link has been provided to quickly request consent. This will automatically direct individuals to the appropriate web portal to grant consent.
  • A new Trust and Document Center has been created to make it easy for clients, who store EU citizen information in the database, to access compliance-related documents, as well as download and sign our Data Processing Addendum (DPA).  Clients may also sign up to receive notifications when SmartSearch adds new sub-processors into our partner list.
  • All career centers have been updated with a page to request consent when someone uploads a resume, along with logging the consent. In addition to creating a note and updating the consent date on the profiles, we also log it in our click-thru logs.
  • Additional Mail Merge codes have been added to allow candidates and contacts to quickly access and update their personal information, as well as add mail-merge codes to the consent forms when SmartSearch users send out broadcast emails requesting consent. These new mail merge codes allow clients and candidates to quickly and easily access and update their profile information.

SmartSearch users have access to all information in the Release Notes of the GDPR updates posted in the Help area.

The penalties for non-compliance are stiff, so we highly recommend all SmartSearch clients comply with the statutes as prescribed by the regulations set forth by the European Union. The overseers will be looking at compliance for all opt-ins and opt-outs, which means that anyone designated as an EU citizen (currently living in an EU country or who is an EU citizen residing outside an EU country) must be sent a request to stay in the database or to be scrubbed out. Non-confirmation of either choice will constitute non-compliance by the organization seeking a reply.

SmartSearch is dedicated to providing tools and services to help our clients stay in compliance. SmartSearch is certified with PrivacyShield.Gov and is compliant with all data processing requirements of the GDPR.