A Workable approach to GDPR

Rob Long | Workable features |

GDPR stands for General Data Protection Regulation, and is a new set of rules governing individuals’ right to privacy. Approved by the European parliament in 2016, GDPR comes into full effect across all European member states on 25 May 2018.

By strengthening data protection legislation and introducing tougher enforcement measures, GDPR aims to give control of personal data back to the individual. In addition, GDPR aims to provide organisations with a simpler, clearer legal environment in which to operate, by making data protection law identical (subject to a few specific national “derogations”) throughout the EU.

This post is a brief outline of GDPR and Workable’s approach to the new legislation. Note, Workable’s Terms and Conditions, and Privacy policy have been updated to address the new GDPR regulations.

Please note: while Workable has consulted with legal professionals both in the creation of this post and updates to our own product features, Workable is not a law firm. All information in these FAQs is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements. Organisations should take independent legal advice regarding their own provisions for data protection.

Does GDPR apply to my organisation?

No matter where your organisation is based (even if you are outside the EU), if you are processing the personal data of citizens of the European Union, then GDPR applies to you.

Keep in mind that EU member states may also have additional laws, so ensure that your organisation takes the right legal advice to comply with all relevant national data protection laws.

What happens if my organisation doesn’t comply?

The risk of non-compliance is costly; up to 4% of your annual global turnover (revenue) or €20 million, whichever is greater. If no fine applies, organisations can still be punished via warnings, reprimands and corrective orders. While these reduce the immediate financial burden, the resulting reputational damage can be equally problematic.

GDPR entities as they relate to recruiting

For the purpose of recruiting, the GDPR defines three key entities, which can explained as follows:

Data subjects: in the recruiting process, ‘data subjects’ are all individuals involved in the process. This may include your applicants, candidates or passive candidates and will also include your own staff who are involved in the recruitment process (although much less data will be processed in relation to this latter group). These are individuals who can be identified through their personal data. The definition of ‘personal data’ is broad, covering everything from name, physical address, job title, IP address and bank account number, to economic, cultural, genetic or biometric information.

Data controllers: a data controller is the entity ‘which determines the purposes and means of the processing of personal data’. In recruiting terms, this is your organisation. It’s your organisation that decides on the information you require from candidates, and the way in which you will process that information. You remain the controller, whether you are collecting the data yourself, or requesting that others do that for you via a service like People Search, Workable’s candidate sourcing tool.

Data processors: these are companies that process personal data on behalf of the data controllers, at their instruction. If you are using Workable to source, track and manage applicants and candidates, then Workable is your data processor. You can have more than one processor, so if you’re storing candidate data elsewhere too, you’ll also need to check that those additional systems/entities are compliant with GDPR.

GDPR and data processing

1) As a ‘data processor’, what steps is Workable taking towards GDPR compliance?

Workable’s data processing activities are governed by a contract that complies with EU law. We are already compliant with existing data protection laws, and many of these remain the same under GDPR. Our current and ongoing commitment to GDPR is to:

  • process personal data only on documented instructions from the controller
  • implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
    – the encryption of personal data;
    – the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    – the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    – a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  • at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires us to retain of the personal data
  • make available to the controller all information necessary to demonstrate compliance with the obligations

Moving forward, to comply with the principle of ‘Privacy by Design’ we will undertake a Data Processing Impact Assessment (DPIA) for any new features. This will ensure that we remain compliant as a data processor.

The application process

2) How can my organisation use Workable for a GDPR compliant application process?

As a ‘data controller’ your organisation will need to take responsibility for their own compliance. Review the data that your organisation requires to make a screening decision prior to interview. In line with the principle of ‘data minimisation’, ensure that as a company you are requesting only what is ‘adequate, relevant and limited to what is necessary’, and that you have a full understanding of exactly why that data is required.

Workable offers customisable application forms, which request only the essential information required for recruiting purposes. This can be used as a starting point.

Use Workable to customize your job application form
Create a custom application form using Workable

Decide how long you need to keep candidate data on file. Document these decisions and communicate them to your hiring teams.

When these decisions have been made, we suggest including a short paragraph at the end of every job description created via Workable. This should be written in clear language, and:

  • Provide the name and contact details of your organisation
  • Be clear that any data requested will be used for recruitment purposes only (should you intend to use candidate data for other purposes, you will need to inform the candidates of the details).
  • Provide a link to your privacy notice for recruitment, outlining the requirements set out in GDPR Article 13.

Ideally, your linked privacy notice will be related to recruitment only, instead of a more general company privacy policy. This will further increase transparency, enabling the candidate to quickly see relevant information which could be missed in a longer, more general policy.

3) Do we need to ask for explicit consent from applicants?

You are considered to be complying with GDPR if your organisation is hiring and you are collecting data ‘for specified, explicit and legitimate purposes’. This means that as long as your organisation has been transparent, and has informed the candidate of the intended use of the information they are supplying, you do not need to request explicit consent to process their data.

The only caveat to this is if you are requesting sensitive information, for example, information about a disability, cultural, genetic or biometric information, information gathered for the EEO survey or a background check. In most cases you must request and record explicit consent to process this information. If a criminal background check is required by law (eg, for working at a nuclear power facility), no consent is required.

If a candidate contacts you at any stage to delete their data from your files you should carefully verify whether you must comply. You must also inform candidates if you wish to use their data for anything other than the initial purpose outlined.

4) How do we handle applications that don’t come into Workable via the application form?

Workable has the option to enable speculative applications
Workable has the option to enable speculative applications

If a candidate is referred, sends in a speculative resume, hands you a resume at a careers fair or applies via any route in which they haven’t had access to the details of how you will process their data, then you must inform them.

We suggest creating an email template which confirms receipt of their application, outlines how you will use the data and links to your privacy notice for recruitment.

Candidate sourcing

5) Is it still legal to source candidates and store their information?

‘Passive candidates’ are people who are being considered for a position but have not actively applied. Sourcing passive candidates (or ‘head-hunting’) is critical to many organisations, whether it’s for hard-to-fill roles, or more senior positions.

After adding passive candidates to the pipeline for a job, or to your Talent Pool, GDPR regulations state that you must email these candidates ‘within a reasonable period after obtaining the personal data, but at the latest within one month’ to notify them that you are processing their information, and to provide them with details of the processing. Article 14 of GDPR explains in detail the information that your organisation should provide to these individuals.

We suggest that after creating and documenting your process for data protection within your organisation, you use Workable to create an email template that can be used to contact passive candidates with a consistent approach.

This should:

  • Provide the name and contact details of your organisation
  • Explain where you sourced their data
  • Provide a link to your privacy notice for recruitment, outlining the requirements set out in GDPR Article 14

Ideally, your privacy notice will be related to recruitment only, instead of a more general company privacy policy. This will further increase transparency, enabling the candidate to quickly see relevant information which could be missed in a longer, more general policy.

The privacy notice should include details of:

  • How long your organisation intends to store the candidate data. If it’s not possible to provide an exact length of time, then explain the criteria used to determine that period
  • How candidates can withdraw their consent to the processing of their personal data
  • How candidates can request corrections or access to their data, or ask for it to be deleted from your system
  • Who candidates should contact should they want to lodge a complaint regarding the processing of their personal data

If you are an external recruiter or agency you should take legal advice to ensure that your processing is compliant with GDPR, and whether there are any other steps that you need to take to ensure that you have the right to pass candidate details to your clients.

If a candidate requests it, their information should be deleted from your system.

6) Can I use People Search and still remain compliant with GDPR?

As a ‘data controller’ you must take steps to ensure that your organisation is using People Search in line with the GDPR. After adding candidates to your hiring pipeline, contact candidates ‘within a reasonable period after obtaining the personal data, but at the latest within one month.’ Follow the steps outlined question 5 above.

7) Do we need to ask for consent to use data sourced via People Search?

As with any other passive candidate sourcing tool, GDPR regulations state that you must email candidates ‘within a reasonable period after obtaining the personal data, but at the latest within one month’ to notify candidates that they are under consideration for current or future positions. Article 14 of GDPR explains in detail the information that your organisation should provide to any passive candidates, whether they are sourced via People Search or by other means. See question 5 above for further details.

Accessing social media profiles

8) As a ‘data controller’ are we legally allowed to view and store the social media profiles that People Search displays inside Workable?

As a ‘data processor’ Workable searches publicly available profiles and opt-in databases for information about candidates and prospects. By clicking the links provided, Workable users (‘data controllers’) can view only the information that candidates and prospects have chosen to make publicly available.

On June 29 2017, the EU’s Article 29 Working Party (the collection of data protection authorities) released guidance on the privacy of employees and candidates. This specifies that employers may process social media profile information if there is legitimate interest. Quoting from Section 5.1:

“In this context the employer should—prior to the inspection of a social media profile—take into account whether the social media profile of the applicant is related to business or private purposes, as this can be an important indication for the legal admissibility of the data inspection. In addition, employers are only allowed to collect and process personal data relating to job applicants to the extent that the collection of those data is necessary and relevant to the performance of the job which is being applied for”

Therefore, any potential employer using People Search whether directly or via the automatic social media profile retrieval must be able to justify its use on the basis that this is ‘necessary and relevant’ for the job for which the candidate is being evaluated.

Note that the option to turn off automatic social media retrieval on the candidate profile is available via the account settings.

Data processing, storage and deletion

9) Is it still legal to use spreadsheets to store candidate data?

Using spreadsheets increases the risk of non-compliance with GDPR. In short, spreadsheets provide a poor audit trail, access controls and versioning. One of the key benefits of spreadsheets is also one of their key flaws, in that they can easily be duplicated and modified by anyone in your hiring team.

Switching to GDPR compliant recruiting software provides:

  • A clear understanding of who has access to candidate data
  • A single point of data entry and modification
  • A secure way to delete or correct candidate data on request
  • Trackable, visible candidate consent
  • Automated tracking of when personal information was obtained and under what conditions

10) Where does Workable store candidate data?

Data uploaded to Workable is stored in the USA.

11) I’m based in the EU. Under the rules of GDPR, do I need to host my recruiting data in the EU?

No, there is no need to host your recruiting data in the EU to remain compliant with GDPR. In addition, you should note that hosting your data within the EU does not ensure automatic compliance. Using a GDPR compliant vendor will help ensure that you comply with the GDPR.

As a data processor, Workable already complies with existing data protection laws and must also comply with the GDPR by the implementation date. Data uploaded to Workable is stored in the USA. In order to transfer data safely in and out of the EU Workable has the following legal safeguards in place:

  • Workable uses only compliant storage providers
  • Workable has Data Processing agreements in place, incorporating EU Model Clauses with our subcontractors, AWS and Salesforce/Heroku
  • Our subcontractors are participating in the EU-US Privacy Shield

12) The ‘right to be forgotten’ entitles candidates to request that their data be deleted. How can I do this with Workable?

As the data controller, the responsibility of deleting candidate data rests with your organisation. Deleting candidate data is a simple process within Workable. This is possible on a ‘per candidate’ basis, or collectively per job.

13) How long does Workable store candidate data, and is it automatically deleted?

According to current legislation, data must be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’. As the ‘data controller’, your company must decide how long you deem candidate data ‘necessary’ for your purposes. Your decision should be documented and the information shared with relevant employees involved in the hiring process. Candidate data that is no longer necessary should be deleted by an admin for your account. This is possible on a ‘per candidate’ basis, or collectively per job.

14) Our organisation wants to delete candidate data as soon as a job is filled. Is that possible?

Every organisation will have different requirements of their candidate data, so deleting candidate data is the responsibility of the organisation as the ‘data controller’.
Deleting all candidate data gathered for a specific job as soon as a role has been filled is a fast, easy, manual process, performed by admins for your account. Edit the job, and click the arrow next to the ‘Archive’ button. This will reveal the ‘Delete’ button. Click this to delete the job, and all record of the candidates that were sourced, applied, progressed and disqualified.

15) Can I still store the details of rejected candidates?

Sometimes you hit the jackpot and come across more than one great applicant for a role. If you only have one open position, it makes sense to keep the other candidates on file so that you can consider them for roles in the future.
To remain compliant, inform the candidate that you wish to keep their data on file when you send the rejection notice. Explain how long you will keep their details and reshare the link to your privacy notice for recruitment, so that candidates are fully aware of whom they should contact to update or delete their information in the future.

16) What should I do about the existing candidates in my database or talent pool?

GDPR comes into full effect across all European member states on 25 May 2018. Between now and then, review your candidate database:

  • Candidates and prospects who are no longer relevant should be deleted.
    This is possible on a ‘per candidate’ basis, or collectively per job.
  • Candidates who are viable for current or future roles should be contacted.

If candidates have previously applied:
Contact them to remind them that they previously applied for a role with your organisation. Explain that you are interested in keeping them on file for a current or future position. The email should address points in listed in Article 13, and link to your privacy notice for recruitment.

If candidates were previously sourced:
Contact them to explain that you have their details on file as they were under consideration for a previous role. Explain that you would like to keep their details on file for a current or future position. This email should reference points listed in Article 14 and link to your privacy notice for recruitment. (See question 5 above for further details).

In both cases, mention ‘the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.

Bulk email options and templates will reduce the time and effort of this process.

17) How do we handle requests from candidates or prospects who wish to see the data that our organisation holds about them in Workable?

Part of the expanded rights of ‘data subjects’ outlined by the GDPR is the option for your candidates or prospects to request and obtain their personal data in an electronic format.

This is easy to action via Workable. The ‘Candidate Report’ is customisable, based on jobs / departments and date range. Using the filter menu at the top left, check ‘select all’ to reveal all the details held on candidates within your specific parameters.

18) As data controllers, we have to let candidates and prospects know if their data has been breached. How will we know?

In the unlikely event of a data breach, Workable will notify with priority all admins of affected accounts by email within 72 hours of Workable becoming aware of the breach. As the data controller it is your organisation’s responsibility to decide whether or not you should notify the applicable supervisory authority and/or the individuals in your database.

Get more details on GDPR for recruiters

For further details on how the new GDPR regulations will effect recruiters, see our Recruiter’s guide to GDPR compliance. Ready to start taking your next steps? The GDPR checklist: Requirements for recruiters and HR will help you to get started, or the GDPR Readiness Evaluator will help you measure how far you have to go.

Further questions? Watch the video of our Live Stream event, What you need to know about GDPR.

And finally, if you’re not using Workable yet, but would like to find out how recruiting software can help move you towards GDPR compliance, get in touch for a personalized demo.

Looking for an all-in-one recruiting solution? Workable can improve candidate sourcing, interviewing and applicant tracking for a streamlined hiring process. Sign up for our 15-day free trial today.

Get a free trial

Rob Long

Rob Long is VP Partnerships at Workable. He's a former recruiter who writes mostly about hiring best practice. He tweets at @_roblong.

Get jargon-free hiring advice

Latest in this category

Grow stronger engineering teams with HackerRank and Workable

To find and hire in-demand developers with the right skill set for your team, evaluation n...

Introducing Workable 2.0 – and the future of hiring

The next time you log in to Workable, if you haven’t already, you’ll notice the enti...

Five big reasons to put employee referrals back on the radar

The benefits of employee referral programs are well-known. They’re one of the best ways of...