GDPR: Is Your Recruiting Ready?

Author: Randal Truong

As 2018 approaches, almost every company is wondering: does the General Data Protection Regulation (“GDPR”) apply to me, and if so, how do I make sure I’m ready for it? GDPR represents the most sweeping data privacy legislation in the European Union since 1995, and compliance is a must for any company that does business in the EU. In your preparation for GDPR compliance, it’s critical to work with vendors like Lever who understand and will support your compliance needs.

The basics

What is GDPR?

GDPR, consisting of 99 Articles and 173 Recitals, is Europe’s new framework for data protection laws. It basically gives EU residents more control over how organizations collect, process, store, and share their personal data online. It requires organizations to undertake certain steps to ensure they are adequately protecting the personal data collected.

When does GDPR go into effect?

GDPR is already law, but due to the extensive new compliance requirements, organizations were given two years to become compliant. GDPR will start being enforced on May 25, 2018.

How do I know if the changes affect me?

GDPR requires compliance from any organization that collects personal data from someone in the EU. As a recruiting organization, that means you need to be compliant if you’re hiring, and therefore collecting the data of EU residents.

What happens if I ignore GDPR?

The penalties for non-compliance are high. Companies can be fined up to €20 million or 4 percent of their global revenue for non-compliance with key provisions of GDPR. Compared to the prior law, GDPR gives EU data protection authorities more investigative powers as well.

Definitions

GDPR affects three main groups who are either protected by the Regulation or obligated to comply with it: data subjects, data controllers, and data processors. It’s important to understand each group in order to understand GDPR as it relates to recruiting.

Data Subject → The candidate.

As the person giving their personal information, the candidate is the data subject.

Data Controller → You, the company who is doing the recruiting.

As the company doing the recruiting, you are the data controller because you decide the purposes for which you need to collect data and how to collect it.

Data Processor → Lever, the applicant tracking system, and all other software vendors you use in your hiring processes.

Lever processes data on behalf of its customers, making us a data processor.

Processing.

Essentially anything you do with personal data is a form of processing. It’s a broad term that includes but is not limited to collecting, recording, organizing, structuring, storing, adapting, retrieving, transmitting, disseminating, restricting, erasing, or destroying personal data.

Data controllers: Some concepts to keep in mind for GDPR compliance

As you probably have already determined, there is no silver bullet for GDPR compliance since the steps each company needs to take for compliance will vary depending on the EU personal data it processes. Furthermore, the text of GDPR establishes data privacy principles, but does not spell out every detail about how these principles should be achieved. Thus, decisions regarding how your organization achieves compliance are best made by consulting legal experts that understand how your business operates.

However, there are some key concepts you may want to keep in mind as a data controller while you prepare for GDPR.

GDPR:

  1. Establishes data privacy principles.

    The principles concern how to process personal data in a compliant way. Personal data must be (a) processed lawfully, (b) collected for specific and legitimate purposes, (c) limited to what is necessary, accurate and up-to-date, (d) kept for no longer than necessary, and (e) processed in a manner that ensures appropriate security of personal data. In light of these principles, companies may want to consider how they collect candidate data, what they use it for, and how long they store it.

  2. Creates new requirements for how to process personal data legally.

    In order for companies to process a candidate’s personal data lawfully, one of six conditions – listed in Article 6 of GDPR – must apply. The most relevant conditions for recruiting in a compliant manner are that the data subject (the candidate) has given specific consent, or that the processing is necessary for the purposes of the legitimate interests pursued by the data controller, e.g. evaluating candidates for the purpose of hiring.

  3. Increases data subjects’ rights.

    Under GDPR, candidates have more control over their personal data, like the right to access (knowing whether their personal data is being processed, and how), right to rectification (if their personal information is incorrect, candidates have the right to correction without “undue delay”), right to erasure (the right to request the deletion of their personal data), and the right to object to their data being used for specific purposes – like for a recruitment marketing newsletter. Companies will need to be prepared to respond to and honor data requests from candidates in a timely manner.

  4. Regulates the safe transfer of data to countries outside of the EU.

    Transfers of data outside of the European Economic Area (EEA) are typically not permitted if the European Commission deems that a country does not ensure an “adequate” level of data protection. GDPR outlines ways companies in countries outside of the EEA that do not have adequate levels of data protection (like the U.S.) can transfer data legally.

  5. Requires reporting of data breaches.

    Controllers will be required to report data breaches within 72 hours of determining that a data breach is likely to “result in a risk for the rights and freedoms of individuals.” They will also be required to notify their data subjects “without undue delay” after first becoming aware of a data breach.

  6. Allows Member States to make more specific rules in relation to recruitment and the processing of employees’ personal data.

    Controllers will want to be mindful of Article 88, and be sure to track any additional rules enacted by Member States in this area.

  7. Requires a Data Protection Officer (DPO) in certain instances.

    GDPR requires the appointment of a DPO in organizations whose core activities consist of large scale processing operations that require regular and systematic monitoring of data subjects or the processing of special categories of data. The data protection officer may be an employee or a contractor as long as they can fulfill the tasks detailed in Article 39, such as monitoring the company’s compliance with GDPR.

  8. Requires maintaining records.

    Finally, a critical measure of GDPR is that data controllers are required to maintain records of the processing activities relevant to each candidate, such as purposes for having a candidate’s data, logs of how you found them, and envisioned parameters for erasure. Controllers must be able to provide this data upon request. This makes recruiting in spreadsheets and multiple tools a risk for GDPR compliance. Using an ATS like Lever that stores every piece of data and every interaction your company has with a candidate in one place supports your ability to provide records and prove compliance.

Conclusion

If you’re a company that recruits and hires EU residents, you need to be aware of the requirements for processing their personal data. This may impact the way you recruit, like how you notify applicants and sourced candidates about the personal data you’re collecting from them and how you store their personal data. For full context, there’s no better resource than the text of GDPR.

As a premium applicant tracking system with global customers, Lever treats data security and compliance as a top priority. Our existing best practices around information security and privacy, including our SOC 2 Type 2 compliance, provide a strong foundation for compliance under GDPR going forward. Lever is actively preparing for GDPR compliance, and is committed to working with our customers in their compliance efforts.

Full text from:

https://www.lever.co/blog/t-minus-157-days-until-gdpr-is-your-recruiting-ready
