GDPR: Is Your Recruiting Ready?

Author: Randal Truong

As 2018 approaches, almost every company is asking: does the General Data Protection Regulation (GDPR) apply to me, and if so, how do I make sure I'm ready for it? GDPR is the most sweeping data privacy legislation in the European Union since the 1995 Data Protection Directive, and compliance is a must for any company that processes the personal data of people in the EU, whether or not it has an office there. In your preparation for GDPR compliance, it's critical to work with vendors like Lever who understand and will support your compliance needs.

The basics

What is GDPR?

GDPR, consisting of 99 Articles and 173 Recitals, is Europe's new framework for data protection law. It gives individuals in the EU more control over how organizations collect, process, store, and share their personal data, online or offline, and it requires organizations to take concrete steps to adequately protect the personal data they hold.

When does GDPR go into effect?

GDPR is already law, but due to the extensive new compliance requirements, organizations were given two years to become compliant. GDPR will start being enforced on May 25, 2018.

How do I know if the changes affect me?

GDPR requires compliance from any organization that collects personal data from someone in the EU, regardless of where that organization is established. As a recruiting organization, that means you need to be compliant if you are hiring, and therefore collecting the data of, candidates in the EU.

What happens if I ignore GDPR?

The penalties for non-compliance are high. Companies can be fined up to €20 million or 4 percent of their total worldwide annual turnover, whichever is higher, for non-compliance with key provisions of GDPR (Article 83). Compared to the prior law, GDPR also gives EU data protection authorities broader investigative and corrective powers.


GDPR affects three main groups who are either protected by the Regulation or obligated to comply with it: data subjects, data controllers, and data processors. It’s important to understand each group in order to understand GDPR as it relates to recruiting.

Data Subject → The candidate.

As the person giving their personal information, the candidate is the data subject.

Data Controller → You, the company who is doing the recruiting.

As the company doing the recruiting, you are the data controller because you decide the purposes for which you need to collect data and how to collect it.

Data Processor → Lever, the applicant tracking system, and all other software vendors you use in your hiring processes.

Lever processes data on behalf of its customers, making us a data processor.


Essentially anything you do with personal data is a form of processing. It’s a broad term that includes but is not limited to collecting, recording, organizing, structuring, storing, adapting, retrieving, transmitting, disseminating, restricting, erasing, or destroying personal data.

Data controllers: Some concepts to keep in mind for GDPR compliance

As you probably have already determined, there is no silver bullet for GDPR compliance since the steps each company needs to take for compliance will vary depending on the EU personal data it processes. Furthermore, the text of GDPR establishes data privacy principles, but does not spell out every detail about how these principles should be achieved. Thus, decisions regarding how your organization achieves compliance are best made by consulting legal experts that understand how your business operates.

However, there are some key concepts you may want to keep in mind as a data controller while you prepare for GDPR.


  1. Establishes data privacy principles.

    The principles concern how to process personal data in a compliant way. Under Article 5, personal data must be (a) processed lawfully, fairly and transparently, (b) collected for specified, explicit and legitimate purposes, (c) adequate, relevant and limited to what is necessary for those purposes, (d) accurate and kept up to date, (e) kept in a form that identifies the candidate for no longer than necessary, and (f) processed in a manner that ensures appropriate security, including protection against unauthorized access and accidental loss. The controller is also responsible for being able to demonstrate compliance with these principles (accountability). In light of them, companies may want to consider how they collect candidate data, what they use it for, how long they store it, and who inside and outside the company can access it.

  2. Creates new requirements for how to process personal data legally.

    In order for companies to process a candidate's personal data lawfully, one of the six conditions listed in Article 6 of GDPR must apply. The most relevant conditions for recruiting are that the data subject (the candidate) has given specific consent, or that the processing is necessary for the purposes of the legitimate interests pursued by the data controller, e.g. evaluating candidates for the purpose of hiring. Keep in mind that consent must be freely given, specific, informed, and as easy to withdraw as it was to give (Article 7), and once withdrawn it no longer justifies further processing; it is therefore worth deciding, for each purpose (evaluating an application, keeping a candidate on file for future roles, sending recruitment marketing), which basis you rely on and recording that decision.

  3. Increases data subjects’ rights.

    Under GDPR, candidates have more control over their personal data, including the right of access (knowing whether their personal data is being processed, and how, Article 15), the right to rectification (if their personal information is incorrect, candidates have the right to have it corrected without "undue delay", Article 16), the right to erasure (the right to request the deletion of their personal data, Article 17), and the right to object to their data being used for specific purposes, like a recruitment marketing newsletter (Article 21). Companies will need to be prepared to respond to and honor such requests without undue delay and, in any case, within one month of receipt, extendable by a further two months only for complex or numerous requests (Article 12). In practice this means being able to find every copy of a candidate's data, including copies held by your processors, and to verify that the requester really is that candidate before releasing anything.

  4. Regulates the safe transfer of data to countries outside of the EU.

    Personal data may be transferred freely outside the European Economic Area (EEA) only to countries the European Commission has deemed to ensure an "adequate" level of data protection. For countries without an adequacy decision (the U.S. among them), Chapter V of GDPR sets out appropriate safeguards under which data can still be transferred legally, such as standard contractual clauses or binding corporate rules. If your ATS or other vendors host candidate data outside the EEA, the transfer mechanism they rely on should be identified in your data processing agreement with them.

  5. Requires reporting of data breaches.

    Controllers will be required to notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). Where a breach is likely to result in a high risk to those individuals, controllers must also notify the affected data subjects "without undue delay" (Article 34). Processors, including your ATS, must notify the controller without undue delay after becoming aware of a breach affecting its data, so the 72-hour clock in practice depends on how quickly your vendors report to you; check that your processing agreements set a concrete notification deadline.

  6. Allows Member States to make more specific rules in relation to recruitment and the processing of employees’ personal data.

    Controllers will want to be mindful of Article 88, and be sure to track any additional rules enacted by Member States in this area.

  7. Requires a Data Protection Officer (DPO) in certain instances.

    GDPR requires the appointment of a DPO where an organization's core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data, such as health data or racial or ethnic origin (Articles 37 and 9). Diversity or disability information collected during recruiting falls into those special categories, so it deserves particular care. The data protection officer may be an employee or a contractor as long as they can fulfill the tasks detailed in Article 39, such as monitoring the company's compliance with GDPR and acting as the contact point for the supervisory authority.

  8. Requires maintaining records.

    Finally, a critical measure of GDPR is that data controllers are required to maintain records of their processing activities (Article 30), covering the purposes for which candidate data is processed, the categories of data subjects and personal data, the recipients it is shared with, any transfers outside the EEA, the envisaged time limits for erasure, and a general description of the security measures in place. Controllers must be able to make these records available to the supervisory authority on request. Separately, a candidate you sourced rather than one who applied has the right to be told where you obtained their data (Article 14), so you need to track the source of each profile. This makes recruiting in spreadsheets and across multiple disconnected tools a risk for GDPR compliance. Using an ATS like Lever that stores every piece of data and every interaction your company has with a candidate in one place supports your ability to provide records and demonstrate compliance.


If you’re a company that recruits and hires EU residents, you need to be aware of the requirements for processing their personal data. This may impact the way you recruit, like how you notify applicants and sourced candidates about the personal data you’re collecting from them and how you store their personal data. For full context, there’s no better resource than the text of GDPR.

As a premium applicant tracking system with global customers, Lever treats data security and compliance as a top priority. Our existing best practices around information security and privacy, including our SOC 2 Type II attestation, provide a strong foundation for compliance under GDPR going forward. Lever is actively preparing for GDPR compliance and is committed to working with our customers in their compliance efforts.