How is HireHive helping customers become GDPR ready?
GDPR is coming into effect on May 25th 2018 and it affects every company doing business in the EU. This means that if you collect personal data from candidates who reside in the EU, the GDPR applies to you. HireHive is committed to helping our customers become and remain compliant with European data protection regulations.
With regards to GDPR there are some terms that are important to know:
- Data Subjects: Candidates and employees residing in the EU who complete your job application.
- Data Controllers: Your company. Data controllers decide the purposes for which personal data about data subjects is collected and the means by which it is collected.
- Data Processors: HireHive is a data processor, as we process data on behalf of our customers.
Please note that while HireHive has consulted with legal professionals regarding GDPR to update our Terms of Service, create our GDPR related content and update our own product, HireHive is not a legal firm. All information we provide regarding GDPR is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements. Organisations should take independent legal advice regarding their own provisions for data protection.
How is HireHive helping customers become GDPR compliant?
Is HireHive adding any features that will help companies with their GDPR compliance efforts?
We have been working on this for a long time to help customers ensure that their recruitment data is GDPR compliant.
The new compliance features that we are launching will enable customers to:
- Collect consent, where appropriate, from candidates for different data processing activities during the hiring process.
- Easily and quickly email candidates to refresh their consent.
- Easily delete candidate details if they have not provided their consent.
Consent & Notice
This is one of the biggest talking points for recruiters when it comes to GDPR. So how will HireHive manage notice and/or consent for candidates?
HireHive aims to make recruitment as easy as possible. To that end we provide tools that help you manage your recruitment from start to finish. These tools will now also enable customers to meet their notice and consent obligations. Companies are now required to provide notice to data subjects whenever they collect personal data from them. In the notice, companies need to identify the lawful basis for processing personal data (see Article 6 of the GDPR).
HireHive is a data processor and as such we do not and cannot determine the lawful basis for processing candidate data on behalf of customers. However, we do allow customers to customise the data that they collect. Since customers determine what candidate data is collected, it is up to the customer to determine the lawful bases for processing a candidate’s personal data.
Depending on the purposes for processing, a company’s recruiting function may rely on a number of different lawful bases for processing personal data, including consent; performance of a contract or to take steps at the request of the candidate prior to entering into a contract; compliance with a legal obligation; or legitimate interests pursued by the customer.
How will HireHive help customers meet data retention requirements?
Under the GDPR, the general rule for keeping any personal data is “no longer than is necessary for the purposes for which the personal data are processed.” As this does not specify a maximum time period it is the responsibility of the data controller to determine the appropriate time period for retaining candidate data.
Some of the tools that will help HireHive customers comply with this data retention obligation will enable customers to:
- Flag and easily identify candidates that have been in the database for longer than the customer-specified retention period.
- Email candidates to refresh their consent.
- Delete candidates who have not provided their consent.
Individual Rights Requests
GDPR extends data subjects’ rights to access, rectification and deletion. How will HireHive help with these rights requests?
Under GDPR, EU candidates will now have the right to know which personal data a company is processing about them; to restrict the processing of their personal data; to correct incomplete or inaccurate personal data; to have their personal data deleted; to object to their data being used for certain purposes; and to receive their data in a format that they may share with another company.
Companies will need to be prepared to respond to individual rights requests from candidates in a timely manner. As a processor, HireHive will support customers responding to an individual rights request via appropriate technical and organizational measures.
With HireHive it is already possible for customers to easily and quickly update candidate details if requested. For other individual rights requests, HireHive will assist customers on a case-by-case basis to respond to candidates.
Data and Security
How can HireHive customers securely process candidate data?
Article 32 of the GDPR sets out that controller companies are obligated to work with processors who can provide sufficient guarantees that they will implement the appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Data security measures should, at a minimum, include:
- Pseudonymising or encrypting personal data.
- Maintaining the ongoing confidentiality, integrity, availability, access, and resilience of processing systems and services.
- Restoring the availability of and access to personal data in the event of a physical or technical security breach.
- Regularly testing and evaluating the effectiveness of technical and organisational measures.
HireHive has been committed to data security from the very start and will continue to be. HireHive is deployed on Microsoft’s Windows Azure platform. We take advantage of the extensive security options available on Azure to give you confidence that the highest standards and best practices are maintained. Azure meets a broad set of international as well as regional and industry-specific compliance standards, such as ISO 27001, FedRAMP, SOC 1 and SOC 2.
We are SOC 2 compliant because we understand the sensitive nature of the data we process on our customers’ behalf.
Azure’s adherence to the strict security controls contained in these standards is verified by rigorous third-party audits that demonstrate Azure services work with and meet world-class industry standards, certifications, attestations, and authorizations.
We stringently follow industry standards to safeguard our customers’ data.
Maintaining a processing record
A final but important aspect of GDPR is that companies with more than 250 employees are required to maintain records of their processing activities (see Article 30). Companies must be able to provide these records to a supervisory authority upon request in a timely manner. Companies that manage their recruitment using spreadsheets and multiple tools may find it difficult to maintain a record of processing, which may increase their GDPR compliance risk.
With HireHive all your recruitment activities are managed in one place, which allows your company to easily provide a record of all your recruiting processing activities.
HireHive is a leading European applicant tracking system (ATS) provider with customers around the world. Data security and compliance are our number one priority. If you are a HireHive customer and have questions about GDPR, please get in touch.
If you are looking for recruitment software/ATS to help with your compliance efforts by May 25th 2018, contact us and we’d be happy to discuss your requirements.