Disclaimer: CATS Software, Inc. is not a law firm. Any statements or information from us are the results of internal research and should not be considered legal advice. Companies should seek their own legal advice regarding GDPR compliance.
On May 25th, 2018, the EU will begin enforcing a new set of data privacy and protection laws known as the General Data Protection Regulation, or GDPR. The new legislation standardizes data protection laws pertaining to all EU citizens for companies and organizations across the globe. GDPR compliance is required by any company that handles the personal or private data of individuals belonging to the EU.
The primary goal of GDPR is to protect the private data of EU citizens. This is achieved by limiting the type of personal data that can be stored by organizations, as well as how long they can hold onto that data. Under the GDPR, companies, organizations, and individuals are encouraged not to process more personal data than is necessary, or store personal data for longer than is necessary to complete a specific task.
These rules (known as data minimization) were created to ensure that companies do not collect more than what is necessary to perform their intended function, keeping the impact of breach and theft to a minimum.
Private data should not be kept past the point of necessity. Though the documents do not define a specific amount of time, Article 5 of the GDPR establishes that data should be promptly and thoroughly deleted upon completion of the task(s) said data was collected for.
In addition, all private data about an individual, known as the data subject, must be made available to the individual upon request.
Policies stated in the GDPR are effective retroactively, meaning any currently-stored private data on EU citizens should be reviewed to ensure compliance with GDPR before it takes effect on May 25th.
There are several key points in the GDPR framework that affect recruiters.
For starters, there are now three defined roles that are directly involved in the recruiting process: the data subject, data controller, and data processor.
In addition to understanding these roles, it is important that recruiters review the type of information they are collecting from EU citizens, as well as their current disposal methods for said information. With the GDPR comes an updated and broader definition of the term “personal data,” which may retroactively affect the data recruiters are currently storing.
Official definitions for the above roles and more can be found in Chapter 1, Article 4 of the GDPR legislative document.
We meet all the security requirements put in place by the GDPR, as well as the previous law, EU Privacy Shield. We will continue to add tools to assist our customers in processing citizens’ requests for information, helping you remain compliant as well.
CATS already meets the security requirements put in place by the GDPR and other current data protection frameworks, such as the EU-US Privacy Shield agreement. CATS users do not need to worry about our compliance when the GDPR takes effect in late May 2018.
Our goal as your data processor is to assist you, also known as the data controller, in remaining compliant. While CATS is not responsible for the compliance of data controllers, we are taking steps to make data compliance quick and painless with data stored on our platform, including:
Stay ahead of the curve by implementing best practices in preparation for the GDPR. Take a look at our GDPR infographic, created to help you start your compliance effort off right.
When will the GDPR take effect?
The GDPR will take effect in all EU countries, simultaneously, on May 25th, 2018.
If I’m using CATS, but not in the EU, does the GDPR apply to me?
Yes — compliance is required for any organization that processes personal and private information belonging to an EU citizen.
What about the data I’ve stored prior to the GDPR taking effect?
The GDPR is retroactively effective. Any personal data belonging to an EU citizen is subject to the GDPR, regardless of when it was obtained.
Does this extend to the UK?
Yes. Though the United Kingdom has planned to leave the EU, their exit does not occur until March 29th, 2019, with an additional “transition period” from March 29th, 2019 to December 31st, 2020, meaning UK citizens are covered under the GDPR until January 1st, 2021.
What happens if I’m not compliant?
Penalties for non-compliance may vary. The highest penalties amount to 4% of your company’s annual revenue or €20 million, whichever is greater. Other penalties may include warnings or reprimands.
What do I need to do to be compliant?
To be compliant, you must only store the data of an EU citizen for as long as their information is necessary to a specific task. This is typically no longer than 30 days after the position they applied for has been filled. Organizations must also comply with a citizen’s requests to view or delete their data.
Does this apply for sourced candidates?
Yes. Going forward, any candidates you source should also be notified within a reasonable amount of time. This is typically within 30 days. You may also want to notify any citizens whose data you are currently storing who did not explicitly apply for a position.
Are the GDPR and Privacy Shield the same thing?
No, though both involve the concept of EU citizens’ personal data. Under Privacy Shield, the law mandates that EU citizens’ data must be stored on EU soil. Companies (like CATS) that are based in the US must comply with Privacy Shield security regulations in order to serve customers in the EU. This is known as the EU-US Privacy Shield Agreement. The GDPR, however, is a new set of regulations that pertain to the storage of private EU citizen information. Unlike the Privacy Shield, the GDPR is mandatory for all organizations, regardless of location, that handle private information about an EU individual.
CATS is committed to data safety and compliance with data-protection regulations around the world. We will continue to update our platform as new responsibilities arise, ensuring that you always feel confident with CATS as your recruiting software.