In this blog, we will address some GDPR basics. This article is broken up into two parts:
The European Union (EU)’s upcoming regulation, General Data Protection Regulations (GDPR) is on the verge of creating a revolution by empowering residents of the EU with stronger control of their privacy rights. By May 25th, companies worldwide will need to be GDPR-ready. At HackerRank, we believe in a developer-first approach. And GDPR provides an opportunity for companies to take a step back and invest in providing candidates more transparency in the hiring practices—creating a truly differentiated and unbiased candidate experience.
As part of our mission to match every developer to the right job, we’re constantly working to understand, measure and evaluate developers’ skills. This invariably means collecting data about the candidates that help us make more objective decisions. Given our reach to over 1,000 customers and our community of over 3.2 million developers, we have a unique vantage point of being a Data Processor as well as a Data Controller, as defined by GDPR.
Over the next few weeks, we’ll cover the details of how GDPR affects you when hiring developers, and how to build a developer-first approach.
Starting May 25 of this year, EU citizens, including developer candidates, will have more control over personal data, including how it’s collected, stored, processed, and destroyed.
Personal data may include: name, ID number, location data, or any other factors related to (and not limited to) physical, genetic, mental, cultural or social identity, IP addresses, and cookie strings. Simply put, GDPR is aimed at ensuring that the personal data of every European citizen is safeguarded and data privacy is upheld.
Since it’s impossible to hire for any role without collecting candidate personal data, GDPR-readiness is required for any technical recruiters who recruit developers in the EU.
GDPR is everyone’s responsibility at companies that recruit in the EU. As a result, employers today are drawing up a game plan with shared responsibilities between talent acquisition and engineering teams — not one or the other.
No matter where you are based across the globe, if you are assessing candidates from the EU, you will have to comply with GDPR. Any transactions that happen in the EU electronically (e.g. sending and receiving resumes) must comply with GDPR.
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). More on this here.
Whether you are hiring talent directly from the EU or outsourcing talent acquisition to an agency, here are 5 critical ways you can start embracing GDPR before May 2018:
Before collecting identifiable information, ensure that you have the candidate’s consent to use their information. You should work with your legal team to have a pre-formulated ‘Declaration of consent’ presented in an easily accessible way on your website, in email, or through any other means of communication with your candidates (Recital 42). Some examples of consent requirements include (but are not limited to):
For more detailed information, here’s a GDPR Consent Guide from the Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold regulations like GDPR.
As part of your request for consent for personal data, candidates would benefit from, and appreciate, having an understanding of the following information:
Under GDPR, it won’t be uncommon for a candidate to ask these questions. And the best, most prepared companies will be ready with answers to not only stay compliant but also provide a great experience.
One big component of embracing GDPR is relevancy. The regulation explicitly says that personal data shall “be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.” The strongest employers will take a step back and rethink whether or not they are collecting relevant information.
One potential example: if the candidate’s job performance does not relate to the pedigree of the university he or she attended, then it may be worth removing the question “Which university did you attend?” Focusing on collecting only data that is imperative for the job makes for cleaner data collection. If there is no direct relation to the job at hand, you also risk introducing biases into the hiring process (more on hiring biases here).
An important aspect of GDPR is ‘The Right to be Forgotten’, or, simply put, the right of any candidate to request that all information related to him or her be erased permanently from an organization’s records. In the case of tech recruitment, once candidates complete an assessment or an interview, they can request that their data be completely removed from your records.
An individual may also move their data from one organization to another. This requires that companies store information in formats that are portable (for example, XLS, CSV, etc.) so that data portability becomes seamless.
GDPR is coming and it’s here to stay. So, it’s imperative to upgrade your systems and processes to account for this change. Compliance with GDPR is not only a matter of obtaining lawful consent but also involves a fair amount of technological change. For example, systems have to be in place to ensure that personal data is kept in an easily accessible and editable format, and consent records have to be readily available to the authorities. There are several advantages to upgrading your systems for GDPR adherence, such as better candidate engagement and more robust security. Here’s a brief checklist to help your tech teams get started:
If you are a recruiter looking to hire developers from the EU, then GDPR-readiness is something that you will have to take into serious consideration going into 2018. Since the fines involved for non-compliance are huge, it’s important for your team to start working with your legal counsel to create a thorough, transparent process. Taking a developer-first approach, and ensuring candidates’ fundamental right to data privacy is upheld, will be key to building better and more trustworthy relationships with candidates.
Disclaimer: The information included in this blog and at this website are for informational purposes only, are not for the purpose of providing legal advice, and do not constitute legal advice in any way. You should contact your attorney to obtain advice with respect to any particular issue including GDPR compliance. Any person or entity who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice.
Abhijit Tamhane is the VP of product management and technology leader at HackerRank where he’s on a mission to build amazing products that match every developer to the right job. Before that, he built and launched the first version of Tringo, an international calling app. He’s also built and grown technology teams at Target and Salesforce.