What we’ve learned since GDPR took effect
On May 25, the GDPR privacy regulations took effect. GDPR expands the privacy rights of EU-based individuals and places further obligations on organizations that process EU citizens’ personal data. Because of the potentially large fines of up to 4% of revenues, many companies scrambled to be ready as the regulations took effect. Since May 25, a range of perspectives has been expressed. EU recruiters are mostly still not ready, but others are likening the unknown implementations to the Y2K scare. Early reporting includes many complaints and a significant number of data breaches, indicating the regulations have some teeth.
Jibe is compliant with the GDPR requirements, and is certified with PrivacyShield.gov to process EU data in the United States. As a GDPR “processor”, Jibe has implemented auditable consent gathering for candidates searching for or applying to EU jobs. Jibe has also implemented an auditable self-service candidate portal for managing EU citizen rights including the right to be forgotten.
As we roll out these capabilities with our customers, we have noticed a number of trends:
- Candidate consent requests everywhere: Companies need to establish a legal basis for processing personal data, including tracking cookies, pixels, and device fingerprinting. While there are six lawful bases listed in the GDPR, the most common approach appears to be obtaining consent directly from the candidate. The downside of consent is that users can withdraw it at any time, and processors must give them a way to do so.
- Legitimate interests also viable for some recruiting activities: One alternative to consent gathering is to claim legitimate interest as a legal basis for processing personal data. Gathering candidate profiles, resumes, and relevant data is clearly a legitimate interest of a company looking to evaluate and hire job candidates. These interests have to be balanced with the data privacy rights of the candidates. There are varying legal opinions on whether all recruiting activities maintain this balance given the employer/candidate relationship, but many are adopting this legal basis to limit the impact of consent overload on users.
- Sensitive personal data has its own rules: Sensitive personal data such as race, ethnicity, sexual orientation, political or religious beliefs, etc. requires explicit consent for processing, and has specific requirements for safeguarding of the data and processing. Each company/controller needs to manage sensitive data processing per these rules, and the approach may be different from other processing.
- Synchronization across processing entities is emerging: Many controllers and processors have their individual house in order relative to GDPR compliance. What still needs to be worked out, however, is the coordination of the individual requests into a coherent response for the candidate. Imagine a candidate who has previously submitted a profile and applied for a job, and now wishes to update their email address. This change needs to be propagated across multiple processors, many of which use the email address (itself PII) as their unique candidate identifier. The individual processing components are there, but they are not yet knit into a coherent integration for the candidate.
Jibe continues to work with its customers on enhancing the candidate experience while maintaining candidates’ privacy rights. This includes GDPR today, the pending e-Privacy updates, the EU country-specific rules that will apply to recruiting, and the reactions of other countries to the EU regulations. We anticipate an evolving landscape, with compliance, certification, and framework vendors already beginning to fill some of the void.