In an effort to expand EU data subjects’ control over their personal data, a landmark privacy law named General Data Protection Regulation (GDPR) went into effect on May 25, 2018 in the European Union (EU). All organizations that market, track or handle EU personal data are legally required to comply.
Introduction
What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individual citizens of the European Union and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
What types of data does the GDPR protect?
Personal data relating to an identified or identifiable data subject in the EU, including:
Basic identity information such as name, address and ID numbers
Web data such as location, IP address, cookie data and RFID tags
Other personal information like health and genetic data, biometric data, racial or ethnic data, political opinions, and sexual orientation, provided that the personal information can be used to identify an EU data subject
What is the scope of the GDPR?
The GDPR applies to all companies processing the personal data of European Union (EU) data subjects, regardless of the company’s location.
Are there penalties for non-compliance with the GDPR?
Yes. Under the GDPR, organizations that fail to comply with the law may face penalties of up to €20M or 4% of global annual turnover (revenue) in fines, whichever is higher.
Key Changes Under the GDPR
Personal Rights
Individuals have the right to:
Access their personal data and correct errors
Request erasure of their personal data
Object to processing of their personal data
Export their personal data
Controls and Notifications
Protect personal data using appropriate security
Promptly notify supervisory authorities and affected data subjects in the event of a personal data breach
Ensure that all processing of personal data has an appropriate legal basis under the GDPR
Keep records detailing data processing
Transparent Policies
Organizations are required to:
Provide clear notice to data subjects of personal data collection
Outline processing purposes and use cases
Define data retention and deletion policies
IT and Training
Organizations need to:
Train privacy personnel and employees on principles of GDPR compliance
Audit and update data and privacy policies
Appoint a Data Protection Officer (if required)
Create and execute compliant data processing agreements with vendors that have access to personal data
Consider GDPR Readiness
Data Subject Consent
GDPR
After speaking with the experts, we found that companies are not required to collect consent from every prospect.
Our Approach
Getting consent from prospects is not required under the GDPR. Consider does not allow prospects to upload any personal or personally identifiable information and is therefore GDPR
When it comes to our customers’ data, we are a processor. Our customers give us information about their recruiting teams and we are only authorized to use it as that team permits us to do. If that team decides to no longer be a customer of ours, we lose the permission to use their information.
The Right to be Forgotten
GDPR
EU data subjects have the “right to be forgotten”. Companies also need to erase personal data when the business no longer has a legal basis to continue storing it under the GDPR.
Our Approach
Consider allows you to:
Delete a prospect’s data in the Applicant Tracking System in use
Consider will then erase that prospect’s personal data to reflect the erasure in the Applicant Tracking System.
Enhanced Rights to Notice and Access
GDPR
Companies are required to provide a variety of details at the time personal data is collected (for example, when a candidate applies to a job), including why they are collecting certain information, how long it will be stored, and where it will be sent.
The GDPR significantly enhances people’s right to access their own personal data, and companies need to provide this data to candidates upon request in an efficient and easily portable format.
Our Approach
Consider provides all personal data available about prospects by clicking on Export on a prospect’s profile. Customers can click on Export and send the data to the inquiring prospect.
Consider also gives our customers the ability to have their own data deleted. They simply need to send an email to support@consider.com requesting deletion. This is also documented in detail on Consider’s FAQ page.
The Right to Object
GDPR
People have a right to restrict their personal data from being used for direct marketing purposes.
Our Approach
Consider does not provide any marketing or advertising tools to our users.
Consider and Our Sub-Processors
In an effort to provide maximum transparency, we’ve listed the sub-processors Consider works with, along with details on what the data handled by each sub-processor is used for.
Sub-processors with access to Candidate personal data in Consider:
Amazon Web Services
Servers and network infrastructure
Sub-processors with access to Employee PII in Consider Onboarding:
Amazon Web Services
Servers and network infrastructure
Google Analytics
Product analytics
Security and Certifications
SOC 2 Type 2 Certificate
Consider is compliant with SOC 2 Type 2
ISO 27001 Certificate
Consider is compliant with ISO 27001
Contact Us
Have more questions? If you are a current customer, contact us at support@consider.com