Consider, Inc.

General Data Protection Regulation (GDPR)

  • Introduction
  • Key Changes Under the GDPR
  • Consider GDPR Readiness
  • Consider and Our Sub-Processors
  • Contact Us

In an effort to expand EU data subjects’ control over their personal data, a landmark privacy law named the General Data Protection Regulation (GDPR) went into effect on May 25, 2018 in the European Union (EU). All organizations that market, track or handle EU personal data are legally required to comply.

Introduction

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individual citizens of the European Union and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

What types of data does the GDPR protect?

Personal data relating to an identified or identifiable data subject in the EU, including:

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Other personal information like health and genetic data, biometric data, racial or ethnic data, political opinions, and sexual orientation, provided that the personal information can be used to identify an EU data subject

What is the scope of the GDPR?

The GDPR applies to all companies processing the personal data of European Union (EU) data subjects, regardless of the company’s location.

Are there penalties for non-compliance with the GDPR?

Yes. Under the GDPR, organizations that fail to comply with the law may face penalties of up to €20M or 4% of global annual turnover (revenue) in fines, whichever is higher.

Key Changes Under the GDPR

Personal Rights

Individuals have the right to:

  • Access their personal data and correct errors
  • Request erasure of their personal data
  • Object to processing of their personal data
  • Export their personal data

Controls and Notifications

  • Protect personal data using appropriate security
  • Promptly notify supervisory authorities and affected data subjects in the event of a personal data breach
  • Ensure that all processing of personal data has an appropriate legal basis under the GDPR
  • Keep records detailing data processing

Transparent Policies

Organizations are required to:

  • Provide clear notice to data subjects of personal data collection
  • Outline processing purposes and use cases
  • Define data retention and deletion policies

IT and Training

Organizations need to:

  • Train privacy personnel and employees on principles of GDPR compliance
  • Audit and update data and privacy policies
  • Appoint a Data Protection Officer (if required)
  • Create and execute compliant data processing agreements with vendors that have access to personal data

Consider GDPR Readiness

Data Subject Consent

GDPR

After speaking with the experts, we found that companies are not required to collect consent from every prospect.

Our Approach

  • Getting consent from prospects is not required under the GDPR. Consider does not allow prospects to upload any personal or personally identifiable information and is therefore GDPR
  • When it comes to our customers’ data, we are a processor. Our customers give us information about their recruiting teams and we are only authorized to use it as that team permits us to do. If that team decides to no longer be a customer of ours, we lose the permission to use their information.

The Right to be Forgotten

GDPR

EU data subjects have the “right to be forgotten”. Companies also need to erase personal data when the business no longer has a legal basis to continue storing it under the GDPR.

Our Approach

Consider allows you to:

  • Delete a prospect’s data in the Applicant Tracking System in use
  • Consider will erase a prospect’s personal data to reflect the data erasure in the Applicant Tracking System.
  • When it comes to our customers’ data, we are a processor. Our customers give us information about their recruiting teams and we are only authorized to use it as that team permits us to do. If that team decides to no longer be a customer of ours, we lose the permission to use their information.

Enhanced Rights to Notice and Access

GDPR

  • Companies are required to provide a variety of details at the time personal data is collected (for example, when a candidate applies to a job), including why they are collecting certain information, how long it will be stored, and where it will be sent.
  • The GDPR significantly enhances people’s right to access their own personal data, and companies need to provide this data to candidates upon request in an efficient and easily portable format.

Our Approach

  • Consider makes all personal data available about a prospect exportable from the prospect’s profile. Customers can click on Export and send the data to the inquiring prospect.
  • Consider provides our customers with the ability to be deleted. They simply need to send an email to support@consider.com requesting to be deleted. This is also documented in detail on Consider’s FAQ page.

The Right to Object

GDPR

People have a right to restrict their personal data from being used for direct marketing purposes.

Our Approach

Consider does not provide any marketing or advertising tools to our users.

Consider and Our Sub-Processors

In an effort to provide maximum transparency, we’ve listed sub-processors Consider works with along with details on what the data collected through these sub-processors are used for.

Sub-processors with access to Candidate personal data in Consider:

  • Amazon Web Services: Servers and network infrastructure

Sub-processors with access to Employee PII in Consider Onboarding:

  • Amazon Web Services: Servers and network infrastructure
  • Google Analytics: Product analytics

Security and Certifications

  • SOC 2 Type 2 Certificate: Consider is compliant with SOC 2 Type 2
  • ISO 27001 Certificate: Consider is compliant with ISO 27001

Contact Us

Have more questions? If you are a current customer, contact us at support@consider.com

©2023 Consider, Inc. All rights reserved.