With the new General Data Protection Regulation (GDPR) coming into force in just a few months on 25 May 2018, we have completed a detailed review of the new regulation.
In this article, we explore what the introduction of GDPR means for Tazio and our customers. We also explain the changes we're making to Tazio and the steps you will need to take to ensure you comply fully with the new regulations.
The Principles of GDPR
The GDPR sets out the main responsibilities for organisations for data protection.
Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Furthermore, Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
How GDPR applies to Tazio and our customers
The GDPR applies to ‘controllers’ and ‘processors’.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
Our understanding is that in the context of GDPR, Tazio is the processor and you, the customer and owner of the data, are the controller.
Lawful basis for processing
The GDPR states you must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. In terms of Tazio, we believe that two apply to the use of our platform. These are:
Consent: the individual has given clear consent to the processing of their personal data for a specific purpose, e.g. applying for a job.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
The GDPR sets a high standard for consent. In terms of candidates completing an assessment, we believe providing consent requires a positive opt-in. We intend to follow ICO best practice with a layered approach, providing clear and concise statements of consent during the initial stages of the assessment process.
The screen shot below is an example:
Depending on the nature of the assessment, we believe it may be necessary to obtain additional consent from candidates. For example, the GDPR has specific provisions relating to "Rights related to automated decision making including profiling" (Article 22): a candidate has the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on them, unless an exception applies, one of which is the candidate's explicit consent.
If your assessment is used to automatically screen candidates, or you are using a psychometric test as part of your assessment, you will need to explain that you use an automated decision-making process, give meaningful information about the logic involved, and allow the candidate to request human intervention and to contest the decision.
Another important provision of GDPR is that we keep evidence of consent – who, when, how, and what we told people. By including a positive opt-in at the account creation stage, and later in the assessment process, we will have accurate records of the consents given by an individual.
Right of erasure
The GDPR states that it must be as easy for people to withdraw consent as it was to give it, and that you must tell them how. Withdrawing consent is one of the grounds for the separate right to erasure (Article 17), also known as ‘the right to be forgotten’.
The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
This provision raises a couple of questions where candidates are applying for jobs. For instance, is it acceptable for an employer to retain a candidate's name and email address so they know whether or not a candidate has previously applied for a job?
What if a candidate completes an assessment, then asks to have their details deleted, so they can apply again having had a chance to see the questions in advance?
Tazio enables users with the relevant privileges to delete a candidate's data in the admin portal. This permanently deletes the candidate's data; however, our backup policy does mean that if the data was deleted in error, it could be reinstated on request. The same mechanism could reinstate data that was deleted in response to a valid erasure request, so any restore from backup needs to re-apply the erasures made after the backup was taken.
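The following is an added illustration, not Tazio's code, of one way to reconcile a backup policy with the right to erasure: every deletion is recorded in an append-only erasure log kept outside the backed-up data, and a restore replays that log so data erased at a candidate's request stays erased while data removed by administrator error can still be recovered. The store, the candidate records and the timestamps are all constructed for the example, and the two reason codes are assumptions of this example rather than anything the admin portal exposes.

```python
"""Restoring from backup without reinstating erased candidate data.

Added illustration (not Tazio's code). Deletions are written to an
append-only erasure log that is deliberately excluded from backups; a
restore reloads the snapshot and then re-applies every erasure that was
made at the data subject's request. All data below is constructed.
"""
import copy
from dataclasses import dataclass, field

SUBJECT_REQUEST = "subject_request"  # Article 17 erasure: must survive a restore
ADMIN_ERROR = "admin_error"          # routine delete: may be reinstated on request


@dataclass
class ErasureEvent:
    candidate_id: str
    reason: str
    at: str  # ISO-8601 timestamp, kept for the audit trail


@dataclass
class CandidateStore:
    # candidate_id -> personal data (constructed sample records, see demo())
    records: dict = field(default_factory=dict)
    # append-only; NOT included in backup() snapshots on purpose
    erasure_log: list = field(default_factory=list)

    def delete(self, candidate_id: str, reason: str, at: str) -> None:
        """Delete a candidate and log why, so a later restore knows what to do."""
        if reason not in (SUBJECT_REQUEST, ADMIN_ERROR):
            raise ValueError(f"unknown erasure reason: {reason}")
        self.records.pop(candidate_id, None)
        self.erasure_log.append(ErasureEvent(candidate_id, reason, at))

    def backup(self) -> dict:
        """Snapshot of the candidate data only; the erasure log lives elsewhere."""
        return copy.deepcopy(self.records)

    def restore(self, snapshot: dict) -> list:
        """Reload a snapshot, then suppress every subject-requested erasure.

        Replaying the whole log is idempotent (a missing key is simply
        skipped), so there is no need to order the log against the snapshot
        time. Returns the candidate ids suppressed during this restore.
        """
        self.records = copy.deepcopy(snapshot)
        suppressed = []
        for event in self.erasure_log:
            if event.reason == SUBJECT_REQUEST and event.candidate_id in self.records:
                del self.records[event.candidate_id]
                suppressed.append(event.candidate_id)
        return suppressed


def demo() -> dict:
    """Walk through both cases from the text; returns the final record set."""
    store = CandidateStore(records={
        "c1": {"name": "A. Example", "email": "a@example.invalid"},
        "c2": {"name": "B. Example", "email": "b@example.invalid"},
        "c3": {"name": "C. Example", "email": "c@example.invalid"},
    })
    snapshot = store.backup()                       # nightly backup taken here
    store.delete("c1", SUBJECT_REQUEST, "2018-03-01T09:00:00Z")  # asked to be forgotten
    store.delete("c2", ADMIN_ERROR, "2018-03-01T09:05:00Z")      # deleted by mistake
    store.restore(snapshot)                         # "reinstated on request"
    return store.records


if __name__ == "__main__":
    print(sorted(demo()))  # ['c2', 'c3']: c1 stays erased, c2 comes back
```

The point of keeping the log outside the backup set is that a restore of an older snapshot cannot also restore an older, shorter log; whatever the age of the backup, the current log is authoritative about who has exercised their right to erasure.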
The GDPR does state that you can refuse to comply with a request for erasure where the personal data is processed for a number of reasons. The one relevant to recruitment is:
the establishment, exercise or defence of legal claims.
Does this mean you can retain candidate information so you can defend any potential claims from candidates? Tazio enables you to archive candidate data, so this may be acceptable as long as the archived data is not processed in future except in the event of a legal claim, and is kept only for a defined period justified by the time limit for bringing such claims.
Right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. The GDPR requires that requests for rectification are responded to within one month.
Tazio enables users with the appropriate privileges to update candidate information from within the admin portal.
Therefore, we propose that any change requests are managed by the customer. Tazio will support customers that need to make changes to candidate data that cannot be updated through the admin portal.
Right to data portability
The GDPR includes the right to data portability, which allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
To comply with this requirement we will be adding a candidate data report. For any candidate that requests this information, you will be able to simply run this report, download it as a CSV file and send it to the candidate, after verifying their identity and using a secure channel. Note that the right to portability covers the data the candidate provided themselves; assessment results and other data you derive about them fall under the separate right of access (Article 15).
Accountability and governance
The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.
To ensure both Tazio and our customers are aware of, and comply with, all the relevant requirements of GDPR, we have created a Data Processing Agreement, as Article 28 requires between a controller and its processor, which will need to be signed before the end of March 2018.
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Tazio is committed to ensuring the security of customer and candidate data. We continue to adhere to industry standards of data security through our ongoing Cyber Essentials Plus and IASME Gold accreditation.
There has been a great deal written about the introduction of the GDPR, much of it exaggerated and scaremongering.
Here at Tazio, we are fully prepared and believe by working closely with customers, we are able to fully comply with both the letter and spirit of the GDPR.