Abhijit Tamhane is the VP of product management and technology leader at HackerRank where he’s on a mission to build amazing products that match every developer to the right job. Before that, he built and launched the first version of Tringo, an international calling app. He’s also built and grown technology teams at Target and Salesforce.
In this blog, we will address some GDPR basics. This article is broken up into two parts:
The European Union (EU)’s upcoming regulation, General Data Protection Regulations (GDPR) is on the verge of creating a revolution by empowering residents of the EU with stronger control of their privacy rights. By May 25th, companies worldwide will need to be GDPR-ready. At HackerRank, we believe in a developer-first approach. And GDPR provides an opportunity for companies to take a step back and invest in providing candidates more transparency in the hiring practices—creating a truly differentiated and unbiased candidate experience.
As part of our mission to match every developer to the right job, we’re constantly working to understand, measure and evaluate developers’ skills. This invariably means collecting data about the candidates that help us make more objective decisions. Given our reach to over 1,000 customers and our community of over 3.2 million developers, we have a unique vantage point of being a Data Processor as well as a Data Controller, as defined by GDPR.
Over the next few weeks, we’ll cover the details of how GDPR affects you when hiring developers, and how to build a developer-first approach.
PART 1: Quick FAQ on GDPR
A 10-second primer on GDPR:
Starting May 25 of this year, EU citizens, including developer candidates, will have more control over personal data, including how it’s collected, stored, processed, and destroyed.
Personal data may include: name, ID number, location data, or any other factors related to and not limited to physical, genetic, mental cultural or social identity, IP addresses, and cookie strings. Simply put, GDPR is aimed at ensuring personal data of every European citizen is safeguarded and data privacy is upheld.
Why does this matter to you?
Since it’s impossible to hire for any role without collecting candidate personal data, GDPR-readiness is required for any technical recruiters who recruit developers in the EU.
But whose responsibility is this?
GDPR is everyone’s responsibility at companies who recruit in the EU. As a result, employers today are drawing up a game plan with shared responsibilities between talent acquisition and engineering teams — not one or the other.
What if you don’t have any offices in the EU
No matter where you are based across the globe, if you are assessing candidates from the EU, you will have to comply with GDPR. Any transactions that happen in the EU electronically (e.g. sending and receiving resumes) must comply with GDPR.
What happens if you don’t comply?
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). More on this here.
Part 2: Now what? How to Embrace GDPR
Whether you are hiring talent directly from the EU or outsourcing talent acquisition to an agency, here are 5 critical ways you can start embracing GDPR before May 2018:
1. Prioritize Consent for Personal Data (like Skill Data)
Before collecting identifiable information, ensure that you have the candidate’s consent to use their information. You should work with your legal team to have a pre-formulated ‘Declaration of consent’ presented in an easily accessible way on your website, email, or any other means of communication with your candidates (Recital 42). Some examples of requirements of the consent, include (but are not limited to):
- Freely given: This means there has to be a clear choice given to the candidate in case they wish to deny consent.
- Unambiguous: This means that there has to be a clear and affirmative indication of consent from the candidate and that silence, inactivity, or pre-ticked boxes are unacceptable as means of consent.
- Specific: You must mention exactly what the data is intended to be used for and for how long you wish to use it.
- Informed: The candidate has to know who the data controller or processor is (the entity collecting the data), and why the information is being collected.
- Revocable: It has to be mentioned clearly that candidates have a right to withdraw their consent for use of their personal data at any point in time. [Article 7(3)]
For more detailed information, here’s a GDPR Consent Guide from the Information Commissioner’s Office (ICO), which is UK’s independent authority set up to uphold regulations like GDPR.
2. Boost Transparency in your Data Usage
As part of your request for consent for personal data, candidates would benefit from, and appreciate, having an understanding of the following information:
- How you intend to use the candidate’s personal data
- How the data is going to be stored
- The steps you will be taking to ensure that the data is secure
- The duration for which you will need to use that information
Under GDPR, it won’t be uncommon for a candidate to ask these questions. And the best, most prepared companies will be ready with answers to not only stay compliant but also provide a great experience.
3. Ensure All Data Collected is Relevant
One big component of embracing GDPR is relevancy. The regulation explicitly says that personal data shall “be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.” The strongest employers will take a step back and rethink whether or not they are collecting relevant information.
One potential example: if the candidate’s job performance does not relate to the pedigree of the university he or she went to, then it may be worth removing the question: “Which university did you attend?” Focusing on collecting data that’s exclusively imperative for the job would make for cleaner data collection. If there’s no direct relation to the job at hand, you also risk introducing biases into the hiring process as well (more on hiring biases here).
4. Enable Data Portability and the Right to be Forgotten
An important aspect of GDPR is ‘The Right to be Forgotten’ or simply put, it’s the right for any candidate to request that all information related to him or her be erased permanently from an organization’s records. In the case of tech recruitment, once candidates complete an assessment or an interview, they can request for their data to be completely removed from your records.
An individual may also move their data from one organization to another. This requires that companies store information in formats that are portable (for example, XLS, CSV, etc.) so that data portability becomes seamless.
5. Upgrade Existing Systems to Account for GDPR
GDPR is coming and it’s here to stay. So, it’s imperative to upgrade your systems and process to account for this change. Compliance with GDPR is not only a matter of getting lawful consent but also involves a fair amount of technological changes. For example, systems have to be kept in place to ensure that personal data is kept in an easily accessible and editable format and consent records have to be readily made available to the authorities. There are several advantages to upgrading your systems to account for GDPR-adherence, like better candidate engagement and robust security. Here’s a brief checklist to help your tech teams get started:
- Enhance your data storage and security. Ensuring data storage is robust and secure. A data breach can have a big and material impact on organizations.
- Ensure you set up proper access control, security monitoring and audit logs. Proving compliance is key to adhering to GDPR.
- Check with your vendors and partners to see if they are in GDPR compliance. If you rely on external agencies or other third parties to process candidate data, please ensure they adhere to GDPR as well.
- Have a clear plan of action to:
- Accommodate candidate requests for modification/erasure of data
- Store data in a portable format (eg. CSV format) to account for data portability
- Communicate any instances of data breaches to the authorities within 72 hours
- Communicate any instances of data breaches to candidates
- Appoint a Data Protection Officer (DPO). If you are dealing with a lot of candidate data in the EU, it may be necessary to appoint a DPO who will be the sole point of contact between the data protection authorities and your company.
If you are a recruiter looking to hire developers from the EU, then GDPR-readiness is something that you will have to take into serious consideration going into 2018. Since the fines involved for non-compliance are huge, it’s important for your team to start working with your legal counsel to create a thorough, transparent process. Taking a developer-first approach, and ensuring candidates’ fundamental right to data privacy is upheld, will be key to building better and more trustworthy relationships with candidates.
Disclaimer: The information included in this blog and at this website are for informational purposes only, are not for the purpose of providing legal advice, and do not constitute legal advice in any way. You should contact your attorney to obtain advice with respect to any particular issue including GDPR compliance. Any person or entity who intendings to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice.