
GDPR for Job Boards: What Does it Really Mean?

November 02, 2017. Steve Kemsley, Information Security Manager

As you may already be aware, something called the GDPR is coming - the General Data Protection Regulation - and it’s going to affect the way your organization collects, handles and uses personal data. A lot of general guidance already exists but as we’re only 7 months away from its introduction, it’s time to understand what this all means for job boards.   

The GDPR is happening whether we like it or not and as far as personal data goes, job boards hold a pretty significant amount of it! There really are no excuses for sitting back and hoping it won’t apply to your organization.

You need to seriously consider what the new regulations mean for your job board and how to ensure your candidates' data rights are being upheld come May 2018. After all, I’m pretty sure you don’t want to be on the receiving end of a €20 million fine, right?

But fear not, we’re here to help. Read through our GDPR checklist and get to know the important steps you need to take on your journey to compliance.

Work out if the rules apply to you…

The GDPR applies to all organizations within the EU and to any outside that trade in the EU. Start by deciding if the new rules apply to your business. If you’re not in the EU, do you have interactions with any jobseekers that are? Are any of your target jobseekers in the EU? If they are, you need to comply.

Demonstrate the purpose of the data collection…

Under the GDPR, your site users should be made aware – in a clear and concise way – of the purpose of the data collection and how long the data will be kept. Within your privacy policy, and wherever you capture data on your site, you should explain the intended use of the information and your data retention period. You’ll also need to explain how individuals can obtain a copy of any data you store about them.

Make sure you ask permission…

If you are relying on consent as your basis for processing personal data, it will be your responsibility to demonstrate that individuals have given express and informed permission for you to process their data for the specified purpose.

Consent should be an active, affirmative action - pre-ticked boxes, opt-outs and consent by silence are not allowed. You’ll also have to make sure consent is as easy to withdraw as it is to give.

Think about how consent is gained and how you can explain what this means to your users. For example, is it clearly stated on your site what each of your current marketing preferences mean?

Consider your data retention period…

You may need to review and revise your current data retention periods to ensure that personal data is kept no longer than is necessary for its purpose. Are you holding onto job application details or resume documents for users that have been inactive for prolonged periods?

Identify who your DPO will be, if you need one…

You need to decide whether a Data Protection Officer (DPO) is required in your organization – this is an individual with designated responsibility for your data protection compliance.

You need to consider your business as a whole and all the types of personal data you control and process. An in-house DPO may not be required; however, you should ensure that you have someone who is responsible and accountable for data protection requirements.

Understand your data subject’s rights…

It’s important to know what the data subject’s rights are and whether upholding them will require you to make any operational changes. These include the right to be forgotten, the right to rectification, the right of access and the right to data portability.

For example, do you have sufficient processes in place to handle requests for data to be changed, including where the change needs action by a third party? Under the GDPR you will be responsible for ensuring these changes are passed on to the third party to action.

Think about your security processes and procedures…

Review and assess your own security processes and procedures, especially where they concern the handling of your jobseekers' information. You might want to put your staff on a data protection awareness program to ensure they are fully aware of the regulation and how it affects your organization.

Understand the consequences…

Failure to comply with the GDPR brings significant maximum sanctions, significant enough to seriously damage even the largest of organizations.

However, the resulting penalty from the regulatory authority will be based on the processes and procedures you had in place prior to a breach, as well as the steps you take when an incident occurs. So, it’s in your interest to understand the regulations in full and get your house in order sooner rather than later.

Of course, it’s important for us to declare that this doesn’t constitute legal advice, and you should seek proper counsel to double-check everything for your specific business, but we hope this gives you a good starting point.

Here at Madgex we’re working with our clients to advise and support their adventures into GDPR. We wish you the best of luck, and remember, it’s all about putting the candidate first.