GDPR Compliance Guide
Disclaimer: CATS Software, Inc. is not a law firm. Any statements or information from us are the results of internal research and should not be considered legal advice. Companies should seek their own legal advice regarding GDPR compliance.
On May 25th, 2018, the EU will begin enforcing a new set of data privacy and protection laws known as the General Data Protection Regulation, or GDPR. The new legislation standardizes data protection laws pertaining to all EU citizens for companies and organizations across the globe. GDPR compliance is required by any company that handles the personal or private data of individuals belonging to the EU.
Data Storage and Disposal According to the GDPR
The primary goal of GDPR is to protect the private data of EU citizens. This is achieved by limiting the type of personal data that can be stored by organizations, as well as how long they can hold onto that data. Under the GDPR, companies, organizations, and individuals are encouraged not to process more personal data than is necessary, or store personal data for longer than is necessary to complete a specific task.
These rules (known as data minimization) were created to ensure that companies do not collect more than what is necessary to perform their intended function, keeping the impact of breach and theft to a minimum.
Private data should not be kept past the point of necessity. Though the regulation does not define a specific amount of time, Article 5 of the GDPR requires that data be promptly and thoroughly deleted once the task(s) for which it was collected are complete.
In addition, all private data about an individual, known as the data subject, must be made available to the individual upon request.
Policies stated in the GDPR are effective retroactively, meaning any currently-stored private data on EU citizens should be reviewed to ensure compliance with GDPR before it takes effect on May 25th.
What does the GDPR mean for recruiters, in particular?
There are several key points in the GDPR framework that affect recruiters.
For starters, there are now three defined roles that are directly involved in the recruiting process: the data subject, data controller, and data processor.
- The Data Controller is the company or organization that defines the type/amount of personal data required to complete a task, as well as the task itself. A data controller may be an organization or an individual (in the recruiting industry, that means it can be an agency or independent recruiter, respectively) as it’s simply whoever makes the decision on what information to gather.
- The Data Subject is described as anyone whose identifiable data is involved in a process. Identifiable data means much more than personal descriptors, such as names and ethnicities. IP addresses, routing numbers, mailing/residential addresses, educational backgrounds, and anything else that can be used to discover more details about a person is considered identifiable data.
In short, the data subject is primarily your candidate and/or applicant and, to a lesser extent, the recruiter(s).
- The Data Processor is the company that processes identifiable data, typically via software (i.e. applicant tracking systems, customer relationship managers, etc.), at the instruction of the data controller. For recruiters that use our applicant tracking system, CATS is your Data Processor. Any software that stores and processes personal data for a specific task is considered a data processor, meaning it’s possible to have multiple data processors at once.
In addition to understanding these roles, it is important that recruiters review the type of information they are collecting from EU citizens, as well as their current disposal methods for said information. With the GDPR comes an updated and broader definition of the term “personal data,” which may retroactively affect the data recruiters are currently storing.
Official definitions for the above roles and more can be found in Chapter 1, Article 4 of the GDPR legislative document.
Is CATS GDPR-compliant?
We meet all the security requirements put in place by the GDPR. We will continue to add tools to assist our customers in processing citizens’ requests for information, helping you remain compliant as well.
CATS and the GDPR
Our goal as your data processor is to assist you, also known as the data controller, in remaining compliant. While CATS is not responsible for the compliance of data controllers, we are taking steps to make data compliance quick and painless with data stored on our platform, including:
- Adding a feature that allows for EU citizens to grant or deny consent to store their data
- Tracking and displaying records of the date consent was given by an individual
- Adding the ability for CATS users to sort stored information by date of consent, allowing the user to easily note when records must receive renewed consent or be deleted
- Adding the ability to filter by date of consent to know when you need to contact the record again for renewed consent
- Making it easy to compile and send individuals’ private data upon their request
- Providing a tutorial and guidelines that ensure proper data deletion
- Designating a data processor compliance office, along with updating our Terms of Service (ToS)
Privacy Shield Decision
CATS uses AWS for all database storage. Because the Court of Justice of the European Union has validated the use of Standard Contractual Clauses (SCCs) as a mechanism for transferring data outside the European Union, we can continue to rely on the SCCs included in the AWS GDPR Data Processing Addendum. For more information about AWS and the Privacy Shield Decision, you can review Amazon's EU-US Privacy Shield FAQ.
Frequently Asked Questions
When will the GDPR take effect?
The GDPR will take effect in all EU countries, simultaneously, on May 25th, 2018.
If I’m using CATS, but not in the EU, does the GDPR apply to me?
Yes — compliance is required for any organization that processes personal and private information belonging to an EU citizen.
What about the data I’ve stored prior to the GDPR taking effect?
The GDPR is retroactively effective. Any personal data belonging to an EU citizen is subject to the GDPR, regardless of when it was obtained.
Does this extend to the UK?
Yes. The GDPR is retained in UK domestic law as the UK GDPR.
What happens if I’m not compliant?
Penalties for non-compliance may vary. The highest penalties amount to 4% of your company’s annual revenue or €20 million, whichever is greater. Other penalties may include warnings or reprimands.
What do I need to do to be compliant?
To be compliant, you may store the data of an EU citizen only for as long as their information is necessary to a specific task. This is typically no longer than 30 days after the position they applied for has been filled. Organizations must also comply with a citizen’s requests to view or delete their data.
Does this apply for sourced candidates?
Yes. Going forward, any candidates you source should also be notified within a reasonable amount of time. This is typically within 30 days. You may also want to notify any citizens whose data you are currently storing who did not explicitly apply for a position.
CATS is committed to data safety and compliance with data-protection regulations around the world. We will continue to update our platform as new responsibilities arise, ensuring that you always feel confident with CATS as your recruiting software.