What Is GDPR?
The General Data Protection Regulation, otherwise known as GDPR, is a broad set of rules relating to the protection, transfer and retention of EU-originated personal data. It goes into effect May 25, 2018. In this brief we will discuss the features that Newton is implementing (or already has implemented) in order to assist our customers in complying with this broad set of regulations.
Who Does it Impact?
GDPR will apply to data controllers (who collect data of EU data subjects) and data processors (who process data on behalf of a data controller). GDPR applies to both organizations within the EU, as well as those located elsewhere who are collecting or processing data on EU data subjects. Whether or not GDPR applies to you will require you to consult with your legal advisors. This blog is not intended to provide legal advice, rather it should be viewed as a document explaining what we are doing at Newton to help you in your GDPR compliance efforts.
Newton and GDPR
Newton provides several security-related processes to safeguard the data of users of our products such as:
- The pseudonymisation and encryption of personal data;
- Safeguarding confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Processors and Controllers
Under GDPR, Newton’s customers are “data controllers” for two reasons. First, you are determining the purpose for which and the manner in which any personal data is being collected. Second, you are also determining the means of the processing of personal data. For example, you are determining that data of a particular applicant should be collected for the purpose of evaluating such applicant for a particular job opportunity. Under GDPR, Newton is a “data processor” because you have selected Newton to process the applicant’s data in connection with your use of our products.
Individuals’ Consent: Other Jobs Marketed via Email
To help our customers comply with GDPR (and ePrivacy) we’re implementing two features that relate to the contact of candidates.
GDPR Feature 1: Consent to Contact for Other Positions. When a GDPR-relevant candidate applies to one of your jobs Newton will allow you to capture consent to contact the person about other jobs in your company. This will help our customers ensure that their communications are not considered “unsolicited”.
GDPR Feature 2: Do Not Re-Market. In order to prevent your recruiting team from contacting consent-lacking candidates accidentally, Newton will flag candidates as “Do Not Re-Market” and will prevent you from assigning them to new jobs. We will also take steps to warn your users whenever their contact information is presented in our user interface.
Individuals: The Right to Be Deleted (Right to be Forgotten)
Per GPDR, individuals have the right to be forgotten. In other words, candidates can contact you and ask that you remove their data from Newton (there are cases when a controller is allowed to resist such requests, but we won’t cover them here). In order to facilitate your ability to comply with this requirement, Newton has created the following:
GDPR Feature 3: Delete: Admin-level users can completely delete any candidate record in Newton. Once they do so it is not recoverable.
GDPR Feature 4: Backup cleansing: Any candidate deleted from Newton will be removed from all backups within 30 days.
Individuals: The Right to Object
Individuals can request that you cease contacting them (via email for instance).
GDPR Feature 5: Do Not Contact: In order to inform your users that they are not to contact GDPR-relevant candidates who have requested no further contact, Newton will flag candidates as “Do Not Contact”. Newton will also overwrite the candidate’s contact information with “Do Not Contact” whenever it is possible to do so.
Individuals: Data Export
GDPR requires that data controllers provide EU data subjects with their personal data upon request.
GDPR Feature 6: Data Export: Newton has facilitated your ability to comply with the request by enabling your administrators to “export” a candidate’s profile, along with all associated resumes, applications and interview scorecards.
Per GDPR, data controllers will not be allowed to store personal data beyond fulfillment of the purpose for which it was collected. In other words, data controllers should store the data for “no longer than necessary”.
Similar to the features enabling you to delete data upon a request ‘to be forgotten’ as described above, Newton has created features that assist in compliance:
GDPR Feature 7: Bulk Data Deletion: Your Newton Administrator will be able to delete candidates, in bulk, enabling you to satisfy your internal data retention policies. What is a “no longer than necessary” period to store candidate data will be defined by our customers and not by Newton.
Newton: Committed to Employer Integrity
Newton’s efforts to adhere to GDPR reflect our ongoing commitment to provide employers with simple, smart and safe recruiting software. We have always valued the integrity of our customers and we take applicant privacy very seriously. If you are a current Newton customer and have any questions, please contact firstname.lastname@example.org. If you are not a Newton customer but would like to learn more about Newton and how it relates to GDPR, please contact email@example.com.