GDPR became enforceable on May 25, 2018. Because it is a regulation rather than a directive, it does not require national governments to pass enabling legislation; it is directly binding and applicable in every member state. Under Article 83, the most serious infringements can be fined up to 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
The General Data Protection Regulation, or GDPR (Regulation (EU) 2016/679), is the EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also governs the transfer of personal data outside the EU and EEA. The primary goal of the GDPR is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU.
Replacing the Data Protection Directive 95/46/EC, the regulation sets out the rules for processing the personal data of individuals ("data subjects", in the GDPR's terminology) within the European Union. It applies to any enterprise established in the EU and, regardless of the enterprise's location or the data subjects' citizenship, to any enterprise that processes the personal data of people who are in the EU in connection with offering them goods or services or monitoring their behaviour.
Although the key principles of data privacy from the previous directive remain, the regulation introduces substantial changes to how they must be implemented.
The GDPR may seem intimidating, especially to businesses whose core activity is data processing, because it expands the rights of data subjects. On the other hand, the regulation brings real advantages.
Compliance with the new regulation promotes greater transparency and accountability, which results in public trust, an enhanced reputation and better relationships with existing and potential customers. The GDPR sets out requirements that every organisation must meet, and meeting them improves data governance, information security, branding and, in turn, competitive advantage.
Here are some of the reasons why the GDPR is a blessing in disguise:
The GDPR is not new: it was adopted in April 2016, with a two-year transition period before enforcement. Yet many companies did not take it seriously. Believe it or not, many companies were still inquiring about the GDPR 20 days before it became enforceable.
One of the challenges is accommodating the new requirements in internal processes. Recruitment agencies have to acquaint themselves fully with the regulation, revise their existing policies on data processing and retrain all staff on how to handle personal data in compliance with the GDPR. Agencies are encouraged to have their data processes certified by a supervisory authority or an accredited certification body (Article 42). Appointing a Data Protection Officer (DPO) is mandatory where the agency's core activities involve regular and systematic monitoring of data subjects on a large scale (Article 37); even where it is not required, a DPO is the natural owner for monitoring and tracking data processes.
All of these actions require a great deal of time, effort and money. They may also delay existing or new searches, since the recruitment agency, with the assistance of the DPO and the relevant authorities, should ensure that all of its documents, systems and procedures adhere to the GDPR before proceeding.
Below are some of the FAQs that most recruitment agencies will have in relation to the GDPR, covering consent, applications, candidate rights, data processing, third-party vendors and documentation:
Is the GDPR applicable to the data on hand such as existing talent pools or is it only valid for all data obtained and processed after May 25, 2018?
You can keep your existing data as long as the consent you already hold from your candidates would be valid under the GDPR, that is, freely given, specific, informed and unambiguous (Article 4(11)). As a precaution, it is advisable to obtain fresh consent from all your existing candidates and to delete any data that, for whatever reason, you have no right to keep.
Is it considered valid when a candidate gives consent by including a note stating that they agree to have their data stored and processed in their CV or application letter?
When talking about legitimate consent, which one is preferable, written or verbal?
A written declaration is highly recommended, because the controller must be able to demonstrate that the candidate consented (Article 7(1)), and a written record is the clearest evidence of this.
How do I obtain consent when I am not using an ATS?
The absence of an ATS (Applicant Tracking System) is a challenge, especially when you have to prove that you obtained consent from the candidate. Requesting written documentation signed by the candidate is strongly advised.
While obtaining consent from a candidate, is it necessary to communicate in a specified language, i.e. their national language?
How do you obtain consent from candidates who hand you their CVs or apply directly through your website?
In this situation it is crucial to establish a process for documenting their consent. For example, there should be a standard form signed by all direct applicants. Keep the forms in your database and delete the data once the candidate revokes consent. Technology such as a secure ATS application also helps in your efforts to become GDPR compliant.
You have to be as accurate as possible. Clearly state your purpose for processing the data, who will have access to the information (listing internal recipients and third parties), the rights of the candidates, the supervisory authority they can contact if they have complaints, and so on.
How do I comply with GDPR rules for employee referrals since referrals rarely give their consent before being approached?
If a candidate applies through an ATS does this constitute consent?
It depends. If the candidate applied via the ATS and the ATS is specifically set up to obtain and store consent, this constitutes consent. Check with your ATS provider that it obtains and records consent in compliance with the GDPR.
If a candidate responds to a sent message does this constitute consent?
Unfortunately, no. A reply alone is not explicit consent, so you cannot store and process the candidate's data on that basis; you will have to take them through a process that provably obtains consent before going further.
If an applicant sends an email or a letter containing their application, does this imply consent to store and process their data?
Is it considered discrimination when giving consent to data processing becomes a necessary condition for being allowed to apply to a job that I posted?
Under the approach this article assumes, the first thing recruiters should do before processing personal data is obtain consent from the applicants. It is standard procedure, and you cannot move forward without it. Note that the GDPR also recognises other lawful bases in Article 6, such as processing necessary to take steps at the applicant's request prior to entering into a contract, so consent is not the only possible basis for handling an application.
Am I still allowed to accept applications by letter or email?
Yes, you are. However, as reiterated, you need to obtain consent from these candidates to store and process their data, so you still have to take them through a process that provably obtains consent before taking further action.
How do I obtain consent from candidates who apply through an advertisement on a job board?
How do I obtain consent from candidates who apply through my own careers page?
Will active sourcing stay possible under the GDPR?
Yes, it will, but you have to observe a few conditions. Before approaching the candidate, you need a lawful basis for the approach, and the one usually relied on is "legitimate interest": you have a legitimate interest in growing your business by approaching a potential candidate for a role, and the candidate has a corresponding interest in being approached by your recruitment agency about a genuine opportunity. After the contact, you still have to obtain their consent before processing their personal data further.
In tracking passive candidates, is it allowed to store candidate data in the ATS before getting their consent?
No. Pragmatically speaking, however, you can rely on "legitimate interest" for the approach itself and immediately ask for their consent for any further data processing.
How do I ask passive candidates for consent (for example on LinkedIn)?
Again, to have a lawful basis for approaching a candidate, you can rely on a so-called "legitimate interest" in growing your business by approaching a talent for a role, matched by the candidate's interest in being approached by your company. Ask for the candidate's consent after the initial contact and before processing their personal data further.
Hypothetically speaking, if the candidate has public profiles indicating that he or she is actively looking for job opportunities, is it still necessary to ask for their consent?
Is it allowed to approach candidates whose profiles you found using a search engine?
Yes, but only if it is a public profile with a business background. If that is the case, it is permissible to rely on "legitimate interest" when contacting a potential candidate.
Do I have to publicly advertise a job opportunity before approaching a candidate?
Not necessarily. The important thing is to have a "legitimate interest", i.e. a real job opportunity.
If a candidate accepts my request to connect on a business network like LinkedIn where their contact information is visible, am I allowed to contact them?
Is it still allowed to use sourcing tools that reveal candidates’ personal email addresses or phone numbers?
Can we store data that is publicly available, i.e. on a company’s homepage?
Will I still be able to export candidate profiles from LinkedIn into my ATS?
Is it permissible to store data of actively sourced candidates in an Excel sheet?
Yes, as long as a "legitimate interest" (i.e. a job opportunity) and consent are documented for each sourced candidate. The spreadsheet itself still has to be protected like any other store of personal data (access restricted to those who need it, encrypted storage, no uncontrolled copies), since Article 32 requires security appropriate to the risk regardless of the tool.
What can I do to ensure that candidates can access their data?
There are two ways:
1) You can appoint a designated contact for candidate requests and publish that contact's details. Any candidate request to access, amend or erase their data must be acted on without undue delay and at the latest within one month of receipt (Article 12(3)), and compliance must be documented.
2) You can employ an ATS or CRM that lets candidates log in to their profiles and make any necessary adjustments themselves. This option has the added bonus of making it easy to retain and log every change.
When a candidate states that they are not interested in a job opportunity, can I still keep their name in my database?
You can if the candidate authorises you to do so. You should inform the candidate what you will do with their data after a rejection.
Let's say a recruiter approaches a candidate whom he or she has actively sourced, but the candidate does not want their data stored and is not interested in the role. How can the recruiter ensure that colleagues will not contact the candidate again?
If the candidate refuses to have their data stored and expresses disinterest, you have to honour the request and make sure this is known across the organisation. If possible, speak personally to every employee and tell them to delete the information. Since that is hard to achieve reliably, it is advisable to ask the candidate's consent to keep the minimum contact details needed to record the opt-out, so that the candidate is not approached again.
When appointing an individual as the contact for candidate requests regarding their data, what contact details need to be disclosed?
You have to disclose the contact's direct email address and a postal address.
Is it allowed to store candidate data on personal laptops, for example by hiring managers?
It is allowed as long as the candidate knows about such storage. In practice the laptop must also meet the same security requirements as any other system holding candidate data (Article 32): full-disk encryption, access control, and inclusion in your retention and deletion process, so that the data does not outlive its purpose on a device nobody tracks.
Is it allowed to share candidate data with colleagues who will take part in job interviews?
Do I need to make the candidates aware of the fact that their data has been shared, for example with a hiring manager?
How long am I allowed to store candidate data?
Strictly interpreted, the GDPR allows you to keep candidate data only for as long as it serves the purpose you stated when obtaining it. Once that purpose is served, you are obliged to delete it. However, you can phrase the purpose in a way that gives you some leeway on how long you can keep the data. For example, you can tell candidates that you will keep their data for as long as they are interested in positions within your organisation. In that case you should have proof that the candidate is indeed interested in staying in your talent pool.
Is it okay to ask candidates to renew their consent in order to retain their data?
Yes, it is. If the candidate gave you consent to store and process their data and has not explicitly forbidden you from contacting them, you may approach them to renew their consent.
Is there a maximum limit for how long I am allowed to store candidate data?
You should check the local legislation applicable to such cases.
When receiving applicant data from a recruitment agency, should there be an agreement between the recruitment agency and the company about the data processing?
Yes. A so-called Data Processing Agreement (DPA) is needed; Article 28 requires a contract whenever one party processes personal data on behalf of another.
Is there an official GDPR seal of quality for compliant vendors?
Right now there is no official seal of GDPR compliance. Under Articles 42 and 43 of the regulation, certification can be issued by an accredited certification body or by the competent supervisory authority, but no mandatory or universal seal exists.
When sourcing candidates through job boards, who is responsible for GDPR-compliance?
Who is responsible for GDPR-compliance when sourcing candidates through CV databases?
In general, if the CV database hosts the candidate profiles, it is the provider's responsibility (as the data controller) to ensure GDPR compliance and to hold all the necessary consent to share the profiles with you. However, once the candidate profiles are copied into your own systems, you become the data controller for that copy. It is clearly advisable to contact your vendors and check on their efforts to become GDPR compliant.
Who is in control of determining whether the candidate data has truly been deleted from the systems?
In case of an audit, you must be able to prove that you complied with a candidate's request to remove their data from your systems. You can appoint a Data Protection Officer (DPO) within your company, tasked with running internal audits and ensuring GDPR compliance.
For more information, you can refer to the original document found on this link: https://eur-lex.europa.eu/eli/reg/2016/679/oj
GDPR in respect to the recruiting function: