The EU will be implementing a new data privacy and protection related regulation, General Data Protection Regulation (GDPR) starting May 25, 2018. GDPR outlines the main responsibilities for organizations, with the aim of ensuring that private individuals’ data is processed transparently and only for the specific purposes for which they hold the data.
The scope of this regulation has far-reaching consequences from data storage and encryption to the rights of individuals on managing their data. It seeks to unify data privacy regulations under the EU umbrella with the goal to ease international business processes while dealing with EU residents. The regulation applies globally to all businesses dealing with data subjects in the EU. There is no grandfathering and all businesses have a mandate to comply by the deadline, May 25, 2018.
At iMocha, we take compliance very seriously. For GDPR, we are working diligently to ensure that we are compliant with the rules laid out by the law and provide product functionality that enables our customers to remain compliant. In the following sections, we have outlined iMocha’s approach to comply with the regulations outlined in the law.
During the course of recruiting, an organization needs to collect personally identifiable data from candidates. This information is crucial to build a profile of the candidate. At iMocha we help our customers perform an automated evaluation of these candidates by using our assessment platform.
Because we process candidates on behalf of our customers, according to GDPR, we are considered a Data Processor and our customers are regarded as Data Controllers. In the capacity of a Data Processor, all the candidate information we receive or collect will be handled securely with adequate data protection. We will also ensure that we have an incident response plan to address an unforeseen incident that can put customers’ candidates’ personal information at risk, in accordance with the Article 32 of the GDPR regulation.
As a processor, we require candidates to sign up using their emails to access our tests. In addition, when candidates take a test, we allow our customers to collect additional information including a resume of the candidate. Any profile information requested for collection by our customers (the data controllers) will come under the purview of GDPR. Such information would be data elements like name, education, location, gender, resume information, etc., that can identify an individual.
According to Article 5 of the regulation, personal data can be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘lawfulness, fairness and transparency’)”.
In addition, according to Article 6 of GDPR, lawful reasons to process are any of the following:
Given that the processing should be fair, iMocha will ensure that we obtain consent from candidates. We will update the terms & conditions with messaging that clearly states how we process information in a fair and transparent manner.
While GDPR requires that a data subject can revoke their consent at any time, pursuant to above stipulations in Article 6, it also allows this request to be declined if the processing of this information is required for legitimate interests pursued by the data controller. In other words, customers can decide whether to accept or deny the request from the candidate. We will take action based on the customer’s direction on how to proceed with any such request.
This following section details exactly how we manage and process the data once we obtain it. It can be further broken down into 3 sections:
Under Article 46 of the regulation, data can be transferred outside EU borders, if the processor has appropriate security measures in place, and if the customer (data controller) and iMocha (data processor) have entered into a contract that includes contractual clauses specified by EU. iMocha has a standard EU-specific data transfer and processing agreement to ensure compliance with GDPR. Article 49 provides additional basis for such a transfer. Transfer of data is allowed where “necessary for the performance of a contract between the data subject and the data controller.”
GDPR also stipulates that personally identifiable data should not be stored indefinitely. iMocha will provide the flexibility to customers (data controllers) to define how long their candidates’ personal data will be stored and when it will be deleted.
According to Article 25 of GDPR, processing should be done using appropriate security measures. All the data is accessible using secured email id and password only, we also secure and encrypt candidate data at rest. Customers should be assured that we take data security very seriously and have controls in place to make sure we are compliant to global standards.
GDPR provides broad rights for data subjects on how to manage their personal data. These can be further broken down into:
As discussed, per Article 5, we established that the information needs to be collected, stored and processed since there is legitimate interest for the controller to make the system fair. So, the customer (data controller) can determine if the candidate’s (data subject’s) request is valid and can be fulfilled. Customers can also deem the request as invalid and not fulfill, according to their agreed upon terms with the data subject. As a processor, iMocha will empower its customers with configurable tools that give them the flexibility to determine their data policies, which offer rights to their candidates. This will include:
According to Article 30 of GDPR, each controller’s representative needs to maintain a record of all activities pertaining the personal information of a data subject.
iMocha maintains a detailed audit log of all the activities. As part of compliance, iMocha will add any additional activities that customers need to be recorded. Customer need to contact iMocha to retrieve these logs.
Article 33 says that for any potential data breach, the supervisory authority must be notified within 72 hours of occurrence. iMocha has sufficient data monitoring mechanisms in place to become aware of any such breach. On discovery of a breach, iMocha intends to notify the customer (controller) of the occurrence immediately, not exceeding 24 hours after the occurrence. The communication will be sent as per the guideline mentioned in Article 33. This will give sufficient time for our customers to convey the breach to the respective authorities.
At iMocha our customers’ security, defensibility, and compliance is the utmost priority. We are taking all the required steps ahead of time to ensure that we are compliant and, in turn, our customers are GDPR-compliant as well.