Data is one of the most valuable assets a company can own today.
Businesses are collecting a wide range of customer data to understand and serve their consumers better. Consequently, it’s more important than ever for companies to do everything in their power to ensure their customer data is protected.
As a tech company with AI at its heart, Curious Thing’s core competency is its data. Our AI voice interviewing tool offers valuable information about candidates, empowering recruiters to make strategic, data-driven hiring decisions.
Information security and privacy have always been a top priority for our team. And so, we’re excited to announce that Curious Thing is officially compliant with the GDPR.
But what is the GDPR and why does it matter?
The GDPR or General Data Protection Regulation is a set of laws regulating how businesses collect and process the personal data of European Union (EU) citizens.
Personal data or personally identifiable information (PII) is any data that can be used to identify an individual.
Like many industries, the recruiting field is highly reliant on personal data. Information used to place a candidate can include their name, email address, phone number or indirect identifiers such as their IP address or applicant number.
In essence, GDPR laws give EU citizens, in this case candidates, greater control and transparency over their personal data by placing checks on how their data is collected, used and stored.
The GDPR involves three main parties: data subjects, data controllers and data processors.
Data subjects are individuals who share their personal data. In the recruiting industry, these are candidates that are EU citizens who share PII data as part of their job applications.
Data controllers are the employers or recruiting teams who determine the reason for collecting data from these candidates.
Data processors are recruitment software and service providers like Curious Thing who process data regarding EU candidates on behalf of the employers in accordance with set guidelines.
Recruiting teams are privy to highly confidential candidate information that doesn’t belong to them. Ensuring data protection and privacy is crucial to building candidate trust and promoting data security.
GDPR compliance is mandatory for recruiters who are based in the EU or control data of EU citizens. Although not compulsory for other recruiters, it gives them a chance to shape employer perception and enhance the wider candidate experience beyond just the hiring process.
Recruiters need to abide by seven core principles to be compliant with the GDPR.
Do you have a justified purpose for collecting personal data?
Are you using candidate data only for the specified purpose?
Collect and use data only for the initial purpose you’ve disclosed to your candidates and for which you’ve received consent from them. Make sure to include this information in your privacy guidelines.
Are you collecting only job-related information that is necessary for your recruitment process?
Collect only the minimum data you need from candidates. That way, in the unfortunate event of a breach, the amount of information exposed to unauthorised access is minimised.
Is your candidate data accurate and kept up to date?
To comply with the GDPR, every reasonable step must be taken to correct any data inaccuracies and keep information updated.
If candidates ask for incorrect or incomplete personal data to be rectified or erased, you have 30 days to action this request.
Are you retaining data for the necessary limited period only?
Outline, justify and follow the retention period for your candidates’ personal data. Once the data has served its intended purpose, delete it. If the law allows you to hold on to the data for statistical purposes, it needs to be anonymised first.
Candidates can also ask for their personal data to be erased or withheld from processing.
Are you ensuring data security?
Candidates’ identity and information must be safeguarded. This means data needs to be properly de-identified, stored or deleted as the regulations require. You can also obtain ISO 27001 certification to strengthen the security of your systems and information.
Are you able to demonstrate compliance with the GDPR?
Define and document every step in your data management process. Under the GDPR, your company is responsible for who you partner with and can be held accountable if they fail to comply with the law.
By choosing GDPR-compliant vendors, your recruiting team can share data security responsibilities and make sure the tools and practices you use to hire candidates abide by the guidelines.
Note: All information stated above is general information only and is not intended to address specific requirements. Organisations should seek independent legal advice regarding their own data protection requirements.