Lytmus and the General Data Protection Regulation (GDPR)
With data privacy making headlines daily, it’s timely that the EU will begin enforcing its General Data Protection Regulation (GDPR) at the end of May.
In today’s post, we’ll give a brief overview of GDPR and share how Lytmus is ensuring its compliance before May 25, 2018.
GDPR in a nutshell
GDPR is the EU's new data privacy and protection regulation, and it becomes enforceable on May 25, 2018. The regulation protects the personal data of individuals in the EU (not only EU citizens) and ultimately gives those individuals the final say in how their data is used. Organizations that collect or process this data face steep penalties if they don't comply with the regulation.
Personal data is anything that can directly or indirectly identify an individual, including contact details, social profiles, IP addresses, location data, and much more.
How this impacts you
If there's even a remote chance that a candidate from the EU would apply for a role, then adhering to GDPR is critical. It's important to note that what matters is not where your offices are located, but whether the candidate is in the EU. If you're interacting with a candidate who is sharing information with you from within the European Union, you must comply with GDPR.
GDPR identifies three roles affected by the law:
- Data Subject: The individual sharing their personal information
- Data Controller: The company performing the recruiting, which decides why and how the Data Subject's information is collected and stored
- Data Processor: Any system or software vendor that processes data on behalf of, and on the instructions of, the Data Controller (e.g. applicant tracking systems or platforms like Lytmus)
Penalties for non-compliance
The penalties for non-compliance with GDPR are severe. Companies that ignore the regulation face fines of up to 4% of their total worldwide annual turnover or €20 million, whichever is greater.
Lytmus will be GDPR compliant before May 25, 2018
Here's what we will be doing to ensure we're safeguarding the privacy of candidates using our platform, and in turn, giving our customers peace of mind that we comply with GDPR.
As a Data Processor, we will protect all candidate information we collect with appropriate technical and organizational security measures, and we will maintain a plan for responding to incidents that could put candidate information at risk, as Article 32 of the GDPR (security of processing) requires.
Lytmus will self-certify to the EU-US and Swiss-US Privacy Shield frameworks with the U.S. Department of Commerce and will be added to the Department's list of self-certified Privacy Shield participants. Our certifications will confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.
Privacy Shield is a recognized mechanism for the international data transfers that GDPR separately restricts, and it replaced the former U.S.-EU and U.S.-Swiss Safe Harbor Frameworks after the EU framework was invalidated by the Court of Justice of the EU in 2015. Lytmus moved quickly to adopt the Privacy Shield principles as part of our ongoing commitment to privacy and protecting our customers' data.
Data Subject consent
Candidates are required to provide their email address and phone number before accessing an assessment. During the registration process, we also provide them with the opportunity to share additional information such as their resume or LinkedIn profile.
All this information falls under the protection of GDPR and will be treated accordingly on our end to ensure its protection and compliance with the law.
Article 5 of the regulation states that data must only be collected for a specific purpose, and can't be further processed in any "manner that is incompatible with those purposes." This means that the information we collect will be used only for the purpose it was collected for: candidate assessment.
Additionally, an important piece of the regulation is the lawful basis for processing. According to Article 6 of the regulation, processing personal information is lawful only if at least one of the following applies:
- The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the Data Subject is party, or to take steps at the Data Subject's request before entering into one, such as an employment application
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary in order to protect the vital interests of the Data Subject
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided those interests are not overridden by the Data Subject's rights and freedoms
It's also important to distinguish withdrawing consent from requesting erasure. A Data Subject may withdraw consent at any time (Article 7(3)), and that withdrawal must be honored, although it doesn't make earlier processing unlawful. A request to erase the data, on the other hand, may be declined when the Data Controller still needs it on another lawful basis, for example a legal obligation (Article 17(3)). Because that is the Controller's decision, Lytmus, as a Processor acting on its customers' instructions, will defer such requests to the Data Controller (customer).
Data management and processing
Under the storage limitation principle (Article 5(1)(e)), personal data must not be kept for longer than its purpose requires. Lytmus will give each customer the flexibility to determine how long its candidates' personal data is stored, and at which point it is erased from our system.
Secure data processing
We take data security seriously, and already have controls in place to meet Article 25 (data protection by design and by default) and Article 32 (security of processing), so that all candidate information is handled with appropriate security measures.
Rights of the Data Subject
Alongside the lawful-basis requirements above, the regulation grants the Data Subject a set of rights.
These can be summarized as:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure, or "right to be forgotten" (Article 17)
- Right to data portability (Article 20)
- Right to object (Article 21)
As noted above, Lytmus will ensure that all personal data collected from candidates is handled in accordance with Article 5, and that objections to processing (Article 21) are assessed against the lawful basis for that processing under Article 6, as discussed above.
As a Data Processor, Lytmus gives its customers the ability to implement their own policies for their candidates' rights, including:
- The ability to export a candidate's information (access and portability)
- The ability to delete a candidate's personal information and anonymize the remaining assessment data so that it can no longer be linked to the candidate (erasure)
- The ability to edit a candidate's information (rectification)
Maintaining a record
As a Data Processor, Lytmus will adhere to Article 30 of the regulation and maintain a record of the processing it carries out on behalf of each customer, together with an audit log of all applicable activities involving candidates' personal data.
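The retention, erasure and audit-log mechanisms described above (customer-configured retention under "Data management and processing", erasure requests that the Controller may decline on another lawful basis, and the Article 30 record) fit together in one small pipeline. The following Python is an added worked example written for this post; it is not Lytmus's code, and the record layout, field names, policy structure, customer identifiers (`acme`, `globex`, `initech`) and audit-log format are all assumptions. The sample candidates are constructed data.

```python
"""Retention enforcement, erasure requests and audit logging for a data
processor holding candidate records for several controllers (customers).
Illustrative code added for this article, not Lytmus's implementation: the
record layout, field names, policy structure, customer ids and log format
are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class CandidateRecord:
    record_id: str
    controller_id: str          # customer on whose behalf the data is processed
    collected_at: datetime
    personal: dict              # identifying data (name, email, ...); erased on expiry or request
    assessment: dict            # scores and timings; kept, but unlinkable after erasure
    retain_reason: Optional[str] = None  # set by the controller when another lawful basis applies
    anonymised: bool = False


@dataclass
class RetentionPolicy:
    controller_id: str
    retain_days: int            # chosen by the controller (storage limitation, Art. 5(1)(e))


def anonymise(rec: CandidateRecord, now: datetime, audit_log: list, reason: str) -> None:
    """Erase every personal field. The log entry names the erased fields but never
    their values, so the audit trail is not a second copy of the personal data."""
    erased = sorted(rec.personal)
    rec.personal = {}
    rec.anonymised = True
    audit_log.append({"at": now.isoformat(), "action": "anonymise", "reason": reason,
                      "controller_id": rec.controller_id, "record_id": rec.record_id,
                      "fields_erased": erased})


def enforce_retention(records, policies, now, audit_log) -> dict:
    """Apply each controller's retention period to the records it owns. Records whose
    controller has no policy are reported, not touched, so a missing configuration
    surfaces instead of silently keeping (or deleting) data."""
    by_controller = {p.controller_id: p for p in policies}
    outcome = {"anonymised": [], "retained": [], "not_due": [], "no_policy": []}
    for rec in records:
        if rec.anonymised:
            continue
        policy = by_controller.get(rec.controller_id)
        if policy is None:
            outcome["no_policy"].append(rec.record_id)
        elif now - rec.collected_at <= timedelta(days=policy.retain_days):
            outcome["not_due"].append(rec.record_id)
        elif rec.retain_reason:  # controller keeps it on another lawful basis (Art. 17(3))
            outcome["retained"].append(rec.record_id)
        else:
            anonymise(rec, now, audit_log, reason="retention_expired")
            outcome["anonymised"].append(rec.record_id)
    return outcome


def erase_on_request(records, controller_id, record_id, now, audit_log) -> str:
    """Handle an erasure request (Art. 17) relayed by the controller. Returns
    "erased", "declined" (data kept on another lawful basis) or "not_found".
    Matching on controller_id is the tenant boundary: a customer can only reach
    its own candidates, and another customer's record looks like a missing one."""
    for rec in records:
        if rec.record_id == record_id and rec.controller_id == controller_id:
            if rec.retain_reason:
                audit_log.append({"at": now.isoformat(), "action": "erasure_declined",
                                  "reason": rec.retain_reason, "controller_id": controller_id,
                                  "record_id": record_id})
                return "declined"
            anonymise(rec, now, audit_log, reason="data_subject_request")
            return "erased"
    return "not_found"


def run_demo() -> dict:
    """Run the pipeline over constructed sample data (not real candidates)."""
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)
    ts = lambda month, day: datetime(2018, month, day, tzinfo=timezone.utc)
    records = [
        CandidateRecord("r1", "acme", ts(4, 1), {"name": "Alice", "email": "alice@example.com"},
                        {"score": 87, "duration_s": 3500}),
        CandidateRecord("r2", "acme", ts(5, 20), {"email": "bob@example.com"}, {"score": 64}),
        CandidateRecord("r3", "acme", ts(3, 1), {"email": "carol@example.com"}, {"score": 92},
                        retain_reason="hired: employment record required by law"),
        CandidateRecord("r4", "globex", ts(3, 1), {"email": "dan@example.com"}, {"score": 70}),
        CandidateRecord("r5", "initech", ts(1, 1), {"email": "eve@example.com"}, {"score": 55}),
    ]
    policies = [RetentionPolicy("acme", 30), RetentionPolicy("globex", 180)]
    audit_log: list = []
    outcome = enforce_retention(records, policies, now, audit_log)
    erasure = {  # three request shapes: own record, another tenant's record, legal hold
        "own_record": erase_on_request(records, "acme", "r2", now, audit_log),
        "other_tenant": erase_on_request(records, "globex", "r2", now, audit_log),
        "legal_hold": erase_on_request(records, "acme", "r3", now, audit_log),
    }
    return {"outcome": outcome, "erasure": erasure, "records": records, "audit_log": audit_log}
```

Two design points are worth noting for anyone building the real thing. The audit log records which fields were erased and why, but never the values, otherwise the log would itself be a store of personal data that outlives the retention period. And the erasure path keys on the controller as well as the record, returning the same "not_found" for another customer's record as for a non-existent one, so that one customer cannot discover or erase another customer's candidates.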
Data breach and mitigation process
Lytmus takes data security seriously and is diligent about responding to any potential personal data breach. Under Article 33, a processor must notify the controller without undue delay after becoming aware of a breach, so that the controller can meet its own 72-hour deadline for notifying the supervisory authority. Lytmus has systems in place to notify any impacted customer (Data Controller) within 72 hours of discovering a breach.
Leveling the playing field for privacy
One of our core missions at Lytmus is to level the playing field for candidates, empowering employers to discover the best talent faster and easier than ever. Our commitment to this mission extends far beyond the transaction of an interview.
Our candidates and customers deserve the highest level of security and the confidence in knowing they can entrust their information with our team, and that we’ll always be dedicated to continually raising the bar when it comes to their information security.
We look forward to meeting the needs of our customers and candidates as we become GDPR compliant before May 25, 2018, and beyond.