The General Data Protection Regulation (“GDPR”) is a privacy law that went into effect on May 25, 2018, creating unified data protection legislation across all EU member states. Based on the premise that privacy is a fundamental human right, the GDPR regulates how organizations can collect, use, and store personal data. It gives EU citizens and residents control over their personal data and provides a clear set of regulatory guidelines for businesses operating in the EU.
GDPR adds new requirements regarding how companies should protect the personal data they collect and process, including raising the stakes for compliance by increasing enforcement and imposing greater fines for any breaches. We at Gem agree with the principle that individuals should have the right to own their personal data, and have put in place security and privacy practices that meet and exceed the requirements contained within the GDPR.
The GDPR’s Data Protection Principles include the following requirements:
The GDPR defines personal data as any information that can be used to directly or indirectly identify a person, such as a name, photograph, email address, or even an IP address.
Businesses can take on a number of roles within the framework of GDPR as defined by Article 4. This is how Gem views those roles and their associated responsibilities:
The ‘data controller’ is the party that determines the purposes and means of the processing of personal data. While using Gem, you are the data controller in that you are determining the purpose (recruiting the candidate) and the means (using Gem) of processing the individual’s personal data. You own all of the data that you add to your Gem account.
Gem is the data processor, in that we process data on your behalf. We do not own the data in your account, nor do we determine its purpose.
Here is an overview of how Gem meets the new regulatory requirements:
Data Processing Addendum
We offer a data processing addendum (DPA) in accordance with GDPR Article 28 for our customers who collect data for candidates in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers. In turn, Gem processes or stores all personal data with fully vetted vendors with whom we have a DPA in place.
Individual data subjects’ rights – data access, portability and deletion
Risk assessment (Data Protection Impact Assessments)
A requirement of GDPR is having a managed data protection impact assessment (DPIA) process. A DPIA process helps identify and minimize the data protection risks of a project by ensuring that proper security and privacy due diligence is conducted when choosing tools and making implementation decisions. Gem has always developed our services with the goal of mitigating any risk to data privacy or security, so we have met, and will continue to meet, these obligations.
In order to ensure that your handling of data is compliant with GDPR, you should verify that your internal data processes and all of your data vendors meet the following criteria:
Lawfulness of processing
Articles 6 and 7 require that data controllers ensure that they have a lawful basis for processing personal data from a data subject within the EU. This could be through the receipt of consent from the data subject or processing based on the controller’s legitimate interests. Gem believes that because (1) you have a legitimate interest in contacting the candidate regarding a role at your company, (2) you are not offering sales or services, and (3) there is no alternative method to contacting them that would not involve processing their personal information, your use of Gem to reach out to potential candidates is covered by the legitimate interest provision. Reaching out to someone regarding a job opportunity is also to their benefit and supports their right to freedom of employment.
Providing information to end users (Article 15)
Under the GDPR, the data subject has the right to obtain from any data controller certain information about how their personal data is processed and by whom. You should update your privacy policies and practices to ensure you can provide this information to data subjects when requested. To fulfill these requests, you can direct any individual to contact Gem directly at firstname.lastname@example.org and we can explain how we process and store their data.
Support for data access and deletion requests (Articles 16-23)
The GDPR gives data subjects the right to request access to, correction of, or deletion of their personal data in certain circumstances. Within Gem, your recruiters can individually comply with this request by deleting the candidates’ data from your Gem account. We do not delete the metadata associated with an individual during this process so that we can keep a record of their request to be deleted. We believe this fulfills the requirements of the GDPR provision while meeting the expected behavior of the individual. If we also deleted the metadata associated with their data, you could potentially source and contact them again in the future as we would have no record of the deletion request. For individuals who want to access the personal data you keep on them, all of the relevant data can be exported from your Gem account in a computer-readable CSV format for any candidate in your projects. Gem can also assist you in responding to these data requests by providing all of the information within your account for any individual in a computer-readable CSV format per the GDPR requirements.
Data protection by design and by default (Article 25)
Under the GDPR, controllers must apply the principles of data minimization and privacy by design, and must limit their data collection to the amount necessary to accomplish a given task. Gem believes we are effectively helping you meet this obligation by limiting the data collected for a candidate to only the information relevant to their suitability for your roles and that which you would need to effectively engage with them. If your interpretation of this article also includes an expectation that data should be deleted within a specific time period, we can support those requests. However, we believe that candidates would reasonably expect you to remember your interaction with them about a potential job opportunity, and thus retaining records of your interaction is appropriate, even after several years.
Records of processing activities (Article 30)
Under the GDPR, processors are required to keep records of their processing activities, including those activities conducted by their subprocessors. Gem maintains proper processing logs to comply with this provision and can supply them upon request.
Data breach notifications (Articles 33-34)
Under the GDPR, controllers and processors are required to provide notifications of data breaches without undue delay. Our policies and timeframes for breach notifications based on severity can be found in our MSA and meet industry standards.
Security (Articles 40-43)
Security is a key principle under the GDPR. Controllers should ensure that the personal data they control is processed by vendors who have implemented appropriate security standards, and Gem has implemented what we believe to be an industry-leading security and compliance program for our product infrastructure.
Cross-border data transfers (Articles 44-50)
When transferring data outside the EU, controllers should ensure that the personal data they control is protected by legal requirements substantially similar to those set by the EU. To help meet the legal requirements to transfer data from the EU and Switzerland to the U.S., Gem has certified to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks for customer-related data.