chapter four

The Impact of GDPR

Who does it impact?

The GDPR expands the scope of data privacy regulations to almost every company in every industry that conducts business in the EU, regardless of its location.

All Companies that Conduct Business in the EU — Unlike its predecessor the Data Protection Regulation (DPR), the newly-enacted GDPR goes much further in its governance of data privacy with an expanded scope of jurisdiction that includes all businesses based in the EU, and/or conducting business in the EU. This means whether you are a company located and operating in the EU, or, alternatively, outside the EU but provide goods and services to EU citizens – you must comply with the GDPR.

Data Subjects, Controllers and Processors — The GDPR identifies and governs three classifications that fall within business transactions, that either have personal data rights or, alternatively, personal data obligations under this law. These groups are classified as Data Subjects, Data Controllers, or Data Processors.

Data Subjects — At its very core, the GDPR is centered on strengthening and protecting the rights of individuals – called DataSubjects in the GDPR – which are essentially “natural persons,” or rather citizens residing in the EU who supply their personal data for some sort of business transaction. In SmartRecruiters, Data Subjects are your Applicants and Candidates, who express interest, supply a resume, complete an application, etc., when pursuing employment opportunities with your organization.
Data Controllers — According to GDPR language, Data Controllers are defined as the entity that determines what type of personal data is required, in addition to the purpose for how and why personal data is used. As a SmartRecruiters customer, YOU are the Data Controller because you determine the purpose, the reason, and type of information collected from your applicants and candidates. Essentially, this information is the data you need for evaluating one’s skills and experience necessary for making a hiring decision.
Data Processors — The GDPR identifies Data Processors as those entities that process data on behalf of the data controller, and as directed by the data controller. Remember, the definition of “data processing” is quite broad and includes actions such as collecting, recording, organizing, storing, retrieving, etc. Here, SmartRecruiters is your Data Processor, as our platform serves to process the data you control and instruct us to collect as part of your hiring process.

Accordingly, SmartRecruiters and its Customers are both subject to the GDPR. That said, our obligations under the GDPR will differ based on our role as Data Processor and Data Controller, respectively. We’ll cover these specific obligations a bit later.

What data does it cover?

While the GDPR is extensive in its reach of who is impacted, its focus is more narrow in terms of what is impacted.

Data Processing — The GDPR only applies to the act of data processing, albeit the actual definition of what activity constitutes data processing is quite broad. For example, companies performing any sort of activity that in any way or shape involves or affects the personal data of another, such activity qualifies as data processing – and may only continue if performed in a manner that is compliant with the provisions of the GDPR.

Specifically, the GDPR defines data processing “as any operation performed on personal data,” whether or not by automated means, and includes (but is not limited to) the collection, use, recording, organization, storage, etc., of personal data. Thus, any time a business or organization does virtually any activity – electronic or manual – that touches or involves personal data, the GDPR applies.

Relevant to your recruiting processes, the activity of requesting information from an applicant or candidate when he or she applies to a job posting, and/or you require as part of your job application process, whether manually collected or, alternatively, leveraging a tool like SmartRecruiters, qualifies as data processing activity under the GDPR.

Personal Data — While the GDPR applies to data processing activities, its provisions are only enforceable where the data processing activities involve personal data. Personal data is also broadly defined in the GDPR as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly to identify the person.”

To provide some perspective, most U.S. companies are familiar with the term P.I.I., which stands for Personally Identifiable Information, and is generally defined to cover very specific and very personal pieces of information like ‘Date of Birth’ or ‘Social Security Number,’ etc., or rather highly-sensitive personal information that warrants a particular duty of care by a Data Controller.

Different, the European Commission simply speaks in terms of “personal information,” which encompasses a great deal more than the U.S. definition of PII. In other words, you would be hard-pressed to find an example of information that does not qualify as “personal data” under the GDPR.

As this relates to your hiring process, most, if not all, of the information you collect or request from an EU applicant or candidate in your hiring process, including whatever personal information you collect leveraging the SmartRecruiters platform, falls within this broadly-defined concept of personal data. For these reasons, many of our customers may want to restrict access to who on their hiring team has access some of this data. To accommodate this request, SmartRecruiters offers role-based security configurability so your Admin users may control permissions and access of your users within the platform.
Understanding what activity is specifically covered by the GDPR – as discussed above – only serves to reinforce the applicability of the GDPR to your EU recruiting activities where personal information is involved.