Whether you are being proactive or reacting to recent regulations like the California Consumer Privacy Act (CCPA), which goes into effect in January 2020 for companies that have touchpoints with California, now is the time to reevaluate your policies and processes.
The California consumer data rights laws are the first wave reaction to the EU’s General Data Protection Regulation (GDPR) in the United States, and I expect the rest of the country to eventually follow suit with their own versions of CCPA.
With the possibility of numerous state and federal laws to comply with as well as international regulations, companies need to gear up for data privacy, fast.
Companies that process consumer data must remain diligent on how to comply with regulations by prioritizing the safeguard of consumer data rights.
For example, our software processes 3 million jobs and 75 million applications per year and supports 238 million candidate users – that amounts to a lot of sensitive consumer data, and its proper storage and usage should be taken seriously.
If you have a single candidate – or customer – from California, then the new CCPA laws apply to your company. The Act provides the right for Californians to:
(1) Know what personal information is being collected about them
(2) Know whether their personal information is sold or disclosed and to whom
(3) Say no to the sale of personal information
(4) Access their personal information
(5) Receive equal service and price, even if they exercise their privacy rights
While California is the first American state to enact such a law, consumers’ private information is both a national and a global data concern, and understanding data rights is paramount to the future of all companies. No one will be able to disappear through legal loopholes with this. Data rights are about protecting consumers from data breaches, and in the wake of so many big-name breaches, people are paying attention.
Here are some quick actions employers can take to set themselves up for success on the recruitment front:
Provide Compliant Candidate Rights
- Provide candidates with easy-to-understand consent terms.
- Allow candidates to opt-out of messages and retract consent. This includes email communications, phone calls and text messages.
- Notify candidates of any potential breaches, quickly (GDPR requires a 72-hour notification window).
- Provide candidates with their data upon request.
Follow GDPR Best Practices for All Net New Data Laws (in addition to new regulations)
- Choose a Data Rights Lead: Identify who will be accountable for ensuring your HR team meets all existing and net new data laws. Consider whether this should be someone in your legal department, IT department, or someone else who is qualified to lead this effort.
- Review Your Policies and Processes: Ensure your application processes and recruitment privacy policies are compliant with the data rights established by CCPA and GDPR. As a starting point, check whether your company has created data maps of California residents’ information, to identify what type of information your organization collects, why you collect it, where it is held, with whom it is shared, and how it is transferred. From there, make sure your company has the following in place:
  - A “Do Not Sell My Personal Information” option on your site
  - A way for users to easily request access to, change, move or delete their personal data
  - Evidence of valid consent for every applicant
- Conduct an Audit of Outside Vendors: If your company uses outside services for background screens, reference checking, assessments or drug testing, then those services must also be compliant. Confirming that they meet privacy standards will save your company from a huge headache down the road. Take Target as an example: the huge retailer’s data breach a few years ago actually resulted from a compromised third-party vendor. Employers need to consider not only their own compliance and privacy protocols, but those of their third-party vendors as well. Whether vetting new vendors or evaluating existing ones, ensure that all third parties hold data usage, privacy and security to the same standard that you do.
- Document Everything: Make sure your team has a clear understanding of data processes, such as where candidate data is stored, what type of data you are storing and how long you must keep it. At iCIMS, some of the steps we have taken to ensure our teams have a clear understanding of data rights processes include requiring all employees to participate in mandatory training courses. In addition, iCIMS enforces employee data processes by assigning specific security levels to various employees, requiring secure passwords that change every 30 days, and confirming that all personal cell phones linked to company platforms have strong passwords.
If your company ensures that it always thinks first of the consumer’s rights and then of how to lawfully abide by those rights, then you will have success with CCPA and GDPR. To have long-term success, brands will need to build relationships and trust with consumers by giving them control of their data and being transparent about its usage and storage. In the end, if consumers trust a brand, they may be more likely to consent and offer up even more data to have a better experience with that product/service, which will then contribute to the future success and improvement of that brand.
For more information on iCIMS’s data policies and procedures, please visit the iCIMS General Counsel site.