Hire and GDPR requirements
On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
You can count on the fact that Google is committed to GDPR compliance across Google Cloud services, including Hire. We are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts over the years.
Among other things, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR. Here are some aspects you can consider when assessing Hire services.
Providing Users Notice
Customers may want to provide candidates with statements on recruitment data privacy and procedures. Two potential ways of giving notice to candidates using Hire include:
- Use job postings or descriptions: consider either adding data practices and rights directly into the job description or including a link to a page with this information.
- Email templates: companies can create an email template to automatically inform applicants when they submit an application about the data collected and how it will be used. Learn how to “Edit the Thanks (for applying) email” template.
Hire allows all customers to export the data they have entered into the system at any time. Learn more about how to Export all data in Hire.
User Data Return
Hire administrators can generate a candidate pipeline report that includes key elements of candidates’ information in Hire. This functionality can be used to download a .csv with that key information and share subsets of it with the candidate, as deemed appropriate by the administrator.
User Data Deletion
Hire also provides the ability to manually delete candidate records and related data. This can be used to delete personal data upon request from a candidate.
To delete data after a certain time period, an organization has two options:
- Administrators can create a report in Hire using the candidate created-date and manually delete old candidates.
- Hire users can set reminders to follow up and delete candidates after the specified time period.
Learn how to delete a candidate.
Hire does not directly help you manage requests. Organizations could create an email address or alias with G Suite to capture requests, and they will likely want to include documentation for the process in their recruitment data privacy statement.
Standards and Certifications
Our customers may expect independent verification of security, privacy, and compliance controls. Hire undergoes several independent third-party audits on a regular basis to provide this assurance.
ISO 27001 (Information Security Management)
ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes, and data centers that make up our shared Common Infrastructure. Learn more about ISO 27001.
ISO 27017 (Cloud Security)
ISO 27017 is an international standard of practice for information security controls based on ISO/IEC 27002, specifically for Cloud Services. Google has been certified compliant with ISO 27017 for Hire. Learn more about ISO 27017.
ISO 27018 (Cloud Privacy)
ISO 27018 is an international standard of practice for protection of personally identifiable information (PII) in Public Cloud Services. Google has been certified compliant with ISO 27018 for Hire. Learn more about ISO 27018.
Data transfers outside the EU
Google offers a data processing amendment and EU model contract clauses in order to facilitate customer compliance with applicable regulatory requirements regarding international data transfers when using Hire. Google’s certification under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks includes Hire. Please see the Cloud compliance site for more information on Google Cloud products and GDPR as well as our white paper on EU data transfer mechanisms available here.
Terms of Service & Contracts
By the GDPR effective date, Hire will offer customers revised Terms of Service, including the option to accept the G Suite and Complementary Products Data Processing Amendment (DPA) and Model Contract Clauses (MCC). For more information on how to accept the DPA and MCC, please follow the online process here. Note that the contents of the DPA and MCCs may be subject to change.