
General Data Protection Regulation (GDPR)

Introduction

Here we outline at a high level how Clinch will be compatible with the European Union General Data Protection Regulation (GDPR).

The GDPR significantly changes data protection law in Europe, strengthening the rights of individuals and increasing the obligations on organizations.

The new law will give individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organizations. The GDPR also imposes corresponding and greatly increased obligations on organizations that collect this data.

Personal data is any information that can identify an individual person. This includes a name, an ID number, location data (for example, location data collected by a mobile phone) or a postal address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

The GDPR is based on the core principles of data protection which exist under the current law. These principles require organizations and businesses to:

  • collect no more data than is necessary from an individual for the purpose for which it will be used;
  • obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose;
  • retain the data for no longer than is necessary for that specific purpose;
  • keep data safe and secure; and
  • provide an individual with a copy of his or her personal data if they request it.

Under the GDPR individuals have the significantly strengthened rights to:

  • obtain details about how their data is processed by an organization or business;
  • obtain copies of personal data that an organization holds on them;
  • have incorrect or incomplete data corrected;
  • have their data erased by an organization, where, for example, the organization has no legitimate reason for retaining the data;
  • obtain their data from an organization and to have that data transmitted to another organization (Data Portability);
  • object to the processing of their data by an organization in certain circumstances;
  • not be subject (with some exceptions) to automated decision making, including profiling.

There are seven areas of interest with GDPR that this document will outline:

  • Personal Information Data and Security
  • Privacy By Design
  • Obligations of Data Controllers/Data Processors
  • Candidate Consent
  • Right to be forgotten
  • Reporting, breach notification and fines
  • Data Protection Officer

The regulation is due to come into effect on May 25th, 2018.

Personal Information Data and Security

  • Clinch acknowledges that GDPR broadens the definition of personally identifiable information to include any information relating to an identified natural person.
  • Online identifiers such as IP addresses and location data are now deemed to be personally identifiable information.
  • All candidate data on Clinch is encrypted both while it is in transit and at rest.
  • Clinch protects this data in a number of ways as outlined in our Security Architecture document which can be downloaded from https://www.clinchtalent.com/security.html
  • Candidates can request their data from their own personal “My Settings” page. This data will be provided to the candidate by a link emailed to their registered email address. The data will include any of the following information that may be stored against the candidate's CRM record:
    • First Name
    • Last name
    • Email
    • List of devices the candidate is active on
    • List of IP addresses associated with the candidate
    • Contents of any forms submitted
    • Any binary files (such as resumés)
  • This information will be provided in a common machine-readable format (JSON), and the binaries in whatever format the candidate provided them. They will be packaged into a single zip file.

Privacy by design

  • At Clinch data privacy is engineered across the life cycle of our product/service.
  • All candidate data on Clinch is encrypted both while it is in transit and at rest.
  • Support for GDPR compliant consent and processes – i.e. cookie banners and calls-to-action – is built into the core product.

Obligations of Data Controllers/Data Processors

  • Clinch is a data processor under GDPR.
  • Our customers are data controllers under GDPR.
  • Alongside being a compliant data processor, Clinch provides the tools to allow our customers as data controllers to behave and operate in a compliant manner.
  • All data captured by the Clinch platform on behalf of our customers is fully owned by the customer.
  • It is sandboxed to the customer's account on the platform and cannot be accessed or used by any other entity, including Clinch itself.
  • Clinch never uses the data for any purpose other than that intended by our customers (the data controller). This is how Clinch remains a data processor under GDPR legislation.

Candidate consent

  • Under GDPR a candidate must provide a statement or a “clear affirmative action”, which may include ticking a box on a website.
  • However, pre-ticking of boxes or similar inactivity is deemed to be an unacceptable form of consent.
  • Clinch uses three cookies:
    • A one-time (for each page view) session cookie to provide protection against a security attack called “Cross-site scripting (XSS)”. This cookie is mandatory, short lived (one page interaction) and contains no candidate personally identifiable information. This cookie does not fall under GDPR regulations.
    • A permanent long lived cookie that is associated with the candidate (known or unknown). This is used to associate individual candidate behavior with their CRM record. This cookie does fall under GDPR regulations.
    • A temporary session cookie (lasts for 20 minutes after last interaction) that is associated with the candidate (known or unknown). This is used to associate candidate behaviors into “visits or sessions” and is recorded against their CRM record. This cookie does fall under GDPR regulations.
  • On initial visit to a Clinch hosted page, a GDPR compliant cookie consent message will be shown, requesting consent for use of all three cookies.
  • The content of the GDPR compliant cookie consent message is configurable by the customer in their Company Admin Settings section. The following options are available:
    • Control the wording presented to candidates. As a data controller, customers are responsible for ensuring that any messages are compliant with regulations.
    • When a candidate has not yet indicated a consent preference, show the cookie consent message:
      • Always
      • When the visitor is originating from an EU registered IP address
      • Never (if a customer determines they don't require a cookie consent)
  • If consent is not granted by the candidate, the Clinch hosted website will continue to work. However, no candidate tracking will take place. The visit will not be recorded against the candidate’s CRM record.
  • If a candidate has Do Not Track (DNT) enabled on their browser, this will be interpreted (in compliance with GDPR) as actively not consenting to tracking cookies. The Clinch hosted website will operate as if consent was denied by a candidate from a cookie consent message.
  • The option to ignore DNT is available to customers, either all the time, or for traffic not originating from the EU.
  • Candidates can view and adjust their consent preferences from their “My Settings” page at any time.
  • Candidates who don't provide consent to tracking cookies will get a reduced experience, in accordance with the regulations. For example, job recommendations based on their viewing habits will not be available to them.
  • The current consent preference of a candidate is easily viewable from their CRM record.
  • Call-to-action forms have a consent element to them, allowing the capturing of consent for recording and processing the information provided by the candidate in the form.
  • Candidates who have not consented to tracking cookies can still independently fill out call-to-action forms. For example, a candidate who has not consented to the placing of tracking cookies can still apply for a job. They will individually consent (as part of the form) to the processing of the application, and the form details will be added to their CRM record.
  • Candidates who are European Union citizens, who are manually imported into Clinch CRM from an external source, will be imported with their “consent setting” defaulting to “not consented”.
  • A user will not be able to run an Email or SMS Campaign against these candidates until they give their consent to be contacted. A user won't be able to individually communicate with the candidate unless it is for the purpose of acquiring consent.
  • Clinch will provide dedicated tools to acquire candidate consent in these scenarios. If consent is not provided, the imported CRM record automatically runs through the “right to be forgotten” process.
  • From a marketing perspective, the use of cookies should be presented clearly but in a positive manner, indicating the benefits of opting in, namely a better customized experience.
  • Candidates interacting with a Clinch hosted website want to find and apply for interesting and applicable job vacancies, and opting in gives them the greatest opportunity to be successful.
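The consent rules above (stored preference, the Do Not Track signal, the customer's "show message" setting and the option to ignore DNT for non-EU traffic) combine into one decision per page view. The following is an added illustration written for this page, not Clinch's own code; the setting names, the `visitorInEU` flag (assumed to come from IP geolocation) and the behaviour when no message is shown are assumptions.

```javascript
// Added example, not Clinch's code. Assumed input names:
//   showSetting  : "always" | "eu" | "never"            (Company Admin setting)
//   dntPolicy    : "respect" | "ignore" | "ignore_non_eu" (how DNT is treated)
//   visitorInEU  : boolean from IP geolocation (lookup not modelled here)
//   dntEnabled   : boolean, see readDNT()
//   storedConsent: "granted" | "denied" | null (consent message or My Settings)

// Browser DNT signal; takes a navigator-like object so it can run outside a browser.
function readDNT(nav) {
  return nav.doNotTrack === '1' || nav.msDoNotTrack === '1';
}

function consentDecision({ showSetting, dntPolicy, visitorInEU, dntEnabled, storedConsent }) {
  // The per-page-view security cookie carries no PII and is always set.
  const d = { securityCookie: true, trackingCookies: false, showBanner: false };

  // An explicit choice already recorded by the candidate wins (assumption:
  // a grant made in My Settings overrides a browser DNT signal).
  if (storedConsent === 'granted') { d.trackingCookies = true; return d; }
  if (storedConsent === 'denied') return d;

  // DNT counts as an active refusal unless the customer chose to ignore it,
  // either for all traffic or only for traffic not originating from the EU.
  const honourDNT = dntPolicy === 'respect' || (dntPolicy === 'ignore_non_eu' && visitorInEU);
  if (dntEnabled && honourDNT) return d; // identical outcome to a denial

  // No preference yet: show the consent message if the setting calls for it;
  // tracking cookies wait for the candidate's answer.
  if (showSetting === 'always' || (showSetting === 'eu' && visitorInEU)) {
    d.showBanner = true;
    return d;
  }
  // Assumption: when no message is shown ("never", or "eu" for a non-EU
  // visitor) and no DNT refusal applies, the site proceeds with tracking.
  d.trackingCookies = true;
  return d;
}
```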

Right to be forgotten

  • Under GDPR regulations a candidate can withdraw consent at any time.
  • On Clinch a candidate can view and adjust their consent preferences from their “My Settings” page at any time.
  • If a candidate requests all personally identifiable data to be destroyed then the platform will comprehensively do this by removing the following information from their CRM record:
    • First Name
    • Last Name
    • Email address(es)
    • IP addresses
    • All stored cookies
    • All binary files (e.g. resumés)
    • List of devices the candidate is active on
    • Contents of any forms submitted
  • Additionally, the now-blanked CRM record will be archived and removed from any lists.
  • If in the future the candidate interacts with Clinch again, they will get the same experience as a brand new candidate. None of their activity performed before issuing the “Right to be forgotten” request is retrievable, in compliance with the regulations.

Reporting & Breach Notifications

Clinch has significant resources and business operations in the Republic of Ireland, an EU country with a strong tech presence. All of our engineering activities operate under our Irish registered company. Clinch in Ireland is registered with the Irish Data Protection Commissioner. This body has extensive experience regulating technology companies and, for example, is responsible for regulating Google, Facebook, Microsoft and many more within the European Union.

Under GDPR Clinch has a legal obligation to report any breach of security that leads to personally identifiable data being disclosed, destroyed, lost, altered or stolen to the Irish Data Protection Commissioner no later than 72 hours after we become aware of it.

As a data processor we will notify our impacted customer or customers to enable them to fulfill their roles as data controllers.

You can read a more detailed account of how we tackle and coordinate activities on becoming aware of a security incident in our “Security Incident Response Guide.pdf”.

Data Protection Officer

Clinch has appointed a dedicated Data Protection Officer:

Patrick Doyle <patrick@clinchtalent.com>