Your enterprise HR systems are painstakingly designed to be secure. However, some of the candidate and employee experience enhancements you want to make could compromise that security – and put you at risk of failing to meet a number of compliance requirements.

Sound serious? It can be. The consequences of being non-compliant can include fines that total up to 4% of your organization’s annual global revenue!

Avoid these hefty penalties by familiarizing yourself with the compliance landscape. The information in this blog will help you to remain compliant while you upgrade your candidate or employee experience.

But, before we jump in, let’s define a few common compliance terms and regulations to make sure we’re all on the same page.


First things first, what is PII and why does it matter?

PII is short for “Personally Identifiable Information,” and it refers to any data that can be used to identify a specific individual. That data might include an individual’s:

  • Full name
  • Social security number
  • Date of birth
  • Medical information
  • Education history
  • And more

Given that this type of information is often collected by companies during the recruitment and application process, HR and IT teams need to ensure they safeguard their candidates’ and employees’ PII.


What is GDPR and why does it matter?

GDPR is short for the General Data Protection Regulation 2016/679. Rolled out in 2018, it is a regulation of the European Union on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas and has become the gold standard for privacy legislation around the world. Globally, many countries have instituted domestic privacy legislation that is compatible with GDPR, to permit the transfer of PII to companies within their borders.

Under GDPR, companies are responsible for:

  • Explaining why data is being collected and how it will be stored
  • Asking for consent before collecting personal data
  • Providing people with the ability to delete stored personal data at any time
  • Notifying the EU within 72 hours if there is a personal data breach

(Source: WIRED)

And although GDPR applies to the EU specifically, according to Business Edge, it now needs to be part of every company’s governance, risk, and compliance framework, regardless of whether or not they are situated in Europe. The nature of business today is global, and if there is any chance your company will interact with or receive applicants from Europe, this is something you need to ensure your team is adhering to. And in North America, there is a patchwork of legislation that effectively imposes privacy standards comparable to those of the GDPR, even if you are not importing PII from the EU or EEA.

It is simply not possible to avoid the privacy and security obligations applicable to PII any longer, and compliance with GDPR should be your baseline. Non-compliance with GDPR has some pretty serious ramifications, as the fines are quite high: up to 20 million euros or 4% of your global annual revenue!


How does candidate and employee PII data become compromised?

PII can become compromised along many exposure points along the candidate journey and employee life cycle, including your careers site, email system, Applicant Tracking System (ATS), or Human Capital Management (HCM) system.

A few specific examples include: a candidate’s résumé being forwarded by email to a number of parties during the hiring process, an ATS that does not encrypt user passwords, an ATS provider that is not using a secure hosting service, and much more (Source: SHRM).

Further to that, if you’re considering using an add-on solution that integrates with your ATS or HCM system to improve your candidate experience, this creates a series of new exposure points and additional pitfalls to watch for.


What compliance pitfalls do you need to avoid while upgrading your candidate or employee experience?

Pitfall #1 – Relying on a web service or app that requires an API integration

When you provide a typical tech vendor with an API integration into your ATS or HCM, they will gain access to the PII data that’s stored in those systems. Since you won’t have visibility into how they are storing and using this data, you lose the ability to confirm your GDPR compliance status.

Pitfall #2 – Working with a vendor that relies on their own database to deliver their solution

Most vendors rely on their own databases to provide the type of candidate or employee experience updates that enterprise ATS or HCM systems are lacking. These databases will typically hold a duplicate copy of your candidates’ or employees’ PII or GDPR-regulated information, putting you at risk of losing control over how that information is handled.

Pitfall #3 – Allowing any PII data to be stored outside of your systems of record

Even if a vendor isn’t using an API integration or their own database, you will want to confirm that they are not storing any sensitive data – including login passwords – outside of your systems of record. If they are not able to confirm this, it’s better to walk away than to potentially provide sensitive PII data to a third party with uncertain security and privacy standards.

Pitfall #4 – Creating highly privileged system accounts

Integrations that use highly privileged system accounts run the risk of giving some employees access to PII data that they would not otherwise be able to see – and which they might unknowingly store or manage in a way that is not GDPR compliant. Choose a solution that limits how much access and visibility privileged system accounts are able to have; or better yet, one that does not require the creation of these system accounts in the first place.


A simple solution: Improve your candidate and employee experience, maintain your compliance

If you want to avoid these compliance pitfalls, the InFlight Employee Experience Platform (EXP) can transform your candidate and employee experience without compromising your information security. Our solution does not store any PII data, which ensures that we will not impact your GDPR compliance.

In contrast with many other solutions, our technology ensures you retain complete control over your PII data because the InFlight EXP does not rely on a database or API integration to improve your user interface. This means everything stays within your system of record, ensuring you keep control of how your data is stored, accessed, and managed.

The InFlight EXP also ensures your GDPR compliance isn’t compromised by retaining user audit trails or storing passwords, and it does not require the creation of privileged service accounts for integration.


The takeaways

In order to upgrade the out-of-the-box candidate and employee experience provided by most enterprise ATS and HCM providers, organizations often have to consider working with an add-on employee experience solution that could jeopardize the integrity of their GDPR compliance.

Since non-compliance can have serious financial consequences, it’s important to choose the right technology partner to ensure your GDPR compliance is not undermined as you upgrade your employee experience. The InFlight Employee Experience Platform (EXP) enables you to preserve the integrity of your compliance protocols, while simultaneously transforming your candidate or employee experience!


Want more information? Take a look at our candidate experience page and employee experience page to learn about the candidate and employee experience improvements the InFlight Employee Experience Platform can provide – all while ensuring you remain GDPR compliant.