Abhijit Tamhane is the VP of product management and technology leader at HackerRank where he’s on a mission to build amazing products that match every developer to the right job. Before that, he built and launched the first version of Tringo, an international calling app. He’s also built and grown technology teams at Target and Salesforce.
The EU will be implementing a new data privacy and protection related regulation, General Data Protection Regulation (GDPR) starting May 25, 2018. GDPR outlines the main responsibilities for organisations, with the aim of ensuring that private individuals’ data is processed transparently and only for the specific purposes for which they hold the data. The scope of this regulation has far-reaching consequences from data storage and encryption to the rights of individuals on managing their data. It seeks to unify data privacy regulations under the EU umbrella with the goal to ease international business processes while dealing with EU residents.
The regulation applies globally to all businesses dealing with data subjects in the EU. There is no grandfathering and all businesses have a mandate to comply by the deadline, May 25, 2018.
At HackerRank, we take compliance very seriously. We are an ISO27001 certified organization that validates the controls we have put in place for Information Security and Management. For GDPR, we are working diligently to ensure that we are compliant with the rules laid out by the law and provide product functionality that enables our customers to remain compliant.
In the following sections, we will outline HackerRank’s approach to comply with the regulations outlined in the law.
The Pathway to Compliance
During the course of recruiting, an organization needs to collect personally identifiable data from candidates. This information is crucial to build a profile of the candidate. At HackerRank, we help our customers perform an automated evaluation of these candidates by using our assessment platform.
Because we process candidates on behalf of our customers, according to GDPR, we are considered a Data Processor and our customers are regarded as Data Controllers. In the capacity of a Data Processor, all the candidate information we receive or collect will be handled securely with adequate data protection. We will also ensure that we have an incident response plan to address an unforeseen incident that can put customers’ candidates’ personal information at risk, in accordance with the Article 32 of the GDPR regulation.
Data Subject Consent
As a processor, we require candidates to sign up using their emails to access our tests. In addition, when candidates take a test, we allow our customers to collect additional information including a resume of the candidate. Any profile information requested for collection by our customers (the data controllers) will come under the purview of GDPR. Such information would be data elements like name, education, location, gender, resume information, etc., that can identify an individual.
According to Article 5 of the regulation, personal data can be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘lawfulness, fairness and transparency’)”.
In addition, according to Article 6 of GDPR, lawful reasons to process are any of the following:
- Data subject has given consent;
- Processing is necessary for the performance of a contract to which the data subject is party; (example, job application)
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Given that the processing should be fair, HackerRank will ensure that we obtain consent from candidates. We will update the terms & conditions with messaging that clearly states how we process information in a fair and transparent manner.
While GDPR requires that a data subject can revoke their consent at any time, pursuant to above stipulations in Article 6, it also allows this request to be declined if the processing of this information is required for legitimate interests pursued by the data controller. In other words, customers can decide whether to accept or deny the request from the candidate. We will take action based on the customer’s direction on how to proceed with any such request.
Data Management and Processing
This following section details exactly how we manage and process the data once we obtain it. It can be further broken down into 3 sections:
Under Article 46 of the regulation, data can be transferred outside EU borders, if the processor has appropriate security measures in place, and if the customer (data controller) and HackerRank (data processor) have entered into a contract that includes contractual clauses specified by EU.
HackerRank has a standard EU-specific data transfer and processing agreement to ensure compliance with GDPR. Article 49 provides additional basis for such a transfer. Transfer of data is allowed where “necessary for the performance of a contract between the data subject and the data controller.”
GDPR also stipulates that personally identifiable data should not be stored indefinitely. HackerRank will provide the flexibility to customers (data controllers) to define how long their candidates’ personal data will be stored and when it will be deleted.
Secure Data Processing
According to Article 25 of GDPR, processing should be done using appropriate security measures. HackerRank is ISO 27001 compliant. ISO 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS) as established by International Organization for Standardization. This certificate is an assurance for our customers that we have put sufficient Asset Control and Access Management controls in place to safeguard customer and candidate data. We also secure and encrypt candidate data at rest. Customers should be assured that we take data security very seriously and have controls in place to make sure we are compliant to global standards.
Rights of the Data Subject
GDPR provides broad rights for data subjects on how to manage their personal data. These can be further broken down into:
- Right to Access
- Right to Rectification
- Right to be Forgotten
- Right to Data Portability
- Right to Object
As discussed, per Article 5, we established that the information needs to be collected, stored and processed since there is legitimate interest for the controller to make the system fair. So, the customer (data controller) can determine if the candidate’s (data subject’s) request is valid and can be fulfilled. Customers can also deem the request as invalid and not fulfill, according to their agreed upon terms with the data subject.
As a processor, HackerRank will empower its customers with configurable tools that give them the flexibility to determine their data policies, which offer rights to their candidates. This will include:
- Ability to set a routine data deletion process at a cadence determined by the customer.
- Ability to export information regarding a candidate.
- Ability to delete information regarding a candidate. The personal data will be removed and the non-personal data will be anonymized.
- Ability to edit candidate information.
Maintaining a Record
According to Article 30 of GDPR, each controller’s representative needs to maintain a record of all activities pertaining the personal information of a data subject.
HackerRank maintains a detailed Audit log of all the activities. As part of compliance, HackerRank will add any additional activities that customers need to be recorded. These logs are easily retrievable via HackerRank APIs.
Data Breach and Mitigation Process
Article 33 says that for any potential data breach, the supervisory authority must be notified within 72 hours of occurrence. HackerRank has sufficient data monitoring mechanisms in place to become aware of any such breach. On discovery of a breach, HackerRank intends to notify the customer (controller) of the occurrence immediately, not exceeding 24 hours after the occurrence. The communication will be sent as per the guideline mentioned in Article 33. This will give sufficient time for our customers to convey the breach to the respective authorities.
This is just the beginning. Our customers’ security, defensibility, and compliance is the utmost priority at HackerRank. We recognize the spirit of the law and we are getting ahead of GDPR to ensure that we are compliant and, in turn, our customers are GDPR-compliant as well. We will relentlessly focus on improving our product’s adaptability to the increasingly heightened compliance laws.