Accelerate hiring key talent to deliver care and exceed patient satisfaction.
Attract skilled candidates, speed up hiring and grow expertise in your workforce.
Simplify recruiting finance and banking talent with a platform for hard-to-fill roles.
Build a talent pipeline that engages and drives your business forward.
See how diverse and global enterprises use iCIMS to employ millions, drive innovation and connect communities worldwide.
Learn how a beloved restaurant hires 40,000+ annually with a great candidate experience.
Uncover unique market insights, explore best practices and gain access to talent experts across our library of content.
View press releases, media coverage, the latest hiring data and see what analysts are saying about iCIMS.
Streamline your tech stack and take advantage of a better user experience and stronger data governance with ADP and iCIMS.
The combined power of iCIMS and Infor helps organizations strategically align their business and talent objectives.
Our award-winning partnership with Microsoft is grounded in a shared desire to transform the workplace and the hiring team experience.
Our partnership with Ultimate Kronos Group (UKG) supports the entire talent lifecycle by bringing frictionless recruiting solutions to UKG Pro Onboarding.
February 1, 2018 
2 min read
We all know by now that one of the key underpinnings of the General Data Protection Regulation (GDPR) is data subject rights, including requirements for obtaining consent from data subjects. In our industry, that includes consent from job candidates.
Companies building their GDPR compliance programs are making choices about how the consent requirements apply to their specific businesses and operations. In December 2017, the Article 29 Working Party published draft guidance on the rules for valid consent under the GDPR. The 30-page guidance document underscores rigorous requirements that can vary from how consent is frequently handled by companies in the U.S. and other non-EU countries.
The draft provides guidance on what is necessary to satisfy each element of the definition of consent under the GDPR, including requirements that for consent to be valid it must be “freely given”, “specific”, “informed” and an “unambiguous indication of the wishes” of the data subject. The guidance points to the following factors that may impact whether a consent is, in fact, freely given for GDPR purposes:
The guidance also makes clear that some means of obtaining consent, such as pre-checked boxes or other opt-out methods, will not constitute valid consent under the GDPR. The guidance also cautions that blanket consent to terms and conditions that include consent language will not constitute consent.
The guidance examines the interplay between consent as a controller’s legitimate basis for processing and other lawful grounds for processing. Under the guidance a controller that asks for a data subject’s consent to process personal data “in principle” should not be able to rely on other lawful bases for processing as a “back up” if the controller cannot demonstrate that valid consent has been obtained or if consent has been withdrawn.
With respect to withdrawal of consent, the draft guidance discusses the requirement that it must be just as easy for a data subject to withdraw consent as it is for the data subject to grant consent in the first instance. The Working Party opines that it would not be valid, for example, for a company that obtains consent online to require a data subject to call the controller in order to be able to withdraw consent.
It is unclear when final guidance will be issued by the Working Party. Given, however, that GDPR compliance is required by May 25th – and much of the draft guidance is based on earlier opinions from the Data Protection Authorities – organizations may find the draft guidance useful as they formulate their approaches to consent.
About the Author: Neal Dittersdorf, iCIMS General Counsel, Privacy Officer & Corporate Secretary
Neal Dittersdorf joined iCIMS in 2016 as general counsel and corporate secretary. In his role, Dittersdorf oversaw the company’s legal, compliance, information security and risk management functions. He also was responsible for corporate governance, serving the Board of Directors as corporate secretary.
