A recruiter’s guide to GDPR compliance

Learn the basics of GDPR and how it affects recruitment in this compliance guide. Discover what recruiters, talent professionals and HR teams need to know to be compliant.

Nikoletta Bika

Nikoletta holds an MSc in HR management and has written extensively about all things HR and recruiting.

GDPR compliance guide

Starting from 25 May 2018, organisations that collect the personal data of EU residents must comply with the General Data Protection Regulation (GDPR). The GDPR is a new EU law that strengthens people’s rights to privacy and protects their personal data.

GDPR places the burden of ensuring compliance on your entire organisation, especially functions like recruiting which rely heavily on collecting candidates’ personal data. What should employers do to ensure GDPR compliance when they find candidates online or collect candidate data in their talent pools?

To help you on the journey towards GDPR compliance, we prepared this recruitment guide:

Please note: while Workable has consulted with legal professionals both in the creation of this guide and updates to our own product features, Workable is not a law firm. All information in this guide is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements. Organisations should take independent legal advice regarding their own provisions for data protection.

Who must comply with GDPR and what are the penalties for non-compliance?

The GDPR applies to any organisation that processes the personal data of EU residents. This covers EU organisations, and non-EU companies that offer goods or services to EU residents or monitor their behaviour. All of these organisations must be compliant when the law takes effect on 25 May 2018. If they are not, they risk fines of up to 4% of their annual global turnover (revenue) or €20 million, whichever is greater, as well as the reputational damage that fines or reprimands bring.

UK organisations must comply with the GDPR until Brexit is completed, and possibly afterwards too.

What are the basic GDPR terms and how do they relate to recruiting?

With respect to the recruiting function, the GDPR refers to:

How does the GDPR affect recruiting?

Here are a few key directives of GDPR that affect the daily work of recruiters and hiring teams:

Also, you are obliged to comply when candidates exercise their rights under GDPR:

What should employers do to comply with GDPR?

Map your recruiting data

One of the first things that your company must do to prepare for GDPR is to conduct a companywide data audit. This process will show what kind of data your organisation collects, how, why and from where.

As far as recruiting data goes, you must be clear about where and how you find and store candidate names and contact details, as well as other identifying information. Here are some questions you should be able to answer when the data audit is completed:

Create a privacy policy for recruiting

Your company must have a transparent privacy policy in place explaining how it collects, processes and protects data, and telling data subjects how to ask your company to delete or rectify their data. In addition to this privacy policy, your company may find it useful to have a privacy notice for recruitment. This notice addresses candidates directly and should include all information required by GDPR Article 13 and Article 14, as well as an account of what your company does to protect their data:

Source candidates online with care

Sourcing is an essential function for organisations that want to find great people. However, sourcing requires finding and storing personal candidate data so complying with GDPR all the way is critical.

First, keep in mind that you need a lawful basis to source candidates and process their personal data; for sourcing this will normally be legitimate interest, which you should be able to justify and document. Ensure that you:

Create a template text that you can add to your sourcing emails. If you have a recruitment-specific policy in place, you can provide your organisation’s name and contact details, say that you intend to keep data for recruitment purposes only and link to your recruitment privacy policy to convey the rest of the necessary information.

If you don’t have a recruitment privacy notice yet, you need to include all information required by GDPR Article 14 (explained above) in your email. Here’s a sample email text with placeholders:

Acme, Inc. [address, phone number, email] has collected and stored your resume and contact details.

We process this data for recruitment purposes only. We found this data on [LinkedIn] when looking to fill an open position at our company. We are storing this data in our Applicant Tracking System, [which stores data in the U.S. and is fully compliant with EU data protection laws], and we will not share it with anyone else.

We would like to keep this data until our open role is filled. [We can not estimate the exact time period, but we will consider this period over when a candidate accepts our job offer for the position for which we are considering you.] When that period is over, we will either delete your data or inform you that we will keep it in our database for future roles.

Here’s a link to our privacy policy. In this policy, you will find information about our compliance with GDPR (data protection law). It also explains how to send us a request to access the data we have collected about you, to have your data deleted, to correct any inaccuracies, or to restrict our processing of your data.

You have the right to lodge a complaint about the way we handle your data with [supervisory authority] or you can contact our [DPO] at [contact details] for more information or concerns.

Ensure your job application process complies with GDPR

When candidates fill out your job application forms, they provide you with their personal data. Because job applications correspond to actual job openings, you have a legitimate interest in processing this data and you do not need to ask for explicit consent. One caveat: special categories of data, such as health, ethnic origin or trade-union membership, need a separate basis under Article 9, so do not collect them on the application form unless you have one. To be fully compliant with GDPR, also ensure you:

Update your rejection email templates

Sometimes you have more than one great applicant for a role. If you can’t hire all of them, you may want to keep the ones you didn’t hire on file for future roles. To remain compliant with GDPR, you need to make sure that you will not keep this data for a longer period than the one you originally mentioned to candidates. If, for example, you told candidates in your sourcing email that you would keep their data for a year after they apply, you don’t need to send them another email until that year has passed. Conversely, if you told candidates you would keep their data until you filled this particular position, then you need to inform them again that you want to keep the data you had collected.

Do this with your rejection email. Add a few sentences to:

If they ask you to delete their data, you must comply.

Prepare to inform candidates of data processing whenever you receive their data

Often, you will find yourself possessing personal candidate data through means other than job applications or online sourcing. Candidates may give you their CVs at a career fair or a networking event. Or they may ask you to contact them with job opportunities. All these scenarios are lawful under the GDPR, but you need to be able to demonstrate that you have been transparent.

You can do this by preparing standard forms that provide all information required by GDPR and ask candidates to sign. Or you can email them afterwards with your recruitment privacy notice and the rest of the necessary information.

Review existing talent pipelines

GDPR covers personal data that your company has collected in the past. This means that you must review your talent databases, spreadsheets and other files where you store candidate data before the law comes into effect in May.

This is a good opportunity to make sure your talent database is updated and relevant. Determine which candidates may be good matches for future open roles in your company and which are not:

If you store candidate data in your ATS, it should be easy to delete the data of those who were disqualified. Take a quick look at all candidate profiles to see whether there are candidates who are promising or whom you wanted to contact in the future. You can mass-delete the rest.

For candidates that you want to keep in your database, prepare an email to give them necessary information. This email should be similar to the email you would send to sourced candidates in that it must include all information about what data you hold and where. These emails should also include links to your privacy policies. Your ATS may have bulk email functions that will make sending this email much easier.
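To make the retention review concrete, here is an added example (not code from the original guide or from Workable) that applies the rules from the rejection-email and talent-pipeline sections to a small constructed ATS export: a record is deleted when the candidate was disqualified or has asked for erasure, flagged for a fresh notice when the period you stated to the candidate has ended (either a fixed number of days, or "until the role is filled"), and kept otherwise. The field names, status values, review date and sample records are assumptions; map them onto whatever your own export contains.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Candidate:
    """One row of a constructed ATS export. Field names are assumptions."""
    candidate_id: str
    collected_on: date                      # when the data first entered your systems
    retention: str                          # "days" or "until_filled", as stated to the candidate
    status: str                             # "promising" or "disqualified"
    retention_days: Optional[int] = None    # only meaningful when retention == "days"
    role_filled_on: Optional[date] = None   # set once the role they were considered for is filled
    erasure_requested: bool = False         # candidate has asked you to delete their data


def decide(c: Candidate, today: date) -> str:
    """Return 'delete', 'notify' or 'keep' for one candidate.

    'notify' means the period you told the candidate about has ended, so you
    must now either delete the data or tell them you intend to keep it.
    """
    if c.erasure_requested or c.status == "disqualified":
        return "delete"
    if c.retention == "days":
        if c.retention_days is None:
            raise ValueError(f"{c.candidate_id}: retention 'days' needs retention_days")
        period_over = today >= c.collected_on + timedelta(days=c.retention_days)
    elif c.retention == "until_filled":
        period_over = c.role_filled_on is not None
    else:
        raise ValueError(f"{c.candidate_id}: unknown retention basis {c.retention!r}")
    return "notify" if period_over else "keep"


def plan(candidates: List[Candidate], today: date) -> Dict[str, List[str]]:
    """Group candidate ids by the action to take; always returns all three keys."""
    out: Dict[str, List[str]] = {"delete": [], "notify": [], "keep": []}
    for c in candidates:
        out[decide(c, today)].append(c.candidate_id)
    return out


# Constructed sample export and review date; no real candidates.
REVIEW_DATE = date(2018, 5, 1)
SAMPLE = [
    Candidate("c1", date(2017, 9, 1), "until_filled", "disqualified"),
    Candidate("c2", date(2017, 3, 1), "days", "promising", retention_days=365),
    Candidate("c3", date(2018, 1, 15), "days", "promising", retention_days=365),
    Candidate("c4", date(2017, 11, 1), "until_filled", "promising",
              role_filled_on=date(2018, 4, 2)),
    Candidate("c5", date(2018, 2, 1), "until_filled", "promising"),
    Candidate("c6", date(2018, 2, 1), "until_filled", "promising",
              erasure_requested=True),
]


def review_sample() -> Dict[str, List[str]]:
    """Run the retention review over the constructed export."""
    return plan(SAMPLE, REVIEW_DATE)


if __name__ == "__main__":
    for action, ids in review_sample().items():
        print(f"{action}: {ids}")
```

The "notify" bucket is the one that feeds your bulk email: those candidates get the same information you would send to a sourced candidate, plus a link to your privacy policy, and anyone who then asks for erasure moves to "delete" on the next run.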

Ensure your software vendors are compliant

Data processors have full access to your candidates’ data. This is why the GDPR expects you to be certain that your partners protect this data the same way you do: Article 28 lets you use only processors that give sufficient guarantees that they meet the regulation’s requirements, and requires a written contract with each of them.

Your most important vendor in recruitment is your ATS provider. Your ATS is where you will store almost all candidate data, send emails and delete or modify information. If your ATS complies with GDPR, it will be a great ally in ensuring your company complies as well.

If you aren’t using an ATS, consider investing in one before GDPR comes into effect. Spreadsheets, which are the most common alternative to software vendors, may expose you to risks concerning GDPR compliance as they provide a poor audit trail, access controls and version control. One of the key benefits of spreadsheets is also one of their key flaws, in that they can be easily duplicated, modified and disseminated without the owner’s knowledge. And, they are a cumbersome method of erasing and correcting data.

As a first step, arrange a meeting with your ATS provider or several if you’re planning on purchasing an ATS. Ask:

Be prepared to grant candidate requests

A big part of remaining compliant with GDPR is to be able to help candidates exercise their rights under this law. To do this, you must provide guidelines and processes to: