Recruitment has gone high-tech, making it easier to find the perfect candidates for your team. But with great power comes great responsibility, especially when it comes to handling people's personal data. The General Data Protection Regulation (GDPR) is here to make sure we do it right.
In this blog post, we'll show you the ropes for GDPR in recruitment, keeping it simple and clear.
What's the Point of the GDPR?
Since May 2018, organizations handling the personal data of EU residents have been required to adhere to the General Data Protection Regulation. This comprehensive regulation was introduced to replace outdated data protection laws from 1998, adapting to the evolving landscape of data management tools and practices. GDPR's primary goal is to strengthen individuals' privacy rights and safeguard their personal information, and that includes the recruitment field.
More About the Principles of GDPR
GDPR and recruitment are interconnected since this regulation makes sure all companies that collect data (including candidates' info) are following a single list of rules.
The 5 key elements of GDPR are:
1. Extended jurisdiction
GDPR in recruitment isn't picky about location—it applies to all organizations, whether they're in the EU or not. In simple terms, if you deal with data from EU residents, you've got to follow GDPR rules. This includes EU companies and non-EU ones that offer stuff to folks in the EU. So, even if your company isn't based in the EU but you're hiring EU candidates, you need to update your recruitment process to play by GDPR's rules.
2. Consent
Before you collect and use any data, you've got to ask for permission from the candidate to use their info.
3. Right to access
If someone gives you their data, they have the right to see what you have on them. Candidates can ask what data about them you have and how you use it, and you've got to show it.
4. Right to be forgotten
If someone wants you to erase their info from your records, you've got to do it.
5. Data protection officer
To make sure everyone follows the data protection rules, companies should have a data protection officer. Usually, the HR or Recruitment manager takes on this role.
GDPR and recruitment
With respect to the hiring function, the GDPR for recruitment refers to:
Candidates or “data subjects.”
Candidates are the data subjects because they can be identified through the personal data they give to companies. For example, their resumes may include their names, physical addresses, or phone numbers. The GDPR exists to protect this kind of data.
Employers or “data controllers.”
Employers, or recruiters who serve as their company’s main representatives to candidates, determine the purpose of collecting candidate personal data. This makes them the data controllers who are fully responsible for protecting candidate data and using it lawfully.
Applicant Tracking Systems (ATS) and other recruitment software/services or “data processors.”
Your ATS is a data processor because it processes candidate data on behalf of your company, following your company's instructions. Data processors often use "sub-processors" of their own, which handle parts of the processing on their behalf.
How GDPR Protects Candidates
Recruitment teams handle lots of candidate data, like names, contact info, and even sensitive stuff like criminal history. GDPR has 8 key rules to keep it all safe and protect candidates. Here they are:
The right to information
It stipulates that a data subject has the right to request information about the type of data a data controller processes and the reason why.
The right of access
The right of access grants the data subject the ability to view the personal data you process about them.
The right to rectification
When candidates believe the information they submit is wrong or outdated, they have the option to update or correct it.
The right to erasure
Candidates can request that their data be deleted immediately from your organization's data files.
The right to restriction of processing
Individuals have the right to request that their data be handled in a particular manner under certain conditions. Immediately cease processing their data as asked.
The right to data portability
Under certain conditions, the person has the right to obtain personal data maintained by your organization in a frequently used format, transfer it to another controller, or use it for personal purposes.
The right to object
Individuals have the right to object to the processing of their data, including profiling, under certain conditions.
The right to avoid automated decision-making
Candidates have the right not to be subject to a decision with legal repercussions that is based solely on automated processing, including profiling.
What GDPR Means for Recruiting
GDPR affects different types of recruitment. There are mainly two ways to perform recruitment. The first is the traditional individual job posting and passive hiring. The second is active search and sourcing.
Individual job posting
When someone applies for a job posting, GDPR requires clear consent, information sharing, and the option to withdraw consent. Don't request sensitive data in your application form, and let candidates know you might store their data for future roles.
Headhunting (active search)
When actively seeking candidates, you can use legitimate interests but must respect their job availability. Contact candidates for consent and share info about data collection, retention, and more.
A rule of thumb is to communicate within the same channel as you found the CVs – such as LinkedIn Recruiter, or LinkedIn. Do not export the data into your own CRM or email program and continue the recruitment process without the candidate’s consent. Stick to the same platform where you found their CV, and only collect essential data.
For an external search to be compliant with GDPR, it cannot include more data than what is strictly necessary and relevant to the job offer. You must inform the data subject about the processing. Also, you must give the data subject the opportunity to object to it.
Social media sourcing
The Article 29 Data Protection Working Party (the EU body of national data protection authorities, now succeeded by the European Data Protection Board) has released an Opinion on exactly how social media can and should be used by employers throughout the hiring process when EU applicants are involved. It states the following:
- Employers must notify job applicants before viewing their social media profiles, even if they’re already set to public.
- Employers must have a “legal ground” to access this information.
- Employers may only view social media profiles when the information found on them is “relevant to the performance of the job which is being applied for.”
Managing the references
In recruitment, we often use references, which typically involve names and contact info, like phone numbers. It's the applicant's job to let their references know we're using their data. But recruiters should also remind applicants about this responsibility to inform their references.
What Should Recruitment Teams Do to Comply With GDPR?
Map your recruiting data
To get ready for GDPR, start with a companywide data check:
- What Data Do We Collect? Look at where we get candidate info, like from job ads or application forms.
- Do We Really Need It All? Check if we collect more info than we actually use. Make sure every piece of data has a job in our hiring process.
- How Do We Use Data? See how we use candidate info to screen and decide who gets interviews.
- Where Is Data Stored? Who Can See It? Find out where we keep data (like spreadsheets or an ATS) and who gets to look at it.
- How Does Data Move Around? Track how candidate info goes from sourcers to hiring managers and team members who contact them.
- Sharing, Transferring, Changing, Deleting? Check how we fix mistakes or share info, especially if we use spreadsheets.
Prepare a recruitment privacy notice
Your recruitment privacy notice should include:
- The name and contact details of your organization. If you have appointed a Data Protection Officer (DPO), include their contact details as well.
- A statement that any data requested will be used for recruitment purposes only. You need to explain your legitimate interest too.
- The types of information about a candidate that reside in your company’s files. These could be contact details, social and professional profiles, education, and work experience.
- Who you will share the data with. For example, if you are a recruitment consultant, you may share this data with your clients.
- Where you find candidate data. It’s important that you mention you use your sources lawfully.
- Where the processing is based and where you store data. This is especially important if you transfer data outside the EU.
- How long your organization intends to store each candidate’s data. If this isn’t possible, you need to explain with what criteria you determine this period.
- The candidates’ rights. These include the right to be forgotten, to rectify or access data, to restrict processing, to withdraw consent, to be kept informed about the processing of their data.
- Instructions on how candidates can take action on the processing of their personal data. Let them know how to access their data or request that you delete, rectify or restrict processing of their data.
Ensure your job application process complies with GDPR
When candidates fill out your job application forms, they provide you with their personal data. Because job applications correspond to actual job openings, you have legitimate interest in processing this data and you do not need to ask for explicit consent. But, to be fully compliant with GDPR, ensure you:
- Ask only for personal data you need. The Working Party 29 (the collection of data protection authorities) states that the data you collect from candidates must be “necessary and relevant to the performance of the job which is being applied for.”
- Be transparent. In your job ads, let candidates know that you intend to use their data for recruitment purposes only and how long you may need to keep this data. If you plan to gather more information about candidates (for example, by reviewing their social media profiles) as part of your screening process, you need to say that explicitly and explain how and why.
Prepare to inform candidates of data processing whenever you receive their data
Often, you will find yourself possessing personal candidate data through means other than job applications or online sourcing. Candidates may give you their CVs at a career fair or a networking event. Or they may ask you to contact them with job opportunities. All these scenarios are lawful under the GDPR, but you need to be able to demonstrate that you have been transparent.
You can do this by preparing standard forms that provide all information required by GDPR and ask candidates to sign. Or you can email them afterwards with your recruitment privacy notice and the rest of the necessary information.
Review existing talent pipelines
GDPR covers personal data that your company has collected in the past. This is a good opportunity to make sure your talent database is updated and relevant. Determine which candidates may be good matches for future open roles in your company and which are not:
- If you determine that a candidate is unlikely to be qualified for future roles or is no longer relevant or you obtained their information too long ago, then you must delete their data.
- If you store candidate data in your ATS, it’d be easy to delete the data of those who were disqualified. Take a quick look at all candidate profiles to see if there are candidates who are promising or whom you wanted to contact in the future. You could mass-delete the rest.
- If you’d like to keep a candidate in your talent pipelines, reach out to them to inform them that you are processing their data.
- For candidates that you want to keep in your database, prepare an email to give them necessary information. This email should be similar to the email you would send to sourced candidates in that it must include all information about what data you hold and where. These emails should also include links to your privacy policies. Your ATS may have bulk email functions that will make sending this email much easier.
Ensure your software vendors are compliant
Data processors have full access to your candidates’ data. This is why GDPR expects you to be certain that your partners protect this data the same way you do.
Your most important vendor in recruitment is your ATS provider. As a first step, arrange a meeting with your ATS provider (or several, if you're planning on purchasing an ATS). Ask:
- Whether GDPR applies to them as processors. If they aren't an EU company, they should either be part of the Privacy Shield (for U.S. companies) or be ready to sign effective data processing agreements that oblige them to follow GDPR's guidelines. Note that the Privacy Shield framework was invalidated by the Court of Justice of the EU in July 2020; its successor for U.S. companies is the EU-U.S. Data Privacy Framework, adopted in 2023, so check which transfer mechanism the vendor actually relies on.
- How they plan to become GDPR compliant. They should also be able to tell you where they store their data and how they ensure this data is protected.
- Whether they use compliant vendors. They should have data processing agreements in place with those subcontractors.
- Whether they have clear privacy policies. Review their privacy policies to ensure they comply with GDPR and can adequately protect candidate data.
Keep your candidate database clean
You should collect candidate data for recruitment purposes only. Don’t use it for anything else. Your ATS can help ensure that only relevant candidate data is collected.
If you no longer consider a candidate fit for the role, you should remove their data from your system. In case you have old records of candidate data without the candidates’ consent, you should ask them for their consent.
Be prepared to grant candidate requests
A big part of remaining compliant with GDPR is to be able to help candidates exercise their rights under this law. To do this, you must provide guidelines and processes to:
- Let candidates access their personal data upon request.
- Delete candidates’ personal data or restrict processing upon their request.
- Rectify candidate data. Ensure you have processes to control different versions of candidate data. For example, you should not correct the same candidate data on one spreadsheet and not in another. Having an ATS in place can save you this trouble.
- Let candidates withdraw consent (in case you decided to use consent as the legal basis for processing). Compare this process to the process of giving consent. GDPR requires that the processes of giving and withdrawing consent be equally easy and simple.
Ensure you communicate these processes clearly on your website and/or your terms and conditions.
In summary, the GDPR rules have had a significant impact on how recruitment handles personal data. Firstly, GDPR safeguards personal data, including sensitive info like health or criminal records, ensuring candidate privacy. Secondly, it sets clear rules for data collection, processing, and storage, boosting accuracy and security.
Additionally, GDPR promotes responsible data handling, enhancing the reputation of recruiters and employers.
Remember that compliance with GDPR is not only a legal obligation but also a valuable asset for the recruitment industry.