Ever since GDPR came into effect back in 2018, organizations have needed to be very careful with collecting, processing, and storing sensitive personal data of EU citizens and residents.
This law also covers the recruitment process, and failure to comply will result in hefty fines for your company. The reason is obvious: as an employer, you will store and have access to your applicants’ data.
Here are some tips to help you identify and hire top talent without violating the GDPR.
Understand the Basic GDPR Terms
When implementing GDPR, different industries use different terminology, so it’s important to define the language specific to the context of recruiting.
- Data subjects
This term refers to your candidates since they provide sensitive personal data based on which they can be identified. For example, recruiters, business managers, or data controllers will have access to candidates’ resumes containing personal information such as their address, phone number, date of birth, etc.
- Data controllers
In this case, employers and recruiters are data controllers because they determine for which purpose and how candidate data will be processed. It’s their responsibility to ensure this data is properly handled and protected.
- Data processors
These are third-party services or software that will process candidate data on your behalf, so you have to make sure that they’re GDPR compliant. For example, an applicant tracking system (ATS) is the software you can use to streamline your recruitment and hiring process.
Obtain and Document Candidate Consent
According to GDPR, companies are required to ask potential candidates for consent when collecting, processing, and storing their personal data. It’s essential to document candidate consent in a written or digital form and keep it as evidence.
Inform each candidate about who will have access to their data, how you will process and store it, as well as for how long. They also have to provide consent for each of these instances. Transparency is crucial for staying GDPR compliant, so make sure to provide full disclosure regarding where you store candidate data. Also, explain that you won’t retain it for longer than necessary.
Remember that personal data is a huge liability.
Besides that, candidates have the right to access your records and check what data you have about them.
Finally, if a candidate withdraws their consent, you must act on this request and delete their data immediately.
How to Obtain Consent
For initial consent, you should create an online form and ask your candidates to check a box confirming that they have read your privacy policy and that they give you consent to process their data.
Implement this form on your careers page and job boards where you post your job ad. Make sure that these job boards are also GDPR-compliant.
Even if you’re collecting resumes in person, you need to ask your candidates to fill out a form and give permission to manage their personal data.
What About Passive Candidates?
Targeting passive candidates is an effective recruitment tactic, and you can still take advantage of it despite GDPR constraints.
The only thing you need to prove is that you have a legitimate interest in them, meaning that you genuinely believe they could be the right fit for a position in your company.
In that case, ask for their consent immediately after you reach out to them.
Do You Need a Second Approval?
When you obtain consent for processing candidate personal data, it’s valid only for that particular job application. In other words, once they get a rejection letter, you are supposed to delete their data.
However, if you want to store their data for future use, that is, for another round of hiring, you need a second approval that will allow you to keep their CV in your database.
Polish Your Recruitment Data Privacy Policy
A well-structured and informative privacy policy will help you stay compliant and avoid potential legal issues.
Leave nothing to chance and address all the potential questions and dilemmas your candidates might have in your privacy policy.
- Provide the name and contact details of your company and your appointed Data Protection Officer (if you have one).
- Include a statement informing your candidates that your company collects their personal data for recruitment purposes only and expressing a legitimate interest in them.
- Explain what types of data you will store in your company files.
- List all those who will have access to their data.
- Outline the timeline for how long you will store this data.
- Discuss strategies you will use to secure candidate data.
- Instruct candidates on how they can take action and request that you rectify or delete certain information from your files.
Make this policy visible and easily accessible by including a link in your job ad or careers page.
Conduct a Data Audit
It’s worth mentioning that data collected before May 2018 is also subject to GDPR.
This means you should revisit your recruitment files or company databases, check candidate data, and make necessary changes in a manner that reflects GDPR requirements.
First of all, list all the sources you use to collect data. If you obtained personal data unlawfully, delete it and improve your sourcing process.
Then, evaluate whether all the data you collected prior to 2018 was absolutely essential for the recruitment process. If not, delete it.
Rethink data access and, if necessary, revoke permissions so only relevant people can have insight into candidate files.
Finally, reevaluate your data map, that is, how the data moves through your company’s different departments and how it is modified or deleted.
This audit will allow you to ensure GDPR compliance and establish whether candidates from your existing talent pool are still a good match. If you’re no longer interested in certain candidates, then there’s no reason why you should retain their data.
In Closing
Provide your active and passive candidates with all the information they need to be sure that your organization processes personal data in a GDPR-compliant manner. By educating your candidates about their rights and your responsibilities, you’ll be able to protect your reputation, avoid expensive penalties, and run smooth recruitment and hiring processes.
HR Future Staff Writer