Just those 4 letters are enough to have eyes rolling, panic setting in, and/or confusion swirling around the brain: GDPR. But what is GDPR? Who does it apply to? And how does GDPR specifically impact recruitment?
By now you have undoubtedly heard and read a lot about Europe’s privacy laws and their impact on the way businesses handle consumer data.
That’s all well and good, but little has been discussed about the consequences of GDPR for recruitment.
As recruitment processes involve a lot of data processing, you’ve probably put two and two together and have a hunch that you need to do some digging. You probably know that your recruitment processes will be highly affected by GDPR. But what you might not know is how, why, and to what extent.
So, we’ve come to the rescue! In this article, we’ll help you understand how you can make your recruitment GDPR compliant.
Before we dive into GDPR in recruitment, let’s take a look at GDRP as a whole.
What is GDPR?
GDPR stands for General Data Protection Legislation. The European Union brought the law into effect in May 2018. GDPR as a whole governs and protects people’s data by amending the way others can collect, use, process, store, and remove personal data. This personal data refers to any data that can identify a living person.
GDPR functions and thrives due to its key principles:
- Transparency, fairness, and lawfulness
- Using the data for the lawful purpose that it was collected
- Only accumulating data that is needed
- Making sure the data is accurate
- Confidentiality
- Integrity
- Accountability
While GDPR can cause a few eye rolls, it’s often down to grappling with what it means for organizations.
GDPR is important because it makes sure all companies that collect data are following a single set of rules.
Plus, it empowers people and gives them control over how their data is actively used.
Consider that, before GDPR was put into motion, the European Commission discovered that only 15% of citizens felt like they had total control over their data that they provided online.
That’s a huge proportion who felt out of control, and that has a direct link to mistrust. Now that GDPR is a legal requirement, this statistic is likely to improve.
The key elements of GDPR are:
1. Extended Jurisdiction
Essentially, this means that GDPR applies to organizations of all sizes, both inside and outside of the EU.
2. Consent
All data must be given with clear, specific consent.
3. Right to Access
Anyone who has given their data has the right to view their personal information, and an organization must do so.
4. Right to be Forgotten
If anyone who has provided their data decides they want their information destroyed, the company must comply.
5. Data Protection Officer
To make sure that data protection rules are being met, companies are now expected to have a data protection officer on their team.
6. Penalties
The ICO (Information Commissioner’s Office) can fine an organization up to 4% of their global turnover or up to 20 million euros - whichever is highest - if there’s a data breach.
What is GDPR for recruitment?
Data collection is important in recruitment. From collecting and processing candidate data to cold emailing, we rely on communication and data is fundamental to this.
By using different tools and search engines, you can easily scrape the web for CVs and the email addresses of potential candidates. There are also many websites where recruiters can buy an entire database of CVs that fit their search criteria.
Candidate data has become the currency of the recruitment industry. For the most part, this is without the consent or even the knowledge of the candidates themselves.
Or, so it was. Enter GDPR.
GDPR profoundly shook up businesses that capitalized on personal data such as those in the recruitment industry. It applies to all the candidate data you’ve ever collected, not just the data you collected after GDPR went into effect.
Who knew GDPR in recruitment could be such a headache to rectify, huh?
But don’t panic. To help you get started, we’re going to cover some of the most important points of GDPR in recruitment and talent acquisition.
Important Definitions:
Of course, GDPR’s implementation will mean different things across different industries and specific companies. Naturally, we will apply certain terms in GDPR to the context of recruitment.
So, with that in mind, the term “data subjects” refers to your job candidates and “personal data” is any information that can be used to identify the data subject. This could, for example, be a name, email, or phone number.
“Controllers” are the entities that decide what and how personal data is processed. Employers and recruitment agencies are some examples of controllers.
“Processors” are applicant tracking systems or any legal bodies that process personal data on behalf of a controller.
“Processing” refers to any action that can be performed on personal data, such as collecting, recording, organizing, storing, using, and erasing.
Generally speaking, GDPR aims to give power to the data subjects – the candidates – by bringing strict guidelines to both the controllers and the processors.
What does GDPR mean for candidates?
For candidates, GDPR means, in simple terms, that they have a lot more control over their data. Personal data can not be traded anymore without their consent or knowledge.
Previously, we looked at the key aspects of GDPR as a whole. Now, let’s consider each of them in the recruitment world:
1. Right of access by the data subject: Candidates can request to be informed of what you’re going to do with their data or even request a record of their personal data you collected.
2. Right to rectification: Candidates can request you to correct or update their data in your candidate database.
3. Right to erasure (“right to be forgotten”): Candidates can request you to delete their data from your candidate database.
4. Right to the restriction of processing: Candidates can request you to suspend their data from being processed in your candidate database.
5. Right to data portability: Candidates can request you to export all their data from your candidate database.
6. Right to object: Candidates can request you to stop processing their data indefinitely.
To comply with the rights of the candidates, you as the controller will need to thoroughly review your recruitment toolbox and revamp your entire recruitment process.
What does GDPR mean for employers and recruitment agencies?
Essentially, GDPR revolves around one thing: the data subject’s consent. You, as the data controller, will need your candidates’ permission to 1) obtain their data and 2) process that data for recruitment purposes (for the processor acting on your behalf).
You’ll need to make it as straightforward and obvious as possible for candidates to withdraw their consent as well. Once that happens, you must stop processing their data and remove it upon their request.
GDPR recruitment process
It’s clear that GDPR in recruitment is a large shift for all hiring managers and recruiters. In fact, the pivot is felt by all industries.
However, how does GDPR specifically impact the recruitment process?
1. When you obtain candidate data for yourself as the controller
When candidates apply for your jobs, you should provide all the information below.
- The name and contact details of your company or your company’s representative.
- The purpose of processing the candidate data. It should be clear that the data will only be used for recruitment purposes.
- If you’re a recruitment agency, you must disclose the recipients of the candidate data to the candidates. Which client(s) are you going to share the candidate data with?
When you receive candidates’ applications, you should provide some additional information.
- How long you will store the candidate data. If it’s hard to give a precise timeframe, you need to provide some general information about this. For example, the candidate data will be stored as long as the candidates are interested in career opportunities in your company.
- How candidates can request access, correct, or erase their data.
- How candidates can withdraw their consent to the processing of their data.
- Who candidates can contact in case they want to file a complaint regarding the processing of their data.
- The necessity of the data provided by the candidates. Why do you need such data from candidates?
- If there is automated decision-making, including automated assessing of candidates’ employment ability, in your recruitment process, you will need to explain the logic behind such automation and the consequences of this automation for the candidates. Could the candidates be disqualified based on the results of the automation?
- If you intend to use the candidate data for other purposes than recruitment, you will need to inform them before processing their data further.
In case you source candidates from the web or obtain their data via other indirect means, you should provide all the information below.
- The name and contact details of your company or your company’s representative.
- The purpose of processing the candidate data. It should be clear that the data will only be used for recruitment purposes.
- The categories of the sourced candidate data. Is it employment history, contact details, or something else?
- How long you will store the candidate data. If it’s hard to give a clear timeline, you need to provide some criteria for the period. For example, the candidate data will be stored as long as the candidates are interested in career opportunities in your company.
- How candidates can make a request in case they want to access, correct, erase, or restrict their data’s processing.
- How candidates can withdraw their consent to the processing of their data.
- Who candidates can contact in case they want to file a complaint regarding the processing of their data.
- The source where you obtained the candidate data and whether it is publicly accessible.
- If there is automated decision-making, including automated assessing of candidates’ employment ability, in your recruitment process, you will need to explain the logic behind such automation and the consequences of the automation for the candidates. Could the candidates be disqualified based on the results of the automation?
- If you intend to use the candidate data for other purposes than recruitment, you will need to inform them before processing their data further.
- If you’re a recruitment agency, you must disclose the recipients of the candidate data to the candidates. Which client(s) are you going to share the candidate data with?
If you don’t plan to reach out to the sourced candidates all of the information above has to be given to the candidates within one month from the moment you obtain it and when you contact them at the latest.
If you’re a recruitment agency, the information above has to be given to the candidates when you first share their data with your clients at the latest.
2. When the processor processes candidate data on your behalf
Only after getting the candidates’ consent based on the information you provided above can you then process their data. During that process, candidates can make requests within their rights under GDPR and you need to act accordingly within one month.
1. Right of access by the data subject
When a candidate requests, you will send them a copy of their data along with the information you provided above regarding their consent.
2. Right to rectification
When a candidate informs you that their data is incorrect or incomplete, you will verify and update that data in your database right away.
3. Right to erasure (‘right to be forgotten’)
You will delete candidate data from your database when one of the points below applies.
- The candidate data is no longer relevant to your recruitment process. This happens when you are not hiring for a particular role anymore for example. You will then need to delete all the data of the candidates that applied for that role.
- The candidates withdraw their consent to the processing of their data.
- The candidates object to the processing of their data (more details in point 6 below).
- You obtained the candidate’s data unlawfully.
If by any chance, you have made the candidate data public and the candidate requests you to erase the data, you will not only have to remove it from your database but get it removed from the databases of the controllers that got the data from you.
4. Right to the restriction of processing
You have to stop processing candidate data when one of the points below applies.
- The candidates say that their data is not accurate. In this case, you can resume processing the candidate data after verifying its accuracy.
- You got the candidate data without their consent, but they just want you to not process it instead of removing it entirely from your database. In this case, you can put the candidates in a talent pool and reach out to them when a suitable position opens.
5. Right to data portability
You will export candidate data for the candidates on request. The exported files should be readable so that the candidates can use them for other employment opportunities.
6. Right to object
When candidates request you to stop processing their data, you are obliged to comply with their request. Apart from all the points above, if your company has more than 250 employees, you will need to maintain a written record of the following:
- The name and contact details of your company or your company’s representative.
- The purpose of processing the candidate data.
- A description of the categories of the data subjects (candidates) and their personal data (candidate data).
- The categories of the recipients you have shared the candidate data with.
With so much to take into account regarding GDPR in recruitment, the last thing you want is a processor who is clueless or non-compliant. It’s fundamental, then, that you only collaborate with the right processors.
What does GDPR mean for applicant tracking systems (ATS)?
Most ATS’s are classified as processors according to GDPR. They process candidate data on behalf of the employers or recruitment agencies.
To make sure that you are GDPR compliant, ATS’s need to have all their processing activities governed by a contract under the EU’s law. That contract will demand the ATS to:
- Process candidate data only according to documented instructions from the controller(s).
- Implement necessary measures to safeguard the candidate data, including: the encryption or pseudonymization of candidate data; the ability to maintain a high-quality processing system and service; the ability to restore access to candidate data quickly in case of incidents; regular testing and evaluating the measures to ensure the security of the processing.
- Delete or return all candidate data to the controller(s) on request.
- Demonstrate the ATS’ compliance with GDPR to the controller(s).
If the ATS integrates with other processors, they’ll also need to comply with GDPR.
GDPR for recruitment agencies tips
The most important part of complying with GDPR is setting up an infrastructure for your recruitment process. It should be able to handle candidate data properly and be GDPR compliant.
But what does that look like in recruitment agencies? Here are some of our suggestions to ensure positive GDPR compliance in recruitment:
1. Ask for a second approval
Usually, candidates consent to have their data processed only once when they apply for a job. Companies, however, often store candidate data for future hiring as well.
To avoid any issues, we highly recommend you ask for a second approval from your applicants when you want to save their CVs in your database for future hiring.
For instance, when you send a rejection email to a candidate, ask for their consent for storing their data. This way you know for sure whether candidates are okay with you putting them in your talent pool.
Make sure your message clearly explains that you’d like to use their data to keep them informed of any vacancies that may crop up in the future that would suit them. Clarity is key.
2. Adjust your terms for applicants
Make sure you update your privacy policy and outline the process of data handling in your recruitment process.
You need to be 100% transparent about what kind of data you collect and why. It would be wise to include the six rights of candidates in your terms. They should be presented clearly and separately from other information.
3. Make a data-sharing agreement (GDPR compliant) with partners
Are you a recruitment agency sharing candidates with clients? Or do you share candidates among different companies under one umbrella organization? You should put a data-sharing agreement in place regarding GDPR.
4. Contract with processors based in the EU
Every company doing business with the EU will have to comply with GDPR, even when you process just one candidate from the EU. As the controller, you can only use processors that provide sufficient measures to meet GDPR’s requirements.
5. Contract with processors with a strong privacy policy
Choose an ATS that encrypts all candidate data. At Recruitee, we go the extra mile and encrypt all your confidential messages and your login information. This is to guarantee the highest level of security to the data you entrust us with.
6. Keep your candidate database clean
You should collect candidate data for recruitment purposes only. Don’t use it for anything else. Your ATS can help ensure that only relevant candidate data is collected.
If you no longer consider a candidate fit for the role, you should remove their data from your system. In case you have old records of candidate data without the candidates’ consent, you should ask them for their consent.
Who knows, you might end up building a great relationship with the talent and transforming your company as you know it.
7. Stay compliant while sourcing
Sourcing is still going to play an essential role in recruitment. Just make sure that you follow all the appropriate steps according to GDPR. Provide all the information the candidates need to know the first time you reach out to them or the first time you share their data with a client.