What is the GDPR and why does it exist?

A big part of recruitment is collecting candidate data and cold emailing. With a search engine like Google and other tools, you can easily scrape the web for any CVs and email addresses. If sifting through CVs for hours is not something you enjoy, you can go to websites selling access to CV databases neatly organized according to your criteria.

Candidate data has been the currency of the recruitment industry for decades, traded without any consent from the candidates themselves.

As you’re reading this, your CV might be part of a transaction somewhere. You have no idea who is doing that or what they’re up to with your personal data.

To curb such practices, the European Union (EU) has introduced the General Data Protection Regulation (GDPR). Coming into effect on May 28th 2018, the GDPR applies not only to EU citizens and businesses, but also to any business processing EU citizens’ data. Failing to comply with the GDPR can result in penalties of up to €20 million.

Download our GDPR handbook for recruitment here.

The GDPR will deeply shake up businesses capitalizing on personal data such as those in the recruitment industry. It will apply to all the candidate data you’ve ever collected, not just the data you get after the GDPR goes into effect. To help you get started, we’re going to cover some of the most important points of the GDPR relating to recruitment and talent acquisition.

Disclaimer: The following information should only act as guidelines. They mostly represent our point of view. It’s best to get your legal team’s aid on this matter. We will not assume legal liability for the accuracy of any information provided in whole or in part within this article.

But first, let’s get the definitions right…

We will apply certain terms in the GDPR to the context of recruitment.

“Data subjects” would mean candidates in general. And “personal data” would be any information that can be used to identify the data subject. This can range from candidates’ names, emails, phone numbers, to IP addresses.

“Controllers” decide the purpose of processing personal data (e.g. for an open position) and the means to do that. Controllers could be employers or recruitment agencies.

“Processors” would be applicant tracking systems or any legal bodies that process personal data on behalf of a controller.

“Processing” would mean any actions performed on personal data, such as collecting, recording, organizing, storing, using, and erasing.

Generally speaking, the GDPR aims to give power to the data subjects – the candidates – by bringing strict guidelines to both the controllers and the processors.

What does it mean for candidates?

No more personal data traded behind their backs. Candidates will have a say in what happens to their data.

Here are the six rights each data subject has, as listed under the GDPR.

1. Right of access by the data subject: Candidates can request to be informed of what you’re going to do with their data or even request a record of their personal data you collect.

2. Right to rectification: Candidates can request you to correct or update their data in your candidate database.

3. Right to erasure (“right to be forgotten”): Candidates can request you to delete their data from your candidate database.

4. Right to restriction of processing: Candidates can request you to suspend their data from being processed in your candidate database.

5. Right to data portability: Candidates can request you to export all their data from your candidate database.

6. Right to object: Candidates can request you to stop processing their data indefinitely.

To comply with these rights, you as the controller will need to revise your recruitment toolbox and revamp your entire recruitment process.

What does it mean for employers and recruitment agencies?

Essentially, the GDPR revolves around one thing – the data subject’s consent. You as the data controller will need candidates’ consent to 1) obtain their data (for yourself as the controller) and 2) process that data for recruitment purposes (for the processor acting on your behalf).

You will have to make it as easy as possible for candidates to withdraw their consent as well. Once that happens, you must stop processing their data and remove it on their request.

1. When you obtain candidate data for yourself as the controller

When candidates apply for your jobs, you should provide all the information below.

  • The name and contact details of your company or your company’s representative.
  • The purpose of processing the candidate data. It should be clear that the data will only be used for recruitment purposes.
  • If you’re a recruitment agency, you must disclose the recipients of the candidate data to the candidates. Which client(s) are you going to share the candidate data with?

When you receive candidates’ applications, you should provide more information.

  • How long you will store the candidate data. If it’s hard to give a clear timeline, you need to provide some criteria for the period. For example, the candidate data will be stored as long as the candidates are interested in career opportunities in your company.
  • How candidates can make a request in case they want to access, correct, erase, or restrict their data’s processing.
  • How candidates can withdraw their consent to the processing of their data.
  • Who candidates can contact in case they want to lodge a complaint regarding their data’s processing.
  • The necessity of the data provided by the candidates. Why do you need such data from candidates?
  • If there is automated decision-making in your recruitment process, including automated assessment of candidates’ suitability for employment, you will need to explain the logic behind such automation and its consequences for the candidates. Could the candidates be disqualified based on the results of the automation?
  • If you intend to use the candidate data for other purposes than recruitment, you will need to inform them before processing their data further.

In case you source candidates from the web or obtain their data via other indirect means, you should provide all the information below.

  • The name and contact details of your company or your company’s representative.
  • The purpose of processing the candidate data. It should be clear that the data will only be used for recruitment purposes.
  • The categories of the sourced candidate data. Is it employment history, contact details, or something else?
  • How long you will store the candidate data. If it’s hard to give a clear timeline, you need to provide some criteria for the period. For example, the candidate data will be stored as long as the candidates are interested in career opportunities in your company.
  • How candidates can make a request in case they want to access, correct, erase, or restrict their data’s processing.
  • How candidates can withdraw their consent to the processing of their data.
  • Who candidates can contact in case they want to lodge a complaint regarding their data’s processing.
  • The source where you obtained the candidate data and whether it is publicly accessible.
  • If there is automated decision-making in your recruitment process, including automated assessment of candidates’ suitability for employment, you will need to explain the logic behind such automation and its consequences for the candidates. Could the candidates be disqualified based on the results of the automation?
  • If you intend to use the candidate data for other purposes than recruitment, you will need to inform them before processing their data further.
  • If you’re a recruitment agency, you must disclose the recipients of the candidate data to the candidates. Which client(s) are you going to share the candidate data with?

If you don’t plan to reach out to the sourced candidates, all of the above information has to be given to the candidates within one month from the moment you obtain it.

If you plan to reach out to the sourced candidates, all of the above information has to be given to the candidates at the latest when you contact them for the first time.

If you are a recruitment agency, all of the above information has to be given to the candidates at the latest when you first share their data with your client(s).

2. When the processor processes candidate data on your behalf

Only after getting the candidates’ consent based on the information you provided above can you process their data. During that process, candidates can make requests within their rights under the GDPR and you need to act accordingly within one month.

1. Right of access by the data subject

When a candidate requests, you will send them a copy of their data along with the information you provided above regarding their consent.

2. Right to rectification

When a candidate informs you that their data is incorrect or incomplete, you will verify and update that data in your database right away.

3. Right to erasure (‘right to be forgotten’)

You will delete candidate data from your database when one of the points below applies.

  • The candidate data is no longer relevant to your recruitment process. For example, your business changes and you don’t need a specific role anymore, so you need to delete all candidate data collected for that role.
  • The candidates withdraw their consent to the processing of their data.
  • The candidates object to your processing of their data. (We will go into detail in number 6 “right to object” below.)
  • The candidate data was obtained unlawfully – you got it without the candidates’ consent.

If, by any chance, you have made the candidate data public and the candidates request that it be erased, you will not only remove it from your database but also inform other controllers who are processing that candidate data so that they remove it as well.

4. Right to restriction of processing

You will stop processing candidate data when one of the points below applies.

  • The candidates say that their data is not accurate. In this case, you can resume processing the candidate data after verifying its accuracy.
  • You got the candidate data without their consent, but they just want you to not process it instead of removing it entirely from your database. This means you can put the candidates in a talent pool and reach out to them later when a suitable position opens.

5. Right to data portability

You will export candidate data for the candidates on request. The exported files should be readable so that the candidates can use them for other employment opportunities.

6. Right to object

When a candidate requests, you will stop processing their data. Maybe they already accepted a job offer elsewhere. Or they just don’t want to be in your company’s candidate database.

Besides all of this, if your company has more than 250 employees, you’ll need to maintain a written record with the following information.

  • The name and contact details of your company or your company’s representative.
  • The purpose of processing the candidate data.
  • A description of the categories of the data subjects (candidates) and their personal data (candidate data).
  • The categories of the recipients you have shared the candidate data with.

With so much to take into account for the GDPR, the last thing you would want is a processor who is clueless or non-compliant. Contract with the right processors and more than half of the burden would be lifted from your shoulders.

What does it mean for applicant tracking systems (ATS)?

Most ATS would be classified as processors according to the GDPR. They process candidate data on behalf of employers or recruitment agencies. In order to stay compliant, they need to have all their processing activities governed by a contract under EU law. That contract will in particular require the ATS to:

  • Process candidate data only according to documented instructions from the controller(s).
  • Implement necessary measures to safeguard the candidate data, including:
    • The encryption or pseudonymization of candidate data.
    • The ability to maintain a high-quality processing system and service.
    • The ability to restore access to candidate data quickly in case of incidents.
    • Regularly testing and evaluating the measures to ensure the security of the processing.
  • Delete or return all candidate data to the controller(s) on request.
  • Demonstrate the ATS’ compliance with the GDPR to the controller(s).

If the ATS integrates with other processors, they will need to comply with the GDPR as well.

GDPR tips from Recruitee

The most important part of complying with the GDPR is setting up an infrastructure for your recruitment that can handle candidate data properly. Here are some of our suggestions.

1. Ask for a second approval

Usually, candidates consent to having their data processed only once, when they apply for your jobs. But it’s not rare for companies to store candidate data for future hiring activities. To avoid any issues, we advise asking your applicants for approval when you want to keep their CVs in your database after closing your job openings. For instance, when you send a rejection email to a candidate, ask in the email whether their data can be stored for later. With this, you get an explicit second approval from the data subject.

2. Adjust your terms for applicants

Make sure to update your privacy statements and outline the process of data handling in your recruitment process. You need to be transparent about what kind of data you collect and why. It would be wise to include the six rights of candidates in your terms. They should be clearly presented and separated from other information.

3. Make a data-sharing agreement (GDPR compliant) with partners

Are you a recruitment agency sharing candidates with clients? Or do you share candidates among different companies under one umbrella organization? You should put a data-sharing agreement in place regarding the GDPR.

4. Contract with processors based in the EU

Every company doing business with the EU will have to comply with the GDPR, even when you process just one candidate from the EU. As the controller, you can only use processors that provide sufficient measures to meet the GDPR’s requirements. For example, it’s best to contract with an ATS hosting and handling data within the EU like Recruitee. We and our data centers are ready to fully comply with the GDPR.

5. Contract with processors with a strong privacy policy

Choose an ATS that encrypts all candidate data. At Recruitee, we go the extra mile and encrypt all your confidential messages as well as login information. This is to ensure the highest level of security to the data you entrust us with.

6. Keep your candidate database clean

Collect candidate data for recruitment purposes only. Don’t use it for anything else. Your ATS can help ensure that only relevant candidate data is obtained. For example, the application form Recruitee offers has fields relating to recruitment only like “cover letter” and “CV”.

Remember to inform candidates of the extent of their data’s processing and how long it will be stored. For example, with Recruitee, employers can put their terms and conditions for applicants in all job descriptions. When a candidate applies, they can give their consent by simply checking the box next to the terms and conditions.

If you are no longer considering a candidate, you should remove their data from your system. In case you have old records of candidate data without the candidates’ consent, it’d be best to contact them, asking for their consent and providing all the information we list above. (We will offer all of our clients the means to do so in 2018.) Who knows, you might end up building a great relationship with the talent!

7. Stay compliant while sourcing

Sourcing is still going to play an important role in recruitment. Just make sure that you follow all the appropriate steps according to the GDPR. Provide all the information the candidates need to know the first time you reach out to them or the first time you share their data with a client. Candidates always appreciate an employer’s candor and you might just score a great start in their candidate experience journey.

Conclusion

There are only around 200 days left until the GDPR takes effect. The final countdown on the official website of the GDPR is ticking. You will need to have everything in place, from your own terms to your partners’ and the processors you choose, before May 2018. Here at Recruitee we’re all set for the GDPR and we’re more than happy to help you lessen the burden. Want to get cutting-edge recruitment technology while staying compliant with the GDPR? Try Recruitee for free and let us know your needs!
