GDPR and recruitment

GDPR - A recruiter's guide

With GDPR around the corner, recruiters will need to take a look at their data handling processes and recruitment guidelines. Many aspects of businesses will be affected by the incoming legislation: buying thousands of contacts for sales and marketing purposes, for example, will no longer be permitted. This also extends to 3rd party data collection, which is a big part of the recruitment process when scouting for candidates.

GDPR will come into effect on the 25th of March; as it is unaffected by Brexit, the UK will automatically adopt the new regulations with the rest of Europe. With only 30% of the global workforce being active jobseekers, and 70% being passive talent waiting to be ‘scouted’, GDPR protocols may very well put a strain on talent acquisition. 92% of recruiters are currently using social media to find talent, and 37% claim to find their best talent through job board ‘speccing’. It is therefore imperative for companies in the recruitment sector to be aware of the dos and don’ts of GDPR, so that they avoid policy violations and security breaches.

What recruiters need to know:

Inform - It might be a given, but it can easily be overlooked: everyone in the company who is involved with the recruitment process or data handling activities needs to be informed about the new legislation. It is advisable to gather all relevant employees and explain what GDPR is, when it will come into effect and how the new regulations will affect their role. Not everyone is going to have the same goals and hiring methodology; therefore, it is crucial to make sure every employee is clued up on what they can carry on doing and what they need to change. This will go a long way in avoiding security breaches and protocol violations, which can lead to being investigated by a governing body.

Rights - Client/Candidate rights have changed. A candidate has the right to request information on personal data held on them by a company. This means it is mandatory to share why, where and how you are using their details, as well as how you obtained them. They are also entitled to ask for access to any/all data held on them, or to ask that it be deleted upon demand. This is a significant change in the new data protection act and serves to protect customers from the fast-growing, easy-access digital database that has been created over the past decade through the facilitation of the internet.

Consent - From the dawn of the internet, candidate information has been obtained through ‘implied consent’, whether through social media, job boards, universities or other 3rd party organisations. When GDPR sets in, however, consent will have a completely different meaning. Recruiters will have to wait for direct permission before they can store, use or share information gained through online CV profiles.

More often than not, recruiters will examine a candidate’s social media profile. As long as the personal information that is inspected through social media is related to the job in question, there are no legal restrictions against it. It may be advisable to think twice before doing so, however: if the applicant is rejected and learns their social media was reviewed, they could argue that the rejection was based on discriminatory grounds. Additionally, employers are only allowed to use and store candidate data (after consent) if the information acquired is relevant to the assessment and performance of the applicant. Consent acquired for recruitment use therefore does not extend to consent for other purposes; candidates must opt in to SMS or email marketing by the same company.

Fines – Recruiters need to be aware of the hefty fines they could incur if they don’t follow the new GDPR protocols. Security breaches need to be reported within 72 hours to the ICO (Information Commissioner’s Office) in the UK; after this time you could face a €10 million fine or 2% of the company’s global gross revenue for record keeping violations, or a €20 million fine or 4% of the company’s global gross revenue for violation of legal justification of data processing, consent or transfer.

What recruiters need to do:

Data mapping – In order to identify all potential data security risks, recruiters are advised to complete a data mapping exercise. This entails identifying, processing, and mapping out all the data flows of the company from obtainment to use. Clarifying the journey that the candidates’ data takes will ensure transparency at each stage of the recruitment process, avoiding any mishaps in data handling.

Centralised system – Creating a centralised system to store all your candidates’ information will also contribute to transparency and ease of data management. Keeping all your contacts in one location will facilitate record keeping, and aid in monitoring data handling activity. As compliance with data viewing requests will be mandatory, it is vital for such information to be readily available and easily accessible. Having a centralised storage system will ensure you comply with candidate rights and avoid any ‘lost-data’ distress within the company.

Paper-trail – One of the most important steps recruiters need to take is to document, document, document! At every stage of the candidates’ journey, all activity, data processes, interactions, and held information need to be documented. As lengthy as this may sound, it will go a long way in protecting both company and recruiter alike. With a paper-trail created of all data movement, oversights will be minimised and accountability will be clear, and if issues should arise, or data handling processes are questioned, evidence and support will be conveniently tracked and stored. ATS/recruitment software activity will also need to be recorded, as well as onboarding processes.

Privacy Notice – Your privacy notice will need to be reviewed and possibly updated. It should also be accessible to candidates on your careers website, as this will be a legal requirement. Your privacy notice(s) should clearly state what personal data you will be collecting, why, and how you will be using it. Any 3rd party handling or transfer, the length of time you will store the data, and candidates’ rights will also need to be outlined, along with your company’s identity, contact details and any automated management systems in place. If you share personal information with 3rd parties such as RPO, umbrella or payroll companies for salary payments, then you must have a GDPR-compliant data sharing agreement prepared.

Following all these guidelines before GDPR takes effect will ensure a smoother transition with fewer mistakes. Recruitment is at the heart of data collection, with masses of personal data being handled on a daily basis; it is therefore essential that everyone involved in the hiring process has a full working knowledge of the new regulations. So, to recap: promote awareness within the business, understand new candidate rights and consent requirements, review and re-organise your data processing structure into one centralised system, and create a paper-trail of any data movement internally and externally. As long as you have all your ducks in a row there’s no need to panic; GDPR may bring about a few changes to give candidates greater control over personal information that has been flying around the internet unregulated, but the new policies in place will serve to protect your company too.


Sources:

Osborne Clarke legal practices

Information Commissioner's Office 

 
