GDPR is now 1 year old...happy birthday you administration nightmare! Ask yourself: Is your recruitment process GDPR compliant?
Since 25 May 2018, any company that collects the personal data of people in the EU must comply with the General Data Protection Regulation (GDPR). The law gives individuals control over how their personal data is used, and since it took effect it has reshaped recruitment practice.
Employers that fail to meet these standards when collecting, processing and storing candidate data face substantial fines as well as damage to their reputation. Given the number of individuals involved in a typical hiring campaign, complying with the law during recruitment can seem an impossible task, and for many employers it still does.
Read our five simple steps to help you ensure your entire recruitment process is efficient, streamlined and GDPR compliant.
Disclaimer: This is BidRecruit's opinion and advice and is not legal advice or requirement.
1. Always Ask for and Document Candidate Consent
Where you rely on consent as your lawful basis for handling candidate data, GDPR requires that you ask for it in a clear and intelligible way, separately from any other terms, before you collect or process the data. Consent must be as easy to withdraw as it was to give: if a candidate withdraws it, or asks you to delete their data, you must act on the request and stop processing.
To demonstrate that your company is GDPR compliant, keep written or digital records of how and when each candidate gave consent, exactly what they were told at the time, and which recruitment process the consent covers (a specific vacancy, or your talent pool in general). Those records should show that the candidate was informed where their data is stored, who will have access to it and how it will be processed, since consent that was not informed is not valid consent.
Even if candidates hand you CVs or directly apply at recruiting events such as job fairs, you must document their consent by creating standard forms for the candidate to sign, or by using recruitment technology that automatically collects consent.
You can still source passive candidates if you have a “legitimate interest” in them. This means you genuinely want to consider them for a position at your company, and you can show that your interest does not override their privacy (write that reasoning down; regulators expect to see it). Relying on legitimate interest does not remove your transparency duties: when you first contact a sourced candidate you must tell them what data you hold, where you obtained it, why you are processing it and how they can object, and if you want to keep processing their data on the basis of consent you must ask for it at that point.
Examples include candidates your hiring team found on LinkedIn or other social media, and candidates recommended to you through employee referrals.
You can also attract passive candidates on your careers page with an expression of interest form and a consent box, allowing you to build up a talent pool with consent.
2. Give Candidates a Privacy Notice
Whenever you collect candidate data, whether through an application form, at a job fair or by sourcing, the candidate should be given a privacy notice that includes:
- The name and contact details of your company, including the contact details of any Data Protection Officer you may have appointed
- A statement explaining that any data requested from candidates will only be used for recruitment purposes, and the lawful basis you rely on for that processing (consent, or “legitimate interest” for sourced candidates)
- An outline of what candidate information will reside in your company’s files, such as contact details, social and professional profiles, and previous work experience
- The names or titles of who you will share the data with, such as the department manager or any colleagues who are direct participants in the hiring process, and any third party that processes the data on your behalf, such as your recruitment software provider
- A timeline for how long your company plans to store the candidate’s data
- A statement explaining how you will protect the candidate’s data, and how they can exercise their rights to access, correct or erase it
3. Stay Transparent With Candidates Throughout the Entire Recruitment Process
Throughout the recruitment process, you must explicitly inform the candidates every time you collect and process their data. You should also explain how and why you are doing so.
All candidates should also have the opportunity to consent to data processing in a transparent way. That means clear, unticked check boxes or signatures, never pre-ticked boxes or automatic opt-ins.
For example, if you told a candidate that you would keep their information until the position is filled, you need to inform them once that has happened. If you decide not to hire the candidate but still want to hold on to their data for future recruitment purposes, you can keep them up to date in your rejection email. In this email:
- Explain why you want to continue to store the candidate’s data
- Provide a timeline for how long you plan to keep their information
4. Perform a Data Audit
GDPR also applies to any data that your company collected before May of 2018. This means that you should review any files or databases where you currently store candidate data in order to ensure that it is up to standards. You can do this by conducting an official and thorough data audit.
When conducting a data audit, ask:
- What sources do we use to collect candidate data? These could be anything from direct application forms to LinkedIn profiles.
- What data do we collect, and which of it do we not actually need? All the data you collect should be necessary for recruitment; otherwise you shouldn’t take it.
- How do we use candidate data during recruitment? This could be during screenings or when contacting candidates for interviews.
- Where do we store candidate data, and who has access to that data? If you use recruitment technology, you may have the ability to give only specific colleagues access to the database.
- Where does data move throughout our company during or after the recruitment process? You may transfer the data of your top candidates to the department that is hiring so those managers can contact them.
- How do we modify, delete or transfer candidate data? This could be over email, or it could be centralised on a digital platform.
During the audit, you should determine which candidates are still realistic matches for future roles at your company. If a candidate is unlikely to be a good fit, or is no longer relevant to the positions you are hiring for, delete their data. If you do decide to keep information about a candidate in your database, contact that candidate, tell them you are still processing their data and obtain their consent, deleting all of their data if consent is not given or if they do not reply.
5. Use an Applicant Tracking System that is GDPR Compliant
An Applicant Tracking System (ATS) or recruitment software can be a lifesaver when it comes to GDPR compliance. This is because certain recruitment technology has the ability to:
- Store all of your candidate data in one place, making it easier to delete or modify information if a candidate withdraws their consent
- Easily automate the process of obtaining and storing candidate consent
- Set a retention period for candidate data so the system automatically deletes all of a candidate’s data once that period lapses
- Provide a secure and compliant place for HR and hiring managers to review CVs and provide feedback on candidates
- Include data processing and hiring policies on the candidate application form. Collect candidate permissions to process data on application
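As an added example, not BidRecruit’s code or the API of any real ATS, here is how the consent records from step 1 and the automatic retention purge from step 5 can be modelled in one small ledger. Candidate names, purposes, sources and dates are constructed for illustration; the point it makes beyond the text is that deletion must be decided per candidate across all purposes, so an expired application consent does not wipe a still-valid talent-pool consent, while a withdrawal ends processing immediately regardless of the retention period.

```python
"""Consent-and-retention ledger for candidate data (added example, not BidRecruit's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

UTC = timezone.utc
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=UTC)   # "today" for the sample run below


@dataclass
class ConsentRecord:
    candidate_id: str
    purpose: str                  # e.g. "application:req-42" or "talent-pool"
    given_at: datetime            # when the box was ticked or the form signed
    retention: timedelta          # the storage period the candidate was told about
    source: str                   # where consent was captured: form, job fair, outreach
    withdrawn_at: Optional[datetime] = None

    def expires_at(self) -> datetime:
        return self.given_at + self.retention

    def is_valid(self, now: datetime) -> bool:
        # Consent covers processing only until it is withdrawn or the
        # promised retention period lapses, whichever comes first.
        return self.withdrawn_at is None and now < self.expires_at()


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}   # (candidate, purpose) -> record
        # Append-only trail you can show a regulator: (when, action, candidate, purpose).
        self.audit_log: List[Tuple[datetime, str, str, str]] = []

    def record_consent(self, rec: ConsentRecord) -> None:
        self._records[(rec.candidate_id, rec.purpose)] = rec
        self.audit_log.append((rec.given_at, "consent_given", rec.candidate_id, rec.purpose))

    def withdraw(self, candidate_id: str, purpose: str, when: datetime) -> None:
        rec = self._records[(candidate_id, purpose)]    # KeyError if no such consent exists
        if rec.withdrawn_at is None:                     # repeat withdrawal requests are harmless
            rec.withdrawn_at = when
            self.audit_log.append((when, "consent_withdrawn", candidate_id, purpose))

    def candidates(self) -> List[str]:
        return sorted({cid for cid, _ in self._records})

    def due_for_deletion(self, now: datetime) -> List[str]:
        # A candidate is purged only when no purpose still carries valid consent.
        live = {cid for (cid, _), rec in self._records.items() if rec.is_valid(now)}
        return sorted(set(self.candidates()) - live)

    def purge(self, now: datetime, delete_fn: Callable[[str], None]) -> List[str]:
        gone = self.due_for_deletion(now)
        for cid in gone:
            delete_fn(cid)   # caller removes CV, notes and emails from the real store
            for key in [k for k in self._records if k[0] == cid]:
                del self._records[key]
            self.audit_log.append((now, "data_deleted", cid, "*"))
        return gone


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: four fictitious candidates."""
    ledger = ConsentLedger()
    ledger.record_consent(ConsentRecord("alice", "application:req-42", datetime(2024, 1, 10, tzinfo=UTC),
                                        timedelta(days=180), "careers-form"))        # still within 180 days
    ledger.record_consent(ConsentRecord("bob", "talent-pool", datetime(2023, 1, 1, tzinfo=UTC),
                                        timedelta(days=365), "job-fair-form"))       # lapsed 2024-01-01
    ledger.record_consent(ConsentRecord("carol", "application:req-42", datetime(2024, 4, 2, tzinfo=UTC),
                                        timedelta(days=180), "careers-form"))
    ledger.withdraw("carol", "application:req-42", datetime(2024, 5, 15, tzinfo=UTC))  # withdrew early
    ledger.record_consent(ConsentRecord("dave", "application:req-7", datetime(2023, 6, 1, tzinfo=UTC),
                                        timedelta(days=180), "linkedin-outreach"))   # lapsed 2023-11-28
    ledger.record_consent(ConsentRecord("dave", "talent-pool", datetime(2024, 3, 1, tzinfo=UTC),
                                        timedelta(days=365), "careers-form"))        # keeps dave alive
    return ledger


def run_retention_job(now: datetime) -> dict:
    """One scheduled run of the purge; returns what was deleted and what remains."""
    ledger = build_sample_ledger()
    store_deleted: List[str] = []
    gone = ledger.purge(now, store_deleted.append)
    return {"deleted": gone, "kept": ledger.candidates(),
            "store_deleted": store_deleted, "audit_entries": len(ledger.audit_log)}


if __name__ == "__main__":
    print(run_retention_job(SAMPLE_NOW))
```

Run on the sample date, the job deletes bob (retention lapsed) and carol (consent withdrawn), keeps alice and dave, and leaves an audit trail of every consent, withdrawal and deletion that a data audit in step 4 can be built on.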
Recruitment software kept under proper access control is more secure and reliable than traditional forms of data storage and processing such as manual spreadsheets. A spreadsheet can be deleted without a backup, copied and edited without the owner’s knowledge, or forwarded to people who have no business seeing it, so you lose track of where candidate data has gone and whether the candidate ever consented to it going there.
Ask your ATS/recruitment software provider if they are GDPR compliant and how they ensure that your data is protected. As a processor handling data on your behalf, they must sign a data processing agreement with you, so ask for it, and ask where the data is hosted, which sub-processors they use and how they prove deletion once a retention period lapses. You should also look for recruitment software that uses the cloud. According to Gartner, 60% of companies that implement appropriate cloud tools experience one third fewer security failures.
Want to get on track and ensure that you stay GDPR compliant throughout the entire recruitment process? BidRecruit is here to help!
Book a demo with one of our product experts today and start hiring smarter.