Ensure GDPR Compliance When Recruiting in 5 Steps

As of May 2018, any company that collects data of EU residents must comply with the General Data Protection Regulation (GDPR). This is a law that helps people protect their personal data, and since its creation, has a major effect on recruitment processes.

This is because employers can access and store candidate data. This law was, and still is, a seemingly impossible task to overcome and can carry major fines, as well as the potential impact to a company reputation if they do not meet these GDPR standards when collecting and processing candidate data, especially considering the potential number of individuals involved when hiring.

Read our five simple steps to help you ensure your entire recruitment process is efficient, streamlined and GDPR compliant. ‍

Disclaimer: This is Occupop's opinion and advice and is not legal advice or requirement.
‍

‍

1. Always ask for, and document candidate consent

GDPR requires you to always ask for consent in a clear and intelligible way when collecting or processing candidate data. Additionally, if the candidate withdraws their consent or asks you to delete their data, you are required to comply.

In order to demonstrate that your company is GDPR compliant, you should keep either written or digital records of how and when candidates gave their consent, as well as what recruitment process they gave their consent for. Each candidate must consent to where you store their data, who will have access to their data and how you will process their data.

Active candidates:

You can obtain consent from candidates who apply through job boards or your careers page by asking them to check a box or give a digital signature stating that they have read your privacy policy and allow you to use their data. You should also ensure that the job boards you use are GDPR compliant.

Even if candidates hand you CVs or directly apply at recruiting events such as job fairs, you must document their consent by creating standard forms for the candidate to sign, or by using recruitment technology that automatically collects consent.

Passive candidates:

You can still source passive candidates if you have “legitimate interest” in them. This means that you genuinely want to consider them for a position at your company. However, you are still required to ask for consent for obtaining and processing their data immediately after initiating contact with them.

An example of this are candidates that your hiring team sourced on  LinkedIn, social media, or candidates that were recommended to you through employee referrals.

You can also attract passive candidates on your careers page with an expression of interest form and a consent box, allowing you to build up a talent pool with consent.

2. Perfect your recruitment privacy policy

The best way to ensure compliance and transparency is with an informative privacy policy. Your privacy policy must clearly explain how your company collects, processes and protects candidate data. It should also explain the candidate’s right to withdraw their consent and rectify, delete or access their data.

It’s useful to have a recruitment privacy note that directly addresses the candidate in your privacy policy. This note should include:

• The name and contact details of your company, including the contact details of any Data Protection Officer your may have appointed
• A statement explaining that any data requested by candidates will only be used for recruitment purposes, and that you have a “legitimate interest” in this data
• An outline of what candidate information will reside in your company’s files, such as contact details, social and professional profiles, and previous work experience
• The names or titles of who you will share the data with, such as the department manager or any colleagues who are direct participants in the hiring process
• A timeline for how long your company plans to store the candidate’s data
• A statement explaining how you will protect the candidate’s data

This privacy policy should be easily accessible to candidates during every stage of the recruitment process. Consider linking it in your job advertisements, on your careers page and LinkedIn page. This note should also be sent to any EU candidates that are currently in your system, even if you collected their data before May of 2018.

INSERT-CTA

3. Stay transparent with candidates throughout the entire recruitment process

Throughout the recruitment process, you must explicitly inform the candidates every time you collect and process their data. You should also explain how and why you are doing so.

All candidates should also have the opportunity to consent for data processing in a transparent way--that means clear check boxes or signatures, rather than auto opt-ins.

While your privacy policy will be the main place that you do this, you need to continue to update candidates as these policies change. If you want to do anything with the candidate’s data that is not explicitly stated in your privacy policy or consent form, such as running an assessment test, you need to obtain consent first. Similarly, if you wish to process a candidate’s data past the time that you provided in your privacy policy, you must ask candidates to renew their consent for your data processing activities.

For example, if you tell a candidate that you are keeping their information until the position is filled, you need to inform the candidates once that has happened. If you decide not to hire the candidate but still want to hold on to their data for future recruitment purposes, you can keep them up to date in your rejection email. In this email:

• Explain why you want to continue to store the candidate’s data
• Provide a timeline for how long you plan to keep their information
• Add a link to your privacy policy and describe how the candidate can ask you to delete their data at any time

‍

4. Perform a data audit

GDPR also applies to any data that your company collected before May of 2018. This means that you should review any files or databases where you currently store candidate data in order to ensure that it is up to standards. You can do this by conducting an official and thorough data audit.

When conducting a data audit, ask:

• What sources do we use to collect candidate data? These could be anything from direct application forms to LinkedIn profiles.
• What kind of data do we use, and candidate data do we not need? All the data you collect should be necessary for recruitment; otherwise you shouldn’t take it.  
• How do we use candidate data during recruitment? This could be during screenings or when contacting candidates for interviews.
• Where do we store candidate data, and who has access to that data? If you use recruitment technology, you may have the ability to give only specific colleagues access to the database.
• Where does data move throughout our company during or after the recruitment process? You may transfer the data of your top candidates to the department that is hiring so those managers can contact them.
• How do you modify, delete or transfer candidate data? This could be over email, or it could be centralised on a digital platform.

During the audit, you should determine which candidates are still good matches for future roles at your company. If a candidate is unlikely to be a good fit for your company, or is no longer relevant to the positions you are hiring for, then you must delete their data. If you do decide to keep information about a candidate in your database, reach out to that candidate and inform them that you are still processing their data and obtain their consent, deleting all data if consent is not given.

5. Use an applicant tracking system that is GDPR compliant

An Applicant Tracking System (ATS) or recruitment software can be a lifesaver when it comes to GDPR compliance. This is because certain recruitment technology has the ability to:

• Store all of your candidate data in one place, making it easier to delete or modify information if a candidate withdraws their consent
• Easily automate the process of obtaining and storing candidate consent
• Set the duration for storage of candidate data, the system will automatically delete all data once the date retention period lapses
• Link to your privacy policy when posting job descriptions or application forms
• Ask for consent for different data processes during recruitment that aren’t stated in your privacy policy
• Provide a secure and compliant place for HR and hiring managers to review CVs and provide feedback on candidates
• Include data processing and hiring policies on the candidate application form. Collect candidate permissions to process data on application

Recruitment software is much more secure and reliable than traditional forms of data storage and processing, such as manual spreadsheets. This is because manual alternatives can be easily deleted without backup or duplicated and modified without the owner’s knowledge along with the risk of sharing data without consent.

Ask your ATS/recruitment software provider if they are GDPR compliant and how they ensure that your data is protected. You should also look for recruitment software that uses the cloud. According to Gartner, 60% of companies that implement appropriate cloud tools experience one third fewer security failures.

INSERT-LINE

Want to get on track and ensure that you stay GDPR compliant throughout the entire recruitment process? Occupop is here to help!

We are a recruitment software company that wants to make your hiring easy, stress-free and compliant. Occupop automatically post your job descriptions to 20+ job boards and easily link your privacy policy/consent to each advertisement. Further to this we also offer auto-delete and a secure place for your hiring managers to review candidates only relevant to their roles. Our software helps you to stay GDPR compliant, so let us take care of the administrative tasks while you focus on what really matters: recruiting the best talent for your company.

Book a demo with one of our product experts today and start hiring smarter.