
GDPR for recruitment: Putting candidates in the driver’s seat

November 10, 2017


By now you have probably heard and read a lot about Europe’s new privacy laws and their impact on the way businesses handle consumer data. Little has been discussed, however, about the consequences of GDPR for recruitment. As recruitment processes involve a lot of data processing, they will also be highly affected by GDPR. In this article, we’ll help you understand how you can make your recruitment GDPR compliant.

What is GDPR for recruitment?

Collecting and processing candidate data and cold emailing are important parts of a recruitment process. By using different tools and search engines, you can easily scrape the web for CVs and email addresses of potential candidates. There are also many websites where recruiters can buy an entire database of CVs that fit their search criteria.

Candidate data has become the currency of the recruitment industry. For the most part, this is without the consent or even the knowledge of the candidates themselves.

To curb such practices, the European Union (EU) has introduced the General Data Protection Regulation (GDPR). Coming into effect on the 28th of May 2018, GDPR will affect all businesses that process data of EU citizens, even when not located in the EU. Failing to comply with the regulation can result in a fine starting at €20 million.


GDPR will profoundly shake up businesses capitalizing on personal data such as those in the recruitment industry. It will apply to all the candidate data you’ve ever collected, not just the data you get after GDPR goes into effect. To help you get started, we’re going to cover some of the most important points of GDPR relating to recruitment and talent acquisition.

*Disclaimer: The following information should only act as guidelines. They mostly represent our point of view. It’s best to get your legal team’s aid on this matter. We will not assume legal liability for the accuracy of any information provided in whole or in part within this article.

Important Definitions:

We will apply certain terms in GDPR to the context of recruitment.

The term “data subjects” refers to your job candidates and “personal data” is any information that can be used to identify the data subject. This could, for example, be a name, email or a phone number.

“Controllers” are the entities that decide how and what personal data is processed. Employers and recruitment agencies are some examples of controllers.

“Processors” are applicant tracking systems or any legal bodies that process personal data on behalf of a controller.

“Processing” refers to any action that can be performed on personal data, such as collecting, recording, organizing, storing, using, and erasing.

Generally speaking, GDPR aims to give power to the data subjects – the candidates – by bringing strict guidelines to both the controllers and the processors.

What does GDPR mean for candidates?

For candidates, GDPR means that they have a lot more control over their data. Personal data cannot be traded anymore without their consent or knowledge.

Here are the six rights each data subject has, as listed under GDPR.

1. Right of access by the data subject: Candidates can request to be informed of what you’re going to do with their data or even request a record of their personal data you collected.

2. Right to rectification: Candidates can request you to correct or update their data in your candidate database.

3. Right to erasure (“right to be forgotten”): Candidates can request you to delete their data from your candidate database.

4. Right to the restriction of processing: Candidates can request you to suspend their data from being processed in your candidate database.

5. Right to data portability: Candidates can request you to export all their data from your candidate database.

6. Right to object: Candidates can request you to stop processing their data indefinitely.

To comply with the rights of the candidates, you as the controller will need to thoroughly review your recruitment toolbox and revamp your entire recruitment process.

What does GDPR mean for employers and recruitment agencies?

Essentially, GDPR revolves around one thing: the data subject’s consent. You as the data controller will need your candidates’ permission to 1) obtain their data and 2) process that data for recruitment purposes (including processing done by a processor acting on your behalf).

You will have to make it as easy as possible for candidates to withdraw their consent as well. Once that happens, you must stop processing their data and remove it upon their request.

The main things that you have to keep in mind are:

1. When you obtain candidate data for yourself as the controller

When candidates apply for your jobs, you should provide all the information below.

  • The name and contact details of your company or your company’s representative.
  • The purpose of processing the candidate data. It should be clear that the data will only be used for recruitment purposes.
  • If you’re a recruitment agency, you must disclose the recipients of the candidate data to the candidates. Which client(s) are you going to share the candidate data with?

When you receive candidates’ applications, you should provide some additional information.

  • How long you will store the candidate data. If it’s hard to give a precise timeframe, you need to provide some general information about this. For example, the candidate data will be stored as long as the candidates are interested in career opportunities in your company.
  • How candidates can request access to, correction of, or erasure of their data.
  • How candidates can withdraw their consent to the processing of their data.
  • Who candidates can contact in case they want to file a complaint regarding the processing of their data.
  • The necessity of the data provided by the candidates. Why do you need such data from candidates?
  • If there is automated decision-making, including automated assessing of candidates’ employment ability, in your recruitment process, you will need to explain the logic behind such automation and the consequences of this automation for the candidates. Could the candidates be disqualified based on the results of the automation?
  • If you intend to use the candidate data for other purposes than recruitment, you will need to inform them before processing their data further.

In case you source candidates from the web or obtain their data via other indirect means, you should provide all the information below.

  • The name and contact details of your company or your company’s representative.
  • The purpose of processing the candidate data. It should be clear that the data will only be used for recruitment purposes.
  • The categories of the sourced candidate data. Is it employment history, contact details, or something else?
  • How long you will store the candidate data. If it’s hard to give a clear timeline, you need to provide some criteria for the period. For example, the candidate data will be stored as long as the candidates are interested in career opportunities in your company.
  • How candidates can make a request in case they want to access, correct, erase, or restrict their data’s processing.
  • How candidates can withdraw their consent to the processing of their data.
  • Who candidates can contact in case they want to file a complaint regarding the processing of their data.
  • The source where you obtained the candidate data and whether it is publicly accessible.
  • If there is automated decision-making, including automated assessing of candidates’ employment ability, in your recruitment process, you will need to explain the logic behind such automation and the consequences of the automation for the candidates. Could the candidates be disqualified based on the results of the automation?
  • If you intend to use the candidate data for other purposes than recruitment, you will need to inform them before processing their data further.
  • If you’re a recruitment agency, you must disclose the recipients of the candidate data to the candidates. Which client(s) are you going to share the candidate data with?

Even if you don’t plan to reach out to the sourced candidates, all of the information above has to be given to them within one month from the moment you obtain their data, or at the latest when you first contact them. If you’re a recruitment agency, the information above has to be given to the candidates at the latest when you first share their data with your clients.

2. When the processor processes candidate data on your behalf

Only after getting the candidates’ consent based on the information you provided above can you process their data. During that process, candidates can make requests within their rights under GDPR and you need to act accordingly within one month.

1. Right of access by the data subject

When a candidate requests, you will send them a copy of their data along with the information you provided above regarding their consent.

2. Right to rectification

When a candidate informs you that their data is incorrect or incomplete, you will verify and update that data in your database right away.

3. Right to erasure (‘right to be forgotten’)

You will delete candidate data from your database when one of the points below applies.

  • The candidate data is no longer relevant to your recruitment process. This happens when you are not hiring for a particular role anymore for example. You will then need to delete all the data of the candidates that applied for that role.
  • The candidates withdraw their consent to the processing of their data.
  • The candidates object to the processing of their data (more details in point 6 below).
  • You obtained the candidate’s data unlawfully.

If you have made the candidate data public and the candidate requests you to erase it, you will not only have to remove it from your database but also get it removed from the databases of the controllers that got the data from you.

4. Right to the restriction of processing

You have to stop processing candidate data when one of the points below applies.

  • The candidates say that their data is not accurate. In this case, you can resume processing the candidate data after verifying its accuracy.
  • You got the candidate data without their consent, but they just want you to not process it instead of removing it entirely from your database. This means you can put the candidates in a talent pool and reach out to them later when a suitable position opens.

5. Right to data portability

You will export candidate data for the candidates on request. The exported files should be readable so that the candidates can use them for other employment opportunities.

6. Right to object

When candidates request you to stop processing their data, you are obliged to comply with their request.

Apart from all the points above, if your company has more than 250 employees, you will need to maintain a written record of the following:

  • The name and contact details of your company or your company’s representative.
  • The purpose of processing the candidate data.
  • A description of the categories of the data subjects (candidates) and their personal data (candidate data).
  • The categories of the recipients you have shared the candidate data with.

With so much to take into account regarding GDPR in recruitment, the last thing you would want is a processor who is clueless or non-compliant. It is very important that you only collaborate with the right processors.

What does GDPR mean for applicant tracking systems (ATS)?

Most ATSs are classified as processors according to GDPR. They process candidate data on behalf of employers or recruitment agencies. To make sure that you are GDPR compliant, an ATS needs to have all its processing activities governed by a contract under EU law. That contract will require the ATS to:

  • Process candidate data only according to documented instructions from the controller(s).
  • Implement necessary measures to safeguard the candidate data, including:
    • The encryption or pseudonymization of candidate data.
    • The ability to maintain a high-quality processing system and service.
    • The ability to restore access to candidate data quickly in case of incidents.
    • Regular testing and evaluating the measures to ensure the security of the processing.
  • Delete or return all candidate data to the controller(s) on request.
  • Demonstrate the ATS’s compliance with GDPR to the controller(s).

If the ATS integrates with other processors, they will need to comply with GDPR as well.

GDPR for recruitment tips

The most important part of complying with GDPR is setting up an infrastructure for your recruitment that can handle candidate data properly. Here are some of our suggestions.

1. Ask for a second approval

Usually, candidates consent to having their data processed only once, when they apply for a job. Companies, however, often store candidate data for future hiring as well. To avoid any issues, we highly recommend that you ask for a second approval from your applicants when you want to save their CVs in your database for future hiring. For instance, when you send a rejection email to a candidate, ask for their consent to storing their data. This way you know for sure whether candidates are okay with you putting them in your talent pool.

2. Adjust your terms for applicants

Make sure to update your privacy policy and outline the process of data handling in your recruitment process. You need to be transparent about what kind of data you collect and why. It would be wise to include the six rights of candidates in your terms. They should be presented clearly and separate from other information.

3. Make a data-sharing agreement (GDPR compliant) with partners

Are you a recruitment agency sharing candidates with clients? Or do you share candidates among different companies under one umbrella organization? You should put a data-sharing agreement in place regarding GDPR.

4. Contract with processors based in the EU

Every company doing business with the EU will have to comply with GDPR, even when you process just one candidate from the EU. As the controller, you can only use processors that provide sufficient measures to meet GDPR’s requirements.

5. Contract with processors with a strong privacy policy

Choose an ATS that encrypts all candidate data. At Recruitee, we go the extra mile and encrypt all your confidential messages as well as login information. This is to ensure the highest level of security to the data you entrust us with.

6. Keep your candidate database clean

Collect candidate data for recruitment purposes only. Don’t use it for anything else. Your ATS can help ensure that only relevant candidate data is collected.

If you no longer consider a candidate a fit for the role, you should remove their data from your system. In case you have old records of candidate data without the candidates’ consent, you should ask them for their consent. Who knows, you might end up building a great relationship with the talent!

7. Stay compliant while sourcing

Sourcing is still going to play an essential role in recruitment. Just make sure that you follow all the appropriate steps according to GDPR. Provide all the information the candidates need to know the first time you reach out to them or the first time you share their data with a client.

Get more details on GDPR for recruitment

For further details on how the new GDPR regulations will affect recruiters, see our GDPR handbook. Ready to start taking your next steps? Read up on the changes we have made to protect your recruitment data.


Perry Oostdam is the co-founder of Recruitee. With a passion for tech and scaling teams, he has been active in the SaaS space as a founder, advisor and investor. Perry believes in the power of HR tech to help revolutionize the way companies and teams grow.