The GDPR is an EU regulation that aims to protect people’s personal data from misuse by others, especially organizations. It requires those who collect personal data to comply with stringent rules. This law has profound implications for recruitment, because recruiting requires firms to manage massive amounts of personal data. So what does GDPR mean in recruitment?
The GDPR affects all organizations that collect and process personal data within the EU, including all European organizations and any non-EU firms that operate in the EU or collect data from EU residents. The European Union required all of these organizations to be compliant with the law by 25 May 2018. Firms that fail to comply with the GDPR can incur a fine of up to 4% of annual global turnover or revenue, or €20 million. Firms can also suffer reputational damage from fines and reprimands related to non-compliance.
What does GDPR mean in recruitment? The GDPR considers employment candidates to be “data subjects.” Recru. For instance, resumes often contain names, email addresses, phone numbers, and physical addresses. The GDPR aims to protect against the misappropriation of this data. The employer and its employees are “data controllers,” meaning that they determine the purpose for which personal data is collected. They are fully responsible for keeping candidates’ data safe and for complying with the law when using it. Any technology or agency that the recruiter uses to collect and process candidate data is a “data processor,” because it processes candidate data on behalf of the company.
The GDPR requires employers to collect candidate data only for explicit, specific, and legitimate reasons. This means that recruiters may compile only job-related data, and must use it to contact the candidate within 30 days or less. Recruiters must get candidates’ consent before obtaining and processing sensitive personal data, and must get explicit permission before processing biometric, disability, cultural, or background data. When collecting such data, the recruiter must seek consent clearly and inform the candidate of their right to withdraw it. Firms must be transparent and publish clear privacy policies. They must disclose to candidates their intention to store the data and make clear that it will be used for recruitment purposes only. Recruiters must be able to demonstrate their own compliance with the GDPR and that all third parties they work with are compliant and accountable in their use of personal data.
Third parties who manage the company’s recruitment information have access to all of the candidates’ data. That is why you should ensure that every vendor complies with the GDPR’s data protection requirements. In particular, ensure that your Applicant Tracking System (ATS) provider is fully compliant, because it stores candidate data, modifies records, and sends emails to candidates. Learn more about Loxo’s GDPR compliance promise. It is prudent to use an ATS for secure data management. Spreadsheets lack security and are at risk of breach because of their weak audit trails and insufficient access controls. Further, spreadsheets can be copied, modified, and shared without your knowledge.
Only ask candidates for personal data that is necessary and relevant to the job they are seeking. When writing job adverts, let prospective candidates know that you will use their data for recruitment only, and explain how long you will keep it. If you intend to gather more information about a candidate during the screening process, state your intentions explicitly and justify them. When communicating with candidates, provide links to your privacy policies. Further, inform candidates that they can ask you to stop using, modifying, or sharing their personal data. Once the preferred candidates have been identified, you should delete the data of the candidates who didn’t make the cut. If you retain their data instead, inform those candidates of your intention.
GDPR covers all personal data the company holds, including data collected before the law was introduced. This means that recruiters have to review the databases and files in which they store candidate data for compliance. Recruiters should update their talent databases and make sure the information they have accumulated is relevant and accurate. Further, they should identify the candidates whose profiles match current and future recruitment needs, and delete the files of candidates who are unqualified or no longer relevant to the organization’s current needs. If you retain a past candidate in the database, contact them and inform them of your intention to keep and process their data. Send them an email explaining all the data you hold about them and where it is stored. The email should also include links to the company’s privacy policies.
Recruiters must be ready to delete a candidate’s data and stop processing it if the candidate exercises the right to be forgotten. The recruiter must delete that data within one month of receiving the request. Recruiters must also be willing to disclose the type of data they hold about a candidate and to honor the candidate’s right to have inaccuracies rectified. The recruiter must comply with such requests within a month and give the candidate a free electronic copy of the records. The GDPR has had a profound effect on recruitment practices. Loxo has a fully automated GDPR feature that reduces the legal complexity of recruiting. Click here to learn more about how Loxo helps companies remain compliant.