Starting from May 2018, organisations that collect personal data of EU residents must become compliant with the General Data Protection Regulation (GDPR.) The GDPR is a new law that aims to strengthen people’s rights to privacy and protect their personal data.
GDPR places the burden of ensuring compliance on your entire organisation, especially functions like recruiting which rely heavily on collecting candidates’ personal data. What should employers do to ensure GDPR compliance when they find candidates online or collect candidate data in their talent pools?
To help you on the journey towards GDPR compliance, we prepared this recruitment guide:
Please note: while Workable has consulted with legal professionals both in the creation of this guide and updates to our own product features, Workable is not a law firm. All information in this guide is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements. Organisations should take independent legal advice regarding their own provisions for data protection.
Who must comply with GDPR and what are the penalties for non-compliance?
The GDPR applies to companies that process data of EU residents. This covers EU organisations and non-EU companies that offer goods or services to EU residents or monitor their behavior. All these organisations should become compliant when the law takes effect on 25 May 2018. If they don’t, they risk being fined up to 4% of their annual global turnover (revenue) or €20 million, whichever is greater. Companies may also see their reputation hurt by fines or reprimands.
UK organisations must comply with the GDPR until Brexit is completed, and possibly afterwards too.
What are the basic GDPR terms and how do they relate to recruiting?
In respect to the recruiting function, the GDPR refers to:
- Candidates or “data subjects.” Candidates are the data subjects because they can be identified through personal data they give to companies. For example, their resumes may include their names, physical addresses or phone numbers. The GDPR exists to protect this kind of data. Members of hiring teams are also considered data subjects under GDPR, but their own data will not be processed in the same extent that candidate data will.
- Employers or “data controllers.” Employers, or recruiters who serve as their company’s main representatives to candidates, determine the purpose of collecting candidate personal data. This makes them the data controllers who are fully responsible for protecting candidate data and using it lawfully.
- Applicant Tracking Systems (ATS) and other recruitment software/services or “data processors.” Your ATS is a data processor because it processes candidate data on behalf of your company following your company’s instructions. Data processors often have “sub-processors” (e.g. Workable uses a cloud platform to deploy its system.)
Our hiring specialists can answer all of your questions about GDPR and the Workable GDPR Feature Pack. Request a free demo to learn how Workable’s all-in-one recruiting software can keep candidate data secure while making your hiring process more efficient.
How does the GDPR affect recruiting?
Here are a few key directives of GDPR that affect the daily work of recruiters and hiring teams:
- You need legitimate interest to process candidate data. GDPR obliges you to collect data only for “specified, explicit and legitimate purposes.” This means, for example, that you can source candidate data as long as you collect job-related information only and you intend to contact sourced candidates within 30 days.
- You need to have candidate consent to process sensitive data. GDPR requires you to ask for consent when you want to process data like disability information, cultural, genetic or biometric information or information gathered for the EEO survey or a background check. In these cases, you must ask for consent in a clear and intelligible way and provide candidates with clear instructions on how to withdraw their consent should they wish to.
- You need to be transparent about processing candidate data. Companies must have clear privacy policies and recruiters are obliged to make those policies available to candidates. You must also disclose where you store candidate data (e.g. your ATS) and state that you will use this data for recruitment purposes only.
- You need to assume responsibility for compliance (accountability.) Your company needs to be able to demonstrate compliance with the GDPR. For example, under GDPR, your company is responsible for who it does business with (e.g. an ATS provider or sourcing services.) If your contractors fail to comply with the law, your company is accountable as well.
Also, you are obliged to comply when candidates exercise their rights under GDPR:
- Candidates have the “right to be forgotten.” Candidates have the right to ask you to delete and stop processing their personal data. You must locate every place that you keep their information (e.g. spreadsheets) and delete it within one month after receiving the candidate’s request.
- Candidates have the right to access their data and ask you to rectify it. Candidates have the right to ask what data of theirs you hold. They can also request that you make corrections to any inaccuracies (rectify.) You must grant both requests within one month and provide candidates with a free, electronic copy of their own personal data.
What should employers do to comply with GDPR?
Map your recruiting data
One of the first things that your company must do to prepare for GDPR is to conduct a companywide data audit. This process will show what kind of data your organisation collects, how, why and from where.
As far as recruiting data goes, you must be clear about where and how you find and store candidate names and contact details, as well as other identifying information. Here are some questions you should be able to answer when the data audit is completed:
- What are our candidate sources and how do we collect personal data? An example would be gathering candidate data via application forms linked from your job ads.
- What kind of data do we collect and how much of it do we actually use? An example is asking candidates to provide their email, home address and phone number. You must be certain that all this information is needed for your recruiting (legitimate interest), otherwise you shouldn’t be collecting it.
- How do we use personal data in our operations? An example would be using candidate data to screen candidates and judge their suitability to progress to interview.
- Where do we store data and who has access to it? An example would be storing candidate data in spreadsheets or an ATS and sharing them with hiring teams.
- How does data flow within our company across processes/ functions/ departments? An example would be how candidate information is transferred from sourcers to hiring managers to hiring team members, so they can contact those candidates.
- What are our processes for sharing, transferring, modifying and deleting data? Again, if you use spreadsheets to track candidate data, what process do you have for correcting inaccuracies or sharing the documents?
- The name and contact details of your organisation. If you have appointed a Data Protection Officer (DPO), include their contact details as well.
- A statement that any data requested will be used for recruitment purposes only. You need to explain your legitimate interest too.
- The types of information about a candidate that reside in your company’s files. These could be contact details, social and professional profiles, education and work experience.
- Who you will share the data with. For example, if you are a recruitment consultant, you may share this data with your clients.
- Where you find candidate data. It’s important that you mention you use your sources lawfully.
- Where the processing is based and where you store data. This is especially important if you transfer data outside the EU.
- How long your organisation intends to store each candidate’s data. If this isn’t possible, you need to explain with what criteria you determine this period.
- The candidates’ rights. These include the right to be forgotten, to rectify or access data, to restrict processing, to withdraw consent, to be kept informed about the processing of their data.
- Instructions on how candidates can take action on the processing of their personal data. Let them know how to access their data or request that you delete, rectify or restrict processing of their data.
Source candidates online with care
Sourcing is an essential function for organisations that want to find great people. However, sourcing requires finding and storing personal candidate data so complying with GDPR all the way is critical.
First, keep in mind that you need legitimate interest to source candidates and process their personal data. Ensure that you:
- Actually intend to contact those candidates. Simply building your talent database by adding candidate data in case you need it in the future is not legal under GDPR.
- Plan to contact candidates as soon as possible. You can only keep a candidate’s data without informing them for a limited time (a month at most). Contact these candidates as soon as possible and delete their data if they ask you to. If you change your mind about a candidate, and decide not to contact them, you must delete their data immediately.
- Collect only the data you need. You may want to process candidate data relating to education, work history or skills along with contact details. These types of data make sense for your recruitment process. However, you should not process irrelevant data (e.g. cultural information) for recruiting purposes. If you need to process this data, make sure to explain it when you contact candidates and ask for their consent.
- Obtain data lawfully. Gathering data from social profiles is legal under GDPR, if those profiles are publicly accessible and if you can reasonably assume that candidates expect to be contacted. For example, you may assume that a publicly accessible LinkedIn profile indicates a reasonable expectation of contact. Only then, you can proceed to process candidate data.
If you don’t have a recruitment privacy notice yet, you need to include all information required by GDPR Article 14 (explained above) in your email. Here’s a sample email text with placeholders:
Acme, Inc. [address, phone number, email) has collected and stored your resume and contact details.
We process this data for recruitment purposes only. We found this data on [Linkedin] when looking to fill an open position at our company. We are storing this data in our Applicant Tracking System, [which stores data in the U.S and is fully compliant with EU data protection laws], and we will not share it with anyone else.
We would like to keep this data until our open role is filled. [We can not estimate the exact time period, but we will consider this period over when a candidate accepts our job offer for the position for which we are considering you.] When that period is over, we will either delete your data or inform you that we will keep it in our database for future roles.
You have the right to lodge a complaint about the way we handle your data with [supervisory authority] or you can contact our [DPO] at [contact details] for more information or concerns.
Ensure your job application process complies with GDPR
When candidates fill out your job application forms, they provide you with their personal data. Because job applications correspond to actual job openings, you have legitimate interest in processing this data and you do not need to ask for explicit consent. But, to be fully compliant with GDPR, ensure you:
- Ask only for personal data you need. The Working Party 29 (the collection of data protection authorities) states that the data you collect from candidates must be “necessary and relevant to the performance of the job which is being applied for.”
- Be transparent. In your job ads, let candidates know that you intend to use their data for recruitment purposes only and how long you may need to keep this data. If you plan to gather more information about candidates (for example, by reviewing their social media profiles) as part of your screening process, you need to say that explicitly and explain how and why.
Update your rejection email templates
Sometimes you have more than one great applicant for a role. If you can’t hire all of them, you may want to keep the ones you didn’t hire on file for future roles. To remain compliant with GDPR, you need to make sure that you will not keep this data for a longer period than the one you originally mentioned to candidates. If, for example, you told candidates in your sourcing email that you would keep their data for a year after they apply, you don’t need to send them another email until that year has passed. Conversely, if you told candidates you would keep their data until you filled this particular position, then you need to inform them again that you want to keep the data you had collected.
Do this with your rejection email. Add a few sentences to:
- Explain why you want to keep the candidate’s data.
- Mention how long you plan to keep their details.
- Link again to your recruitment privacy notice.
- Let candidates know they can ask you to delete their data at any time.
If they ask you to delete their data, you must comply.
Prepare to inform candidates of data processing whenever you receive their data
Often, you will find yourself possessing personal candidate data through means other than job applications or online sourcing. Candidates may give you their CVs at a career fair or a networking event. Or they may ask you to contact them with job opportunities. All these scenarios are lawful under the GDPR, but you need to be able to demonstrate that you have been transparent.
You can do this by preparing standard forms that provide all information required by GDPR and ask candidates to sign. Or you can email them afterwards with your recruitment privacy notice and the rest of the necessary information.
Review existing talent pipelines
GDPR covers personal data that your company has collected in the past. This means that you must review your talent databases, spreadsheets and other files where you store candidate data before the law comes into effect in May.
This is a good opportunity to make sure your talent database is updated and relevant. Determine which candidates may be good matches for future open roles in your company and which are not:
- If you determine that a candidate is unlikely to be qualified for future roles or is no longer relevant or you obtained their information too long ago, then you must delete their data.
If you store candidate data in your ATS, it’d be easy to delete the data of those who were disqualified. Take a quick look at all candidate profiles to see if there are candidates who are promising or whom you wanted to contact in the future. You could mass-delete the rest.
- If you’d like to keep a candidate in your talent pipelines, reach out to them to inform them that you are processing their data.
For candidates that you want to keep in your database, prepare an email to give them necessary information. This email should be similar to the email you would send to sourced candidates in that it must include all information about what data you hold and where. These emails should also include links to your privacy policies. Your ATS may have bulk email functions that will make sending this email much easier.
Ensure your software vendors are compliant
Data processors have full access to your candidates’ data. This is why GDPR expects you to be certain that your partners protect this data the same way you do.
Your most important vendor in recruitment is your ATS provider. Your ATS is the place where you will store almost all candidate data, send emails and delete or modify information. If your ATS complies with GDPR, it will be a great ally in ensuring your company complies as well.
If you aren’t using an ATS, consider investing in one before GDPR comes into effect. Spreadsheets, which are the most common alternative to software vendors, may expose you to risks concerning GDPR compliance as they provide a poor audit trail, access controls and version control. One of the key benefits of spreadsheets is also one of their key flaws, in that they can be easily duplicated, modified and disseminated without the owner’s knowledge. And, they are a cumbersome method of erasing and correcting data.
As a first step, arrange a meeting with your ATS provider or several if you’re planning on purchasing an ATS. Ask:
- Whether GDPR applies to them as processors. If they aren’t an EU company, they should either be part of the Privacy Shield (for U.S. companies) or be ready to sign effective data processing agreements that oblige them to follow GDPR’s guidelines.
- How they plan to become GDPR compliant. They should also be able to tell you where they store their data and how they ensure this data is protected.
- Whether they use compliant vendors. They should have data processing agreements in place with those subcontractors.
- Whether they have clear privacy policies. Review their privacy policies to ensure they comply with GDPR and can adequately protect candidate data.
Be prepared to grant candidate requests
A big part of remaining compliant with GDPR is to be able to help candidates exercise their rights under this law. To do this, you must provide guidelines and processes to:
- Let candidates access their personal data upon request.
- Determine the format of the electronic copy of their data that you must give candidates.
- Establish a process to extract and send that copy.
- Delete candidates’ personal data or restrict processing upon their request.
- Find all places where you keep data (you must have done this during your data audit) and establish a process to delete data from all these places.
- Rectify candidate data.
- Ensure you have processes to control different versions of candidate data. For example, you should not correct the same candidate data on one spreadsheet and not in another. Having an ATS in place can save you this trouble.
- Let candidates withdraw consent (in case you decided to use consent as the legal basis for processing).
- Compare this process to the process of giving consent. GDPR requires that the processes of giving and withdrawing consent should be equally easy and simple.
Ensure you communicate these processes clearly on your website and/or your terms and conditions.
GDPR Readiness Evaluator
GDPR checklist: Requirements for recruiters and HR