How to approach GDPR legitimate interest in recruiting
The General Data Protection Regulation (GDPR) provides six lawful bases for processing personal data. Two of them – legitimate interest and consent – are very relevant to recruiting. But while consent is strictly defined and simple to grasp, legitimate interest is vague and idiosyncratic.
And that’s what makes legitimate interest a challenge for employers. On one hand, it’s quite flexible. On the other hand, you might struggle to interpret your legitimate interest or be unsure about whether your interpretation would stand its ground during an audit.
To help you understand legitimate interest better and give you some pointers about how to approach it, we’ve created this short guide:
Disclaimer: While Workable has consulted with legal professionals both in the creation of this guide and our own product features, Workable is not a law firm. All information in this guide is general information only. It is not intended to constitute legal advice or be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements. Organisations should take independent legal advice regarding their own provisions for data protection.
What is legitimate interest?
GDPR provides a legitimate interest definition in Article 6 (f). The gist:
you can process people’s personal data for a specific legitimate purpose unless their interests, rights and freedoms override that purpose.
In practice, it’s often challenging to figure out if your legitimate interest is appropriate under GDPR.
When does legitimate interest apply?
In general, you can rely on legitimate interest when you use people’s data in ways that:
- They would reasonably expect you to,
- Have minimal privacy impact and,
- Have a compelling justification.
Legitimate interest in recruitment can be an appropriate lawful basis when processing recruiting-related data. Data that doesn’t help the team to either contact or evaluate a candidate, or that includes ‘sensitive’ information (like race and ethnic origin, religious or political beliefs and disability or genetic information), isn’t related to recruiting. Generally, you shouldn’t be collecting this kind of data as part of the hiring process.
To ensure that you can rely on legitimate interest for processing specific recruitment data, it’s best to do a legitimate interest assessment (LIA).
Why and how to conduct a legitimate interest assessment (LIA)
Every team in your organisation that processes personal data (even a small amount) should conduct an LIA. This assessment will help you:
- Determine the boundaries of your legitimate interest.
- Show authorities that you’ve thought the matter through and documented the process properly (which will play a big role in proving your GDPR compliance during an audit).
To conduct an LIA, the head of a department, team or function should complete the three-part test:
- Purpose – is there a legitimate interest behind the data processing?
- Necessity – is the data processing necessary for that purpose?
- Balancing – is the legitimate interest overridden by the person’s interests, rights or freedoms?
You need to complete the test in this exact order. To make the process easier, we have a document with a Legitimate Interest Assessment (template).
Here are some details on the test for ‘Purpose’:
- Define a purpose for processing data. According to the UK’s Information Commissioner’s Office (ICO), you can’t just say “we have a legitimate interest to process customer data” (same goes for candidate data). Your legitimate interest should be specific and clearly defined.
- You don’t need to have an original or inspiring reason to process data. Legitimate interest can be trivial, but remember that the weaker the purpose, the more easily it can be overridden by people’s interests in the balancing test.
- Your purpose must be legitimate. This seems like a no-brainer, but it’s important to note that if a purpose for processing data is unlawful or unethical, then it’s not legitimate.
To ensure you tick off these points, answer these questions as part of your LIA (the questions are included in the template):
- Why do you want to process the data?
- What benefit do you expect to get from the processing?
- Do any third parties benefit from the processing?
- Are there any wider public benefits to the processing?
- How important are the benefits that you have identified?
- What would the impact be if you couldn’t go ahead with the processing?
- Are you complying with any specific data protection rules that apply to your processing (eg profiling requirements, or e-privacy legislation)?
- Are you complying with other relevant laws?
- Are you complying with industry guidelines or codes of practice?
- Are there any other ethical issues with the processing?
When answering these questions about processing candidate data, you may find some of them aren’t applicable to your organisation (like “Are there any wider public benefits to the processing?) In this case, you could mark it as ‘not applicable’, since regulators will expect to see that you have considered this question but determined there was no relevant answer.
Here are some details around the test for ‘Necessity’:
- ‘Necessary’ means this data processing is the only way to meet your legitimate purpose. You need to be sure that processing personal data of people is the only way to achieve your legitimate purpose. If there’s a reasonable, less invasive way to achieve your purpose, your legitimate interest likely fails the necessity test.
To make sure the processing is necessary, answer the following questions as part of your LIA:
- Will this processing actually help you achieve your purpose?
- Is the processing proportionate to that purpose?
- Can you achieve the same purpose without the processing?
- Can you achieve the same purpose by processing less data, or by processing the data in another more obvious or less intrusive way?
Here are some details around the test for ‘Balancing’:
- Consider a person’s reasonable expectations. For example, you can process contact information found on a person’s social media profile only if there’s a reasonable expectation of contact on their side. Generally, people who use Facebook or Instagram do so for personal reasons, not professional, so they might not expect to be contacted for jobs. Under certain circumstances (for example, when someone mentions on their Facebook profile that they’re looking for a job), you might have a legitimate interest in contacting them. Also, as explained by ICO, members of a professional network (like LinkedIn) who have enabled settings to show recruiters that they’re open to job opportunities have shown a reasonable expectation of contact.
- Decide whether your data processing harms people’s freedoms in some way. Although it’s unlikely that processing data in the scope of recruiting will cause harm, you still need to consider every case separately. If you find that you might unjustifiably harm a person whose data you want to process, you should delete the data you already have and avoid collecting more.
To determine these points, answer these questions as part of your LIA:
Nature of the personal data
- Is it special category data or criminal offense data?
- Is it data which people are likely to consider particularly ‘private’?
- Are you processing children’s data or data relating to other vulnerable people?
- Is the data about people in their personal or professional capacity?
- Do you have an existing relationship with the individual?
- What’s the nature of the relationship and how have you used data in the past?
- Did you collect the data directly from the individual? What did you tell them at the time?
- If you obtained the data from a third party, what did they tell the individuals about reuse by third parties for other purposes and does this cover you?
- How long ago did you collect the data? Are there any changes in technology or context since then that would affect expectations?
- Is your intended purpose and method widely understood?
- Are you intending to do anything new or innovative?
- Do you have any evidence about expectations – like from market research, focus groups or other forms of consultation?
- Are there any other factors in the particular circumstances that mean they would or would not expect the processing?
- What are the possible impacts of the processing on people?
- Will individuals lose any control over the use of their personal data?
- What is the likelihood and severity of any potential impact?
- Are some people likely to object to the processing or find it intrusive?
- Would you be happy to explain the processing to individuals?
- Can you adopt any safeguards to minimise the impact?
Some of these questions may need extra thought. For example, what is ‘having an existing relationship with someone’? Does previous communication about a job opportunity count? Should you assume they have reasonable expectations of contact if they have replied at least once to your messages? If you think you can answer ‘yes’, make sure to clearly explain your reasoning in your LIA.
What happens after you conduct the LIA?
There are some times when an LIA will be insufficient for compliance. That’s when you identify that your data processing will have a significant privacy impact. For example, this could come about if you give a positive answer to the two initial questions in the balance test. When this happens, you should do a Data Protection Impact Assessment (DPIA) and keep the LIA as a reference.
After you’re finished with your LIA (or DPIA), remember that you may have to re-do your assessment in the future if you want to start processing other types of information or if something changes in the way you process data. Those responsible for the recruiting function should keep the assessments under review to raise the chances of being compliant with GDPR.
Collect candidate data… with caution
Having legitimate interest to process candidate data is essential—but not enough for compliance. You need to follow GDPR’s instructions when sourcing candidates or retaining their data. Here are a few basic rules to keep in mind (for a more detailed explanation of your responsibilities under GDPR, refer to our GDPR compliance guide for recruiters and hiring teams):
- Be transparent. Send an email to sourced candidates to inform them you’re processing their data within one month after you first processed it. You should also link to your privacy notice in that email. If you don’t send this email within a month, you should delete their data from your database immediately.
- Follow data retention obligations. You can’t keep candidate data indefinitely. Let candidates know for how long you’re going to keep their data (you can keep them only for as long as they’re relevant). If you currently have old or irrelevant candidate data, it’s best to delete it.
- Give candidates ways to exercise their rights under GDPR. Provide clear instructions on how candidates can request the details of the data you are processing and how they can ask you to delete it. Be ready to comply with their requests.