The launch of the new GDPR law in May 2018 meant that many businesses had to transform their processes for acquiring, storing and using personal data. Of course, the practice of HR and recruitment is built upon the personal data of candidates and employees – so how can you make sure you’re adhering to GDPR practices in your day-to-day role?

An Overview of GDPR

In short, the General Data Protection Regulation (GDPR) is legislation designed to give EU citizens more control over their personal data. It regulates the way data is obtained, stored and used, and obliges any body that collects personal data to protect it from misuse and exploitation.

GDPR doesn’t only apply to organisations operating within the EU; it also applies to any company operating outside the EU that offers goods or services to businesses or individuals within the EU.

How does GDPR affect recruitment processes?

With regard to hiring processes and GDPR, candidates are ‘data subjects’ and employers are ‘data controllers’. This means that the data candidates submit is protected under GDPR because it is personally identifiable, and employers are legally responsible for protecting that data and using it lawfully.

Applicant tracking systems and recruitment software are also a key part of the process and fall under the ‘data processor’ category, so these systems must also be considered and must operate in a GDPR-compliant fashion.

Key factors that you need to consider in order for your recruitment processes to adhere to GDPR regulations:

– A legitimate reason to collect data – you need a cause for collecting data; in recruitment this means collecting job-related personal information in connection with a vacancy.

– Consent for sensitive information – if you want to process sensitive information such as cultural, biometric or genetic data, this consent must be requested specifically from the candidate. The request should be clearly communicated and their consent must be given before you can store or process this information; you should also explain how they can withdraw that consent if and when they choose to.

– Availability of data protection information – businesses must provide accessible and transparent information to candidates as to how their data will be processed and stored.

– Assume full responsibility – in order to be GDPR compliant, businesses must take full responsibility for compliance: internal processes, software, and any contractors or freelancers used in association with your company must also be GDPR compliant if they have access to candidate information.

How can candidates exercise their GDPR rights?

In addition to your internal processes, the core principle of GDPR is that candidates have full control over their personal information. This means that at any time candidates have the ‘right to be forgotten’ and can ask you to delete all of their data; this must be done within one month of receiving the request. Candidates also have the right to request access to their data and find out exactly what personal information your company holds about them. This request must likewise be processed free of charge, and electronic records must be provided within one month.

The Cost of GDPR Failure

Being GDPR compliant isn’t just a ‘nice to have’; it’s the law. Failure to comply with GDPR can result in some pretty hefty consequences, including a fine of up to 4% of annual turnover or €20 million – whichever is greater – plus the potential for reputational damage and lost clients.

We’re sure you’ll agree that failure to adhere to GDPR sounds pretty unappealing. To stay on the right side of these new regulations, we’d recommend you conduct a full data audit showing what information you process, where it comes from, and how it’s currently stored and used.

Once everything is in place, the next step would be to create a specific privacy policy for recruiting which is made available to applicants and employees.

Full information can be found on the GDPR website.

Ready for more hiring advice?

Keep browsing our blog for more of our expert insights and make sure you’re following TrueProfile.io on social media so you never miss an update!

Please note, TrueProfile.io has put together this information to be used as a general guide and is not designed to be a substitute for legal advice and is not a comprehensive statement of GDPR practices. It’s the responsibility of individual businesses to take independent advice, if required, regarding the provision of data protection and GDPR compliant practices and processes.