GDPR has been with us for nearly 2 years. With the new way of working due to COVID-19, ask yourself: Is your recruitment process GDPR compliant and remote working ready?
As of May 2018, any company that collects data of EU residents must comply with the General Data Protection Regulation (GDPR). This is a law that helps people protect their personal data, and since its creation, it has had a major effect on recruitment processes.
This is because employers can access and store candidate data. Complying with this law was, and still is, a seemingly impossible task, and companies that do not meet these GDPR standards when collecting and processing candidate data face major fines as well as potential damage to their reputation, especially considering the potential number of individuals involved when hiring.
Read our five simple steps to help you ensure your entire recruitment process is efficient, streamlined and GDPR compliant.
Disclaimer: This is Occupop's opinion and advice and is not legal advice or requirement.
GDPR requires you to always ask for consent in a clear and intelligible way when collecting or processing candidate data. Additionally, if the candidate withdraws their consent or asks you to delete their data, you are required to comply.
In order to demonstrate that your company is GDPR compliant, you should keep either written or digital records of how and when candidates gave their consent, as well as what recruitment process they gave their consent for. Each candidate must consent to where you store their data, who will have access to their data and how you will process their data.
Even if candidates hand you CVs or directly apply at recruiting events such as job fairs, you must document their consent by creating standard forms for the candidate to sign, or by using recruitment technology that automatically collects consent.
You can still source passive candidates if you have “legitimate interest” in them. This means that you genuinely want to consider them for a position at your company. However, you are still required to ask for consent for obtaining and processing their data immediately after initiating contact with them.
Examples of this are candidates that your hiring team sourced on LinkedIn or social media, or candidates that were recommended to you through employee referrals.
You can also attract passive candidates on your careers page with an expression of interest form and a consent box, allowing you to build up a talent pool with consent.
Throughout the recruitment process, you must explicitly inform the candidates every time you collect and process their data. You should also explain how and why you are doing so.
All candidates should also have the opportunity to consent to data processing in a transparent way: that means clear check boxes or signatures, rather than auto opt-ins.
For example, if you tell a candidate that you are keeping their information until the position is filled, you need to inform the candidate once that has happened. If you decide not to hire the candidate but still want to hold on to their data for future recruitment purposes, you can keep them up to date in your rejection email. In this email:
GDPR also applies to any data that your company collected before May of 2018. This means that you should review any files or databases where you currently store candidate data in order to ensure that it is up to standards. You can do this by conducting an official and thorough data audit.
When conducting a data audit, ask:
During the audit, you should determine which candidates are still good matches for future roles at your company. If a candidate is unlikely to be a good fit for your company, or is no longer relevant to the positions you are hiring for, then you must delete their data. If you do decide to keep information about a candidate in your database, reach out to that candidate and inform them that you are still processing their data and obtain their consent, deleting all data if consent is not given.
An Applicant Tracking System (ATS) or recruitment software can be a lifesaver when it comes to GDPR compliance. This is because certain recruitment technology has the ability to:
Recruitment software is much more secure and reliable than traditional forms of data storage and processing, such as manual spreadsheets. This is because manual alternatives can easily be deleted without backup, or duplicated and modified without the owner’s knowledge, and they carry the risk of sharing data without consent.
Ask your ATS/recruitment software provider if they are GDPR compliant and how they ensure that your data is protected. You should also look for recruitment software that uses the cloud. According to Gartner, 60% of companies that implement appropriate cloud tools experience one-third fewer security failures.
Want to get on track and ensure that you stay GDPR compliant throughout the entire recruitment process? Occupop is here to help!
Book a demo with one of our product experts today and start hiring smarter.