How to make Recruitment GDPR-Compliant

When GDPR was introduced in 2018, it came with a lot of questions. Many business leaders wondered how a new set of data laws would impact their organisation.

The recruitment industry was no different, as agencies considered how they should handle the data of current and previous candidates. With this situation in mind, let’s address how you can become GDPR-compliant and still manage candidates effectively.

What is GDPR?

For those who missed the news surrounding GDPR, the acronym stands for General Data Protection Regulation.

GDPR is enforced by the European Union and applies to all businesses that interact with people in Europe. Ultimately, the law is in place to help people protect how their data is used.

Since 2018, those who do not comply with the regulation are at risk of severe fines that can impact the success of a firm.

How it Impacts Recruiters

Recruiters often keep the data of clients in their applicant tracking systems (ATS) so that they can contact them about new positions and their current applications.

As a result, recruiters must be careful about what data they have and whether it breaches GDPR.

Fortunately, simple steps can be taken to ensure that communication with candidates is compliant. 

How to conduct GDPR practices in recruitment

  1. Ask for consent 

Recruiters need to get permission to store candidate data. Not only that, but it is essential that this consent is recorded and clear.

This means that candidates need to either give written permission or sign up to have their data kept by the recruiting agency.

Equally, if you have a job board, asking applicants to tick a box that says they agree to have their information stored and be contacted should satisfy regulations.

If you’ve made contact with a candidate over the phone and they have given permission for their data to be used, it is worth following up with a written message that confirms this is the case as well.

For colder messages to possible candidates, recruiters need to follow a procedure. The recruiter must have a “legitimate interest” in contacting these individuals. This means that the recruiter wants to consider the person for a real position.

If someone then responds to a cold message, it’s important to get consent for the use of their data.

  2. Explain your privacy policy

A clear and informative privacy policy is required for GDPR-compliant recruitment. This policy must explain in accessible terms how data is collected, stored, and protected as well as the options a candidate has to withdraw their information from circulation.

Below is a checklist of everything a privacy policy should contain:

  • The contact details of a data protection officer.
  • An explanation of what details will be kept in the recruitment database.
  • A description of who will have access to the data that is shared by the candidate.
  • Details on how the information will be protected.
  • A note of how long data will be kept.
  • A statement that outlines that data will only be used if there is “legitimate interest”.

Once you have created this policy, candidates need access to it throughout the recruitment process. 

  3. Audit your data

A clean database is a sure way to stay compliant. Companies must ensure that the data they use has been given with the permission of the data owner (candidate).

On top of that, if data is not relevant to recruiting purposes it must be cleared. If you use an ATS, make sure the system operates in a GDPR-compliant way. Software providers will be equipped to answer questions about regulation compliance.  

If you are implementing a new system yourself it needs to be GDPR-compliant “by design and by default”. 

  4. Be transparent

Candidates have a right to know how their data is used, so recruiters need to be honest.

If a candidate’s information is kept after a position closes, they need to be told why so that they can make a decision about how the data will be used. 

In addition, make it clear that candidates can exercise their rights and withdraw their data.

When a candidate asks for something to be done about their data, it’s important to know what they have the right to.

Candidates have the right to know how data will be used and to have the information updated and deleted. They also have a right to see what data is being kept and to suspend data from being processed.

Thriving and complying

Using data correctly is essential in modern recruitment. This is why PitchMe enables GDPR-compliant profile updates that let recruiters know if a candidate is a good match for a new role.

When attempting to follow GDPR recruitment policy it is always advisable to get a legal expert involved. However, these tips will help you to become a GDPR-compliant recruitment business. 
