Paperjam.lu


If you’re involved in HR or talent acquisition, you need to be concerned about GDPR, the General Data Protection Regulation. The regulation is designed to reinforce the rights of around 750 million people living across the EU as to how companies hold their personal data. It is the biggest shakeup ever in the history of online privacy, and because it governs personal data, the field of recruitment is especially affected.

Candidate rights

Companies that candidates apply to will need to ensure that they have explained, from the very start, how the candidates’ information will be used and processed and how long it will be held for. Candidates can at any time ask to see copies of their data, or ask for proof of its deletion on request. Data on EU citizens cannot be held, or backed up, anywhere outside the EU.

Of course, it will be up to candidates to decide at the point of inputting their data if they would like to apply for a certain position or not. By doing so, and by reading the company’s privacy policy and still applying, they will be consenting to the company’s approach to what will happen to their data.

Unless they apply for specific roles, thereby giving their consent, candidates can object to the processing of their data for profiling purposes on new roles, and they can request that their personal data be deleted at any stage of the application process. I would imagine that could cause problems for employers, as both successful and unsuccessful candidates can request to have their data deleted after the process has ended, meaning managers may meet the same candidates again for similar positions in the future.

Key steps companies should take:

A data mapping exercise

Think about the journey your typical candidate’s data will take from the moment it enters your organisation. You should document what information you collect at every stage of your recruitment process, and how your organisation uses that data.

Review your privacy notice

Your privacy notice should be easily accessible to candidates on your careers site and you should use it to clearly state what personal data you will collect and how you will process it. You also need to include:

  • Your organisation’s identity and contact details
  • The purposes and legal basis for processing
  • Details on other recipients and cross-border transfers
  • How long you will store data for
  • Your data subjects’ rights
  • The existence of any automated decision-making

Working with agencies

As a responsible employer, you should make sure the recruitment agencies you work with are GDPR compliant. The same is true for any HR tools you use that hold your candidates’ data, and for any service providers involved in the processing of that data.

Candidate communications

If you send emails to candidates, you’ll need to include a clear ‘opt-out’ option at the bottom of each email (you should do this already under the Privacy and Electronic Communications Regulations). You should consider linking to your privacy notice in every candidate communication too.

Disclaimer: I am not a lawyer, so this article and the opinions expressed are solely mine, and are based on what I have learned about the GDPR, and are for information purposes only.

Rana Hein-Hartmann is European director of Funds Partnership, a recruitment firm specialised in the investment fund sector. She speaks at this week’s Delano Live event.