Speakers corner: Rana Hein-Hartmann shares suggestions on what in-house HR teams should know about handling candidates’ personal data after new EU rules come into play next month.
If you’re involved in HR or talent acquisition, you need to be concerned about GDPR, the General Data Protection Regulation. The directive is designed to reinforce the rights of around 750 million people living across the EU, as to how companies hold their personal data. It is the biggest shakeup ever in the history of online privacy, and because recruitment runs on personal data, the field is especially affected.
Companies that candidates apply to will need to ensure that they have explained, from the very start, how candidates’ information will be used and processed and how long it will be held for; candidates can at any time ask to see copies of their data, or ask for proof of its deletion on request. Data on EU citizens cannot be held, or backed up, anywhere outside the EU.
Unless they apply for specific roles, thereby giving their consent, candidates can object to the processing of their data for profiling purposes on new roles, and they can request that their personal data be deleted at any stage of the application process. I would imagine that could cause problems for employers, as both successful and unsuccessful candidates can request to have their data deleted after the process has ended, thereby leading managers to meet the same candidates again for similar positions in the future.
Key steps companies should take:
A data mapping exercise
Think about the journey your typical candidates’ data will take, from the moment it enters your organisation. You should document what information you collect at every stage of your recruitment process, and how your organisation uses that data.
Review your privacy notice
Your privacy notice should be easily accessible to candidates on your careers site and you should use it to clearly state what personal data you will collect and how you will process it. You also need to include:
Your organisation’s identity and contact details
The purposes and legal basis for processing
Details on other recipients and cross-border transfers
How long you will store data for
Your data subjects’ rights
The existence of any automated decision-making
Working with agencies
As a responsible employer, you should make sure the recruitment agencies you work with are GDPR compliant. The same is true for any HR tools you use, should they hold your candidates’ data, and any service providers involved in the processing of that data.
If you send emails to candidates, you’ll need to include a clear ‘opt-out’ option at the bottom of each email (you should do this already under the Privacy and Electronic Communications Regulations). You should consider linking to your privacy notice in every candidate communication too.
Disclaimer: I am not a lawyer, so this article and the opinions expressed are solely mine, and are based on what I have learned about the GDPR, and are for information purposes only.