Having seen what the General Data Protection Regulation changed for recruiters, you now have to think about how to comply. The most important step towards GDPR compliance is to put in place a recruiting infrastructure capable of handling candidate data properly.
Here are some tips to achieve this.
(This information reflects our own point of view. Always seek advice from a legal team.)
1. Obtain a second consent
Generally, candidates consent to the ad hoc processing of their data when they apply for a job offer. But companies often store candidate data for future recruiting needs as well.
To avoid any issues, we strongly recommend that you request a second, explicit consent from applicants before storing their CVs in your database for later use.
For example, when you email a candidate to say that their application has been rejected, ask for their consent before keeping their data. This way you will know for sure whether the candidate is willing to be added to your talent pool, and you will have a lawful basis for keeping their data and coming back to it later. Candidates are generally happy to know that they may be contacted again in the future.
2. Adjust your policies to better inform candidates
Make sure to update your privacy policy regularly. You also need to define how candidate data is handled as part of your recruiting process. This is not an easy task.
You must be transparent about the type of data collected and the reason for collecting it. It is a good idea to include the six rights of applicants in your privacy policy. As a reminder, these rights are:
- Right of access of the data subject: applicants can ask to be informed of how their data will be processed, or even ask to see all of the personal data you have collected about them.
- Right of rectification: applicants may ask you to correct or update their data in your applicant database.
- Right to erasure (“Right to be forgotten”): applicants may ask you to delete their data from your applicant database.
- Right to restriction of processing: applicants may ask you to suspend the processing of their data in your database of applicants.
- Right to data portability: applicants can ask you to export all of their data from your applicant database in a usable format.
- Right of opposition: applicants can ask you to stop processing their data, indefinitely.
Present these rights clearly, and separately from other information. The way you handle candidate data should likewise be clearly explained and easy to find.
3. Establish a data-sharing agreement (GDPR compliant) with your partners
Are you a recruitment agency that shares candidate profiles with its clients? Or, do you share candidate profiles between different agencies, under the supervision of a parent company?
If so, do you know who is responsible in the event of a personal data breach?
To avoid litigation, you should set up a data-sharing agreement that keeps both parties compliant with the GDPR.
The contract must define the conditions of use of personal data, namely:
- The purpose of the processing
- The duration of the processing
- The nature and purpose of the processing
- The types of personal data
- The categories of data subjects
- The obligations and rights of the controller
Make sure the contract also covers what happens in the event of a breach, as well as the responsibilities of each party.
4. Work with subcontractors established in the EU
The GDPR sanctions non-compliance with the obligations it imposes, even outside the borders of the European Union. Every company that deals with the EU has to comply with the GDPR – even if it only deals with a single partner established in an EU country. As a data controller, you should only use processors who deploy sufficient measures to meet the requirements of the GDPR.
5. Work with subcontractors who have an exemplary privacy policy
Even if you take drastic measures and protect yourself with sharing agreements, it is always better to deal with exemplary companies. Go for a sub-processor that encrypts all candidate data.
Data encryption converts the information you enter into unintelligible (encrypted) characters using an encryption key, so that it cannot be read without that key.
At Recruitee, we take all necessary measures to encrypt all your confidential messages as well as your login information. These measures guarantee the highest level of security for the protection of the data you entrust to us.
6. Have a constantly updated candidate database
Collect candidate data for recruiting purposes only. Your recruitment software should, through its various features, let you ensure that only relevant candidate data is collected. The Recruitee ATS, for example, has a CV import and parsing feature.
If you consider that a candidate's profile no longer meets the requirements for a vacant position, you should delete their data from your system. And if you still hold data collected in the past without the candidates' consent, it is imperative to ask for their consent to keep it. Who knows, you might end up developing a good relationship with these talents!
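To make tips 1, 2 and 6 concrete, here is an added example of a consent-gated candidate store. It is illustrative code written for this article, not Recruitee's software: the class and method names, the 30-day post-vacancy retention rule and the sample candidates are all assumptions. It keeps a CV beyond the original application only once the second consent is recorded, exposes the six data-subject rights as operations, gates processing on restriction and objection, and purges applications that have lost their lawful basis.

```python
"""Consent-gated candidate store (illustrative, not Recruitee's code)."""
from __future__ import annotations

import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Candidate:
    candidate_id: str
    email: str
    cv_text: str
    applied_for: str                                   # vacancy the CV was sent for
    applied_at: datetime
    talent_pool_consent_at: Optional[datetime] = None  # the "second consent" (tip 1)
    restricted: bool = False                           # right to restriction
    objected: bool = False                             # right of opposition


class CandidateStore:
    # Assumed retention rule: an application without talent-pool consent is
    # deleted this long after the vacancy it was sent for has been closed.
    POST_VACANCY_RETENTION = timedelta(days=30)

    def __init__(self) -> None:
        self._records: dict[str, Candidate] = {}
        self.audit: list[str] = []   # accountability trail of requests handled

    def add(self, c: Candidate) -> None:
        self._records[c.candidate_id] = c
        self.audit.append(f"stored {c.candidate_id} for vacancy {c.applied_for}")

    def record_talent_pool_consent(self, cid: str, when: datetime) -> None:
        """Tip 1: only this explicit consent justifies keeping the CV for later."""
        self._records[cid].talent_pool_consent_at = when
        self.audit.append(f"talent-pool consent from {cid} at {when.isoformat()}")

    # ---- the six data-subject rights listed under tip 2 ----
    def access(self, cid: str) -> dict:
        return asdict(self._records[cid])

    def rectify(self, cid: str, **fields) -> None:
        c = self._records[cid]
        for name, value in fields.items():
            if name != "candidate_id" and hasattr(c, name):
                setattr(c, name, value)
        self.audit.append(f"rectified {cid}: {sorted(fields)}")

    def erase(self, cid: str) -> bool:
        existed = self._records.pop(cid, None) is not None
        self.audit.append(f"erased {cid}")
        return existed

    def restrict(self, cid: str) -> None:
        self._records[cid].restricted = True

    def export_portable(self, cid: str) -> str:
        # Machine-readable export for the right to data portability
        return json.dumps(asdict(self._records[cid]), default=datetime.isoformat, indent=2)

    def object(self, cid: str) -> None:
        self._records[cid].objected = True

    def processable(self, cid: str) -> bool:
        """Gate every search, match or share on this before touching a record."""
        c = self._records[cid]
        return not (c.restricted or c.objected)

    # ---- retention hygiene (tips 1 and 6) ----
    def purge_expired(self, closed_vacancies: dict[str, datetime], now: datetime) -> list[str]:
        """Delete applications whose vacancy is closed and that carry no
        talent-pool consent; returns the ids removed."""
        removed = []
        for cid, c in list(self._records.items()):
            if c.talent_pool_consent_at is not None:
                continue                       # consent is the lawful basis to keep
            closed_at = closed_vacancies.get(c.applied_for)
            if closed_at and now - closed_at > self.POST_VACANCY_RETENTION:
                removed.append(cid)
                self.erase(cid)
        return removed

    def awaiting_consent(self) -> list[str]:
        """Candidates still to be asked for the second consent (e.g. in the rejection e-mail)."""
        return [cid for cid, c in self._records.items() if c.talent_pool_consent_at is None]


def demo() -> dict:
    """Walk constructed sample candidates through the lifecycle; returns the observable results."""
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    store = CandidateStore()
    store.add(Candidate("c1", "ana@example.com", "CV text 1", "job-42", t0))
    store.add(Candidate("c2", "ben@example.com", "CV text 2", "job-42", t0))
    to_ask = store.awaiting_consent()                     # both, before the rejection mail
    store.record_talent_pool_consent("c1", t0 + timedelta(days=2))  # only c1 says yes
    removed = store.purge_expired({"job-42": t0 + timedelta(days=10)}, now=t0 + timedelta(days=60))
    store.restrict("c1")                                  # c1 exercises the right to restriction
    export = json.loads(store.export_portable("c1"))
    return {"to_ask": to_ask, "removed": removed, "c1_processable": store.processable("c1"),
            "export_email": export["email"], "remaining": sorted(store._records)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the advice working together: the candidate who never gave the second consent is deleted once the vacancy has been closed for longer than the retention window, while the consenting candidate stays in the talent pool, and a restriction request immediately stops that record from being processed without deleting it.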
7. Continue to comply with the GDPR during your sourcing
Sourcing will continue to play an essential role in recruiting. You just have to adapt it to respect data privacy. You should therefore make sure to follow all the steps specified in the GDPR.
Share all required information with applicants you are contacting for the first time, and before allowing your clients access to their data (if applicable). Pay attention to the tools you use. Some browser extensions are substandard and will cause you to collect data in questionable ways. You must be able to explain and justify the acquisition of any data, so you are responsible if you collect data whose origin you do not know.
The GDPR is a complex subject, and companies are doing a lot of work to become compliant. However, if you follow the principles of transparency in data acquisition and processing, and the advice given in this article, the GDPR should be clearer for you and your hiring.