GDPR affects recruitment by changing how personal data can be collected, stored and used. It becomes more difficult to process large volumes of candidates without having an actual relationship with each candidate. How should you best handle the personal data of candidates, and when must you delete it? To answer these questions, read this introductory text on how GDPR affects recruitment.
Data Processing in Recruitment
Recruitment often includes the processing of personal data. The processing generally occurs when the recruiter gathers data on potential candidates and performs a search among them. The data processed can include contact information, grades, certifications, CVs, general data, tests and other documents. You may also process personality and skills tests and document an interview with the candidate.
Update your personal data inventory (records of processing) to reflect your recruitment practices. Respect the retention periods of different data categories and make sure to delete data of unsuccessful candidates as soon as practically possible.
Sometimes it is beneficial to use an external party, such as a specialised recruitment firm. That means the external party will share personal data with the hiring company. In that situation, the recruitment firm must only share data on a few selected candidates. The agreement with the external firm must be clear and be accompanied by a suitably worded data processing agreement.
GDPR Affects Different Types of Recruitment
There are mainly two ways to perform recruitment. The first is the traditional individual job posting. The second is where candidates apply through a recruitment platform. Depending on how you recruit, both the legal basis for the processing and the information you must provide to the data subjects differ. Therefore, in the following, we describe the legal basis and the information to give in both situations. After that, we describe the special category of recruitment known as External Search. We round off this article by describing how to process two data types relevant to the recruitment process.
Individual Job Posting
A data subject applies to a job listing. The candidate sends their application to either a recruitment firm or the hiring company.
The main legal basis for the processing is the contract for recruitment. However, consent is also possible if it fulfils the legal requirements; that is, it must, for example, be explicit and freely given.
It is also important to provide the applicant with relevant information about the processing activity. This information must be clear, and you must give it in an appropriate and easily accessible way. The information provided to the data subject should advise them not to attach sensitive data to the application. Additionally, if the legal basis for the processing is consent, you must inform the applicant of the right to withdraw that consent at any time.
According to GDPR, if the data will be stored for future recruitments, the applicant must be informed of this and must be able to withdraw their consent or object to the processing.
GDPR’s Effect on Recruitment Platforms
Recruitment firms, and larger organisations, often use recruitment platforms to process the data of candidates. The data can include various documents, such as a resume and notes from an interview. The data can be of a more or less sensitive nature; sometimes it is the combination of data that could be considered intrusive. As a rule of thumb, recruitment platforms use personal data in ways that mandate a data protection impact assessment: often there are large-scale data sets, candidates are profiled and scored, and data sets from different sources are matched.
The legal basis for the processing can be contract, consent or legitimate interest.
Legitimate interest can be used when, first, there is a documented legitimate interest and, second, this interest outweighs the applicant's interest in not having their personal data processed. Since it is in the applicant's interest to be recruited, this is normally not a problem, because the candidate has applied for the job themselves. However, you cannot process more data than you need to fulfil the identified interest, such as providing an effective and purposeful service.
Head Hunting (External Search)
Sometimes a hiring company, either on its own or with the help of a recruitment firm, performs an External Search (also called headhunting). This search can be based on legitimate interest, provided that the headhunter respects the potential candidate's restrictions in terms of availability to the job market. The legitimate interest can, for example, be to find talented candidates to recruit; it can also include informing these candidates of an offer and mediating it.
When a headhunter has collected some candidates by searching the web, the headhunter must contact each individual and ask for his or her consent to proceed. The candidate must receive information about, for example: what personal data has been collected, from what sources, the retention periods, the recipients of the data, the purposes and legal basis, the individual rights of the candidate, and the fact that the candidate may object to further processing.
A rule of thumb is to communicate within the same channel as you found the CVs – such as LinkedIn Recruiter, or LinkedIn. Do not export the data into your own CRM or email program and continue the recruitment process without the candidate’s consent.
For an External Search to be compliant with GDPR, it cannot include more data than what is strictly necessary and relevant to the job offer. You must inform the data subject about the processing, and you must give the data subject the opportunity to object to it.
Special Category Data
According to the data minimisation principle, a controller must limit the data it processes to what is necessary. You assess necessity with regard to the purpose of the processing. A recruiter cannot process special category data if it is not relevant to the specific job offering, and information about this collection must be provided at first contact, i.e. in the job listing. This includes both health data and data on criminal records.
Managing the References
In recruitment it is common to process the data of references. These references normally only include a name and a way of contacting them, such as a phone number. It is the applicant's responsibility to tell the reference about the processing of their personal data, but the recruiter must inform the applicant of their responsibility to talk to their references.
In Conclusion: How GDPR Affects Recruitment
- Update your personal data inventory (records of processing) to reflect your recruitment practices;
- If you use an external recruitment firm – set clear agreements including a data processing agreement;
- Respect the retention periods and delete data of unsuccessful candidates as soon as practically possible;
- Individual Job Postings – be clear with any specific use of data in the job listing, and ask for the candidate’s consent if you would like to keep the application for future use;
- External search and sourcing – always ask and document the candidate’s consent when you wish to progress with the candidate;
- If you are recruiting for senior job postings that require more in-depth control of any viable candidates, then include any such information in the very beginning, in the job listing itself; and
- When taking references, make sure that the applicant knows how you will use the reference’s data and make the candidate contact the reference before contact is made.