The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
There are rights for people to access and control the information that companies hold about them, obligations for better data management for businesses, and a regime of fines.
In May 2018 it replaced the 1995 Data Protection Directive, on which UK law had been based; it remains UK law despite Brexit.
Does GDPR apply to Recruiters?
Who enforces GDPR regulation?
The Information Commissioner's Office (ICO).
What are the rules with GDPR?
There are 7 key principles, which are called Articles. These are explained in extensive detail on the ICO’s website, but in simple language, the following applies…
Candidates are entitled to know exactly how their data is collected and used
Candidates can ask what information has been collected about them
If there are mistakes in their data, Candidates can request to have them corrected
Candidates can have their data deleted from your records
Candidates are allowed to refuse data processing, for example, being sent communications
What is classified as Personal Data under GDPR?
Personal data is information that can be used to identify someone. Examples are:
Name / phone number / address / email address / date of birth / bank account / passport number / race / religious affiliation.
One piece alone might not identify a specific person, but when connected they reveal a vivid picture of the person and their personal details.
What is a ‘Breach’ under GDPR?
Any incident that leads to personal data being lost, stolen, destroyed, or changed is considered a data breach. Data breaches must be reported to the ICO.
How to remain GDPR compliant
Review processes and practices. Use "The 4 ‘W’s!"
WHOSE… personal data is processed?
Consider whose data you hold. For example:
Job alert registrants
Third party recruitment consultants
Referees / former employers
WHY… is personal data processed?
Consider why you collect, use and hold this data. For example:
Job alerts - holding individuals’ data to alert them about jobs they may be interested in based on their expressed preferences
Job applications - holding individuals’ data to assess their suitability for a job
Talent Pooling – holding individuals’ data to assess their suitability for future jobs that may or may not arise
Offers made - holding individuals’ data for offers made (whether accepted or not)
WHAT… personal data is processed?
Based on whose data you hold and why you hold it, review what data you’re holding and consider whether it is all necessary. For example:
Registration form content
Application form content
Offer / onboarding content
Email / SMS communications
WHEN… is personal data processed?
‘Processing’ includes the actions of obtaining, disclosing and deleting personal data. Consider the following points:
When is the personal data obtained? For example:
First stage application
Second stage application
To whom is it disclosed, and why?
How long is it retained?
How long is data held within your ATS or HR systems, versus offline, such as:
Offline Interview / Assessment Centre records
Print Outs / Exports
Action your GDPR strategy
Draw up a policy process and a governance/auditing process. These should be written for both those submitting information (candidates) and those receiving and processing it (your employees).
Adapt your recruitment policies, processes and user roles accordingly.
Communicate and train this out across your organisation.
How does GDPR relate to your ATS?
Review the data collected, who has access, and where necessary adapt:
Sifting/shortlisting forms or any other selection-orientated data stored
Ensure you have a link to your policy/process document - explicit as to why you are asking for this data and how you intend to use it - available to candidates immediately before the option to register their details.
Consider adding a footnote to each email communication explaining why the recipient has been sent the email, and whom they should contact if they have a concern.
In the case of automated marketing communications – most usually ‘Job Alerts’ - draw attention to the fact that they can unsubscribe from these alerts and, where there is no self-service unsubscribe button, provide steps on how to do so.
If your ATS offers a way for candidates to self-delete their personal data, activate it. If it doesn’t, or you're bound by another piece of legislation to keep it for a specific period, then implement and communicate a process for handling ad-hoc requests for data removal.
The GDPR does not apply to data that is anonymised in such a way that an individual can no longer be identified from the information on its own, or “reconstituted” with other data to enable identification, as it is no longer "personal data".
So, check that your ATS has:
Anonymity settings; if so, activate them!
The capability to archive data in such a way that the personal data is removed but the remainder kept. This will give you lots of GDPR-compliant data you can use for analysis and reports.
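The archiving capability described above, as an added example that is not part of the original article or any ATS product: an allow-list keeps only non-identifying reporting fields, and a leak check refuses to archive a record if a personal-data value (for example an email address pasted into another field) would survive. The field names and the sample record are assumptions for illustration.

```python
# Added example (not from the original article): archive a candidate record
# with the personal data removed but the remainder kept for reporting.
# Field names below are assumed; adapt them to your own ATS export.

# Fields the article lists as personal data.
PERSONAL_FIELDS = {
    "name", "phone", "address", "email", "date_of_birth",
    "bank_account", "passport_number", "race", "religious_affiliation",
}

# Allow-list of non-identifying fields worth keeping for analysis.
# An allow-list is safer than a deny-list: a new field added to the
# application form is dropped by default instead of leaking into the archive.
ARCHIVE_FIELDS = {"job_ref", "source", "stage_reached", "outcome", "applied_year"}


def find_leaks(record: dict, archived: dict) -> list:
    """Return the personal-data fields whose value still appears inside
    any retained value (e.g. an email copied into a free-text field)."""
    return sorted(
        f for f in PERSONAL_FIELDS
        if record.get(f)
        and any(str(record[f]) in str(v) for v in archived.values())
    )


def archive_record(record: dict) -> dict:
    """Return a copy of `record` containing only allow-listed fields.
    Raises ValueError if the copy would still be re-identifiable."""
    archived = {k: v for k, v in record.items() if k in ARCHIVE_FIELDS}
    leaked = find_leaks(record, archived)
    if leaked:
        raise ValueError(f"personal data would survive archiving: {leaked}")
    return archived


# Constructed sample record with fictional values.
SAMPLE = {
    "name": "A. Example", "email": "a.example@example.invalid",
    "phone": "+44 0000 000000", "date_of_birth": "1990-01-01",
    "job_ref": "REQ-001", "source": "job_alert",
    "stage_reached": "interview", "outcome": "rejected", "applied_year": 2018,
}

if __name__ == "__main__":
    print(archive_record(SAMPLE))
```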