Alex Hyett
CEO and Founder of GrowRecruit

How does GDPR affect your recruitment process?

Unless you have been living under a rock for the past year, you will have heard about the General Data Protection Regulation (GDPR), which came into force on 25th May 2018.

GDPR is an EU regulation that has affected every business, from small-time bloggers and schools to large international companies. In fact, even if your company is based outside the EU, you may still be affected by GDPR if you hold any data about EU citizens.

So what is GDPR?

GDPR has been put into place to protect the data of EU citizens. A number of large-scale data breaches have occurred over the last few years, and this is one of the reasons why we have GDPR now.

GDPR is there to enforce how you process, store and handle personal data. For recruitment these are the main points you need to be aware of:

  • Candidates that you hold information on, or plan to hold information on, should be aware of what their information is being used for. You should only hold information about a candidate that is required to process their application. You may need to store their contact details and skills, but you don’t need to keep their religious beliefs.

  • You need to obtain consent or have a legitimate interest before you can store a candidate’s data. As with all legislation, there are always some grey areas involved. You could argue that holding information about potential candidates is a legitimate interest and therefore you would not need consent. In either case, it is best to consult a GDPR professional before making a decision in your organisation.

  • You need to audit whether the candidate has given their consent for you to process their data. Using an automated system can help a lot with this.

  • Candidates can change their consent at any point and need a way to access and update the information you hold on them. Your ATS or CRM should have a way for them to do this to make things easier.

  • Candidates must opt-in for you to be able to contact them.

What steps do you need to take to comply with GDPR?

GDPR can be pretty confusing and therefore it is important that you get legal advice about how GDPR affects you. These are the steps that you should take to make sure you are complying with GDPR.

Step 1: Make everyone aware

GDPR affects everyone in your organisation that has contact with personal data. This includes information sent in an email as well as the data in your ATS. You may want to appoint someone in your organisation to become a “Data Protection Officer” so there is a central person to coordinate everything.

Step 2: Understand your data exposure

The nature of recruitment generally means there could be multiple points for candidates to contact you. Some may be sending in CVs by email, others through your careers website or through social media. It is important that you understand all the places that may contain personal information about a candidate.

You also need to pay attention to what personal information you hold, where it was obtained from, whether the candidate gave you the consent to hold that information and what information you actually need to keep. The new regulation means you are required to keep records about candidates up to date.

Unfortunately, there isn’t a certificate you can get to show that you are GDPR compliant. Instead, it is all about showing intent that you are trying to follow the regulations, making sure you have an audit trail of how you have complied.

Step 3: Simplify how you store candidate data

The more places you have candidate data stored, the harder it is going to be for you to stay compliant with the law. If you have candidate data spread across emails, calendar events, spreadsheets, etc., there are more places you will need to update and check to stay compliant.

So as well as appointing one person as a Data Protection Officer, you should also try to keep the number of places that hold candidate data to a minimum. An ATS or CRM can be a great place to store and keep all information in a central location.

Step 4: Update your Terms of Use and Privacy Policies

Your terms of use or privacy policy should be the central place for candidates to find out how their data is being used.

It is important that it is updated to comply with GDPR and covers the following points:

  • How you are storing candidate data
  • How long you plan to keep candidate data for
  • What rights candidates have to access the data you hold on them
  • The right for candidate data to be deleted on request
  • The reasons why you are holding information about a candidate

It is important that you are clear here about what information you are holding about candidates. GDPR is there to protect people from the sort of data misuse that has been seen in the past. You need to be transparent about what information you are holding, what you are doing with it and how long you are holding it for.

Step 5: Have a plan in case of a data breach

GDPR is there to protect against the misuse of personal data. The only way you can truly protect personal data is to have the right procedures in place in case of a data breach. You need to have a procedure in place to detect data breaches and to inform the ICO about any such breaches within 72 hours of them being discovered.

If there is a risk to the rights and freedoms of the individuals you hold data about then it is important that the ICO is notified about the breach.

How can GrowRecruit help with your GDPR process?

We have added a few features in GrowRecruit to help you stay compliant with the new regulations.

One of the main highlights of GDPR is being able to obtain consent from prospective candidates before you process their data.

Consent for each candidate is shown clearly when you open up the candidate profile:

[Screenshot: Consent on Profile]

From here you can send a request to the candidate and edit the email before it is sent. Alternatively, you can just copy the link to the candidate’s consent page and send it to them through another channel.

[Screenshot: Send Consent Email]

On the consent page, the candidate can easily grant or reject their consent, as well as update the personal information you hold on them.

[Screenshot: GDPR Consent Page]

Don’t like the default text? No problem! All of the text shown on this page can be changed by Administrators within your GrowRecruit settings.

Once consent has been granted or rejected it is clearly shown on the candidate profile page:

[Screenshots: Consent Granted; Consent Rejected]

You can easily filter candidates by their consent status on the main candidate screen and delete them en masse if required.

[Screenshot: GDPR Filter]

Whether you are an independent recruiter or a large recruiting agency, GDPR affects us all. It is important that you have procedures in place to cope with the new legislation.

Hopefully, your current CRM or ATS covers your needs to comply with GDPR; if not, why not give GrowRecruit a try for free today?