
Talentvine blog


The Ultimate Recruitment Guide to GDPR Compliance

Posted by Damon Ankers on 12-Feb-2019 10:35:00


Announced in April 2016 and enforced from May 2018, the General Data Protection Regulation (GDPR) dominated business conversations for what seemed like an eternity.

For months those four syllables sent cold shivers down the spines of anyone whose role involved handling personal data. An absence of meaningful public information made GDPR complex to understand and wide open to interpretation.

Exacerbated further by the sometimes contradictory information provided by pop-up 'GDPR experts', many of us were left giving ambiguous answers and scrambling back to our desks to ask our trusted friend Google.

Sound familiar? Don't worry you're not alone. GDPR became the second most googled query behind the 2018 phenomenon that was Bitcoin.

With the dust settling and several companies now paying the price for poor compliance, we've put together our GDPR knowledge in this blog to help HR professionals, IT teams and business leaders understand how to stay in control of recruitment data and ensure compliance.

The hype around GDPR was similar to that of the Millennium Bug: as the clock ticked past 12 into the early hours of May 25th, the world as we knew it was about to change.

The apocalyptic regulations designed to wipe out bad business practice and bankrupt those who dared to defy were now in full effect. 

Like many I commuted to work that Friday optimistic. Today was the day that my inbox would finally be free from the regular bombardment of unsolicited emails.  

Upon arriving in the office I loaded my computer and to my delight my hopes and thoughts were confirmed. Not a single spammy email...until 10.06am. 

Could it be that Gary was simply unaware of what day it was?! As a fellow marketer I gave him the benefit of the doubt, unsubscribed and moved on with my day. 

And so, the rest of the morning passed swimmingly by without interference. But all was about to change... As I sat down for my eagerly awaited lunch I whipped out my mobile and placed it on the table. Just as I raised my sandwich toward my mouth the phone began to ring. 

Typical... But who could it be? I quickly gobbled down my first bite and answered to the greetings of a burly northern voice enquiring about my recent car accident. Through clenched teeth I politely requested that my details be removed and hung up the phone. It was clear: GDPR hadn't changed a thing...

Several months later my opinion has somewhat changed. With global powerhouses such as Google facing court charges and an increasing number of organisations falling under the ICO's magnifying glass, it's clear that GDPR was no charade and compliance is compulsory.

The majority of us didn't leave compliance to chance and took the necessary steps to be compliant, but 10 months on, are you still compliant? In this article we'll highlight how to ensure GDPR compliance in recruitment.

According to Privacy News Online, GDPR complaints were being filed just 6 minutes after GDPR came into force! But what are the ramifications for non-compliance?

Failure to comply with GDPR could see companies incur a maximum penalty of up to 20 million euros or 4% of annual turnover, whichever is higher!

Notable Breaches


Between 21st August and 5th September 2018, British Airways suffered a cyber-attack that led to the loss of 380,000 customers' details. It has been reported that the data breach could cost them up to £500 million in fines.

In November 2018 Marriott Hotels confirmed that they'd suffered a data breach. Credit card details, passport details and customer dates of birth were stolen from as many as 500 million customers.

This costly breach could cost Marriott up to 4% of their annual turnover, which would equate to a maximum fine of £117 million.

On 21st January 2019 the CNIL (France's National Commission on Informatics and Liberty) imposed a fine of 50 million euros (significantly lower than the maximum possible fine) on Google under GDPR. The charge was based on lack of transparency, inadequate information and the absence of valid consent in regard to how Google was advertising to its users.


Key GDPR Terms in Relation to Recruitment 


"Data Subjects" = Candidates

When applying for a vacancy, candidates typically provide potential employers with personal data such as their name, address, email and telephone number. In GDPR terms candidates are referred to as "data subjects", because they can be identified from the personal data they provide to you throughout the hiring process.

The GDPR was brought into effect to protect this data and ensure it's safely secured and used only for its intended purposes. 

"Data Controllers" = Employers.

Employers, and in this case recruiters, are directly responsible for candidate data and are therefore deemed to be the "data controllers". Data controllers are liable for protecting candidate data and must take appropriate care when handling it, ensuring that the data is used lawfully and for its intended purpose.

"Data Processors" = Recruitment Software.

In the eyes of GDPR any tool used to manage candidates is deemed a "data processor"; for most companies this is the Applicant Tracking System (ATS). Your ATS provider is responsible for processing applications on your organisation's behalf, following your instructions and processes. The processor is also responsible for ensuring your data is secure and protected from cyber attacks and breaches.

6 Key GDPR terms to ensure recruitment compliance



For recruiters the handling of personal data is an everyday occurrence. Sourcing and screening candidates requires filtering through large quantities of CVs, cover letters and application forms.

The recruiter's main objective is of course to identify talented applicants. For every great candidate there are umpteen applicants who don't fit the bill.

For seasoned recruiters the handling and management of candidate data is often done on autopilot. With a slip-up in the management of candidate data carrying catastrophic repercussions, it's never been more important to make conscious decisions about how to appropriately handle, store and dispose of data.

To save you reading through and interpreting the full 88-page GDPR document, we've put together 6 key rules recruitment teams must abide by.


1. You need to have legitimate interest to process candidate data.     

GDPR makes it obligatory for employers to collect only essential information. Data captured has to be specified, explicit and for a legitimate purpose. This means that you must only collect information relevant to the job application, and candidates will only be considered for the vacancy they have applied for unless specified otherwise upon application.

2. You need to have a candidate's consent to process sensitive data. 

GDPR requires data controllers to ask for consent when processing sensitive data, for example disability, faith or gender information. You must also provide candidates with clear instructions on how they can withdraw their consent should they wish to withdraw their data at any point in the process.

3. You need to be transparent when processing candidate data.  

All businesses should have a privacy policy in place. In addition to displaying it on your organisation's website, recruiters should make the policy available to candidates when they apply for a vacancy. In this statement you must inform candidates of the data processor (ATS provider) that will be collecting their data and state that the data collected will be used purely for recruitment purposes.

4. You need to take accountability for compliance.  

All businesses must be able to demonstrate GDPR compliance and are held accountable for the companies they employ to handle data. For example, if your data processor (ATS provider), acting on your instructions, were deemed to be non-compliant, you would also be liable.

5. Candidates have the right to be forgotten at any point. 

Candidates have the right to request that their data stop being considered and processed, or be deleted completely. You must comply within one month and remove their details from the collection point and anywhere else their details may be stored, e.g. the ATS, spreadsheets and the hiring manager's inbox.

6. Candidates have the right to access their data or edit their data at any point.   

Candidates have the right to request the data you hold on them at any point. Under GDPR you must acknowledge and action their request within one month and provide an electronic copy at no cost to the candidate.

9 steps to recruitment data compliance 


No one wants to be accountable for putting personal data in jeopardy and attracting unwanted attention from the ICO. Here are 9 tips to help you stay compliant year round:

Keep track of your recruitment data:

To ensure compliance it's imperative that you thoroughly understand your current processes: the data you collect, how much of that data you use, how it's processed and where it's stored.

With regards to recruitment data you must ensure that you're clear about where and how you find and store information that could be used to identify a candidate such as names and contact details. Here are a few questions you need to be able to answer upon completion of a data audit: 

  • What sources do we use to collect personal data and how do we collect it? You may want to record the job boards you use or plan to use and how you will collect candidates' information, e.g. from an application form.
  • What data do we ask for and how much of it do we use? Certain information such as contact details is essential to collect and can be collected under legitimate interest; a recruiter wouldn't be able to consider and contact candidates without it. If the information you're requesting has no relevance to the vacancy the candidate has applied for, then you shouldn't be collecting it.
  • How are we using personal data? Personal data is used by most companies in the screening process to ascertain a candidate's suitability, but do you use it for anything else?
  • Where is the personal data stored and who can access it? Most companies store candidate data centrally in an Applicant Tracking System. Make sure you know who has access and ensure former users no longer have access to the data.
  • How does data circulate within the organisation? For example, if you're using an Applicant Tracking System you must know what happens once data enters the system and who it goes to for review. Does your data stay central, or does it go back and forth between recruiters and hiring managers for review?


Keep your privacy policy relevant:

To maintain compliance you must have a transparent privacy policy in place that informs candidates how you plan to collect, process and protect the data they submit. There must also be clear instructions on the steps data subjects can take to request a change to their data or to have their data permanently removed from your records.

To further ensure compliance your organisation may also benefit from having a privacy notice dedicated to recruitment. This can be emailed to candidates upon application to your vacancies. A good privacy policy must include the information required by GDPR Article 13 and Article 14 in addition to a recap of the actions your company undertakes to ensure data protection. 

A strong recruitment privacy notice must contain the following:

  • Clear contact details - You must clearly state how candidates can get in touch with your business. You must provide a monitored email address and ideally list the name of your Data Protection Officer (DPO) if you have appointed one.
  • A statement on how you intend to use candidate data - You must state that the data you're collecting will only be used for recruitment purposes and nothing else. If your organisation recruits on a regular basis then you may want to keep hold of candidate data for an extended period in anticipation of upcoming vacancies. You must inform candidates of this in your privacy policy and explain why you are retaining their details (under legitimate interest).
  • The information you keep on file - Tell candidates about the particular information you will be keeping on file, such as contact details and work history.
  • Who will have access to candidate data - For example, the central HR team may have access to the candidate data in addition to the hiring manager.
  • Who your data processor is and where the data will be stored - Tell candidates who your data processor is (your ATS provider) and where their data will be stored; this is particularly critical if the data is transferred outside of the EU.
  • How long details will be held - Tell candidates how long you will hold their details on file before removing them from your systems.
  • The candidate's rights - Candidates have the right to be forgotten and to withdraw consent at any point, and you must give instructions on how candidates can request the removal of their data.
  • Instructions on how candidates can request changes - Let candidates know how they can access the data you hold and how they can get in touch about deleting or rectifying this information.
  • The processes you have in place to protect candidate data - This could be an overview of your organisation's general privacy policy.


Sourcing applications responsibly:

Recruitment advertising is essential to sourcing candidates for positions and candidate data compiled from applications must be safely stored to ensure GDPR compliance. 

To process a candidate's data you need to have a legitimate interest in doing so. Here are some tips to ensure candidate data is sourced and stored correctly:

  • Intent to use data - You must only advertise genuine vacancies. Speculatively building talent pools for future use is not compliant under GDPR.
  • You must intend to contact candidates - You can only keep candidate data for up to one month. Contact candidates as soon as possible and regularly delete candidate data that is held unnecessarily.
  • Ensure data is obtained lawfully - Using data from social platforms IS legal under GDPR; however, these profiles must be publicly available for you to contact the candidate about a role.


Ensure the job application process complies with GDPR

Application forms are often used by organisations to capture more in-depth data from candidates. If you use application forms as part of your recruitment process, here are some tips to ensure your application process is fully compliant.

  • Only ask for personal data that you need - The data you request from candidates must be necessary and relevant to the performance of the job the candidate is applying for.
  • Be clear from the get-go - In your job advertisements state that candidates will be required to fill out an application form, and inform them how you plan to use the data and how long you will keep it.
  • Quote and link to your privacy policy - Inform candidates where to find your privacy policy and provide links where possible. Include information and/or instructions on how a candidate can remove or change the data they have submitted.


Keep candidate emails fresh, compliant and candidate-centric

If a vacancy receives a number of quality applications you may want to keep their data on file for future vacancies; however, to be compliant with GDPR you must not keep their data any longer than the period stated in your GDPR statement.

How you approach candidates about their data depends on the length of time you have stated. If, for example, you have stated that you will keep their data on file for a year, you do not have to communicate with them again until that year has passed. However, once that year has passed you must contact the candidate, ask if they would still like to receive information about your vacancies, and opt them back into communications. If a candidate does not reconfirm then you must delete their data.

On the other hand, if you've stated that you will keep a candidate's details until the position they applied for has been filled, then you must actively get in touch with the candidate if you wish to keep their data on file.

Emailing each candidate you wish to keep on file individually isn't an efficient use of your time. Why not include an automated rejection email in your ATS workflow covering the points below.


  • Tell candidates why you wish to keep their details on file - "Hi John, we're sorry to inform you that on this occasion your application hasn't been successful. However, we did think you were an exceptional candidate and would like to keep your data on file for future opportunities, if you would be happy for us to do so."
  • Give the candidate a specific length of time for which you would like to hold the data - "If you give us your permission to do so, we will keep your data on file for a further year and contact you about any relevant opportunities that match your skill set."
  • Inform candidates that they can delete or alter the data you hold on file at any point - "Please be aware that you can withdraw or change your details at any point within that year. You can find further details and instructions on how to ask us to change or remove your details in our privacy policy here (add in your privacy policy link)."


Inform candidates of data processing whenever you receive their data

Most large organisations also participate in offline recruitment activities such as career fairs and recruitment open days. Receiving applications offline is lawful under GDPR; however, you need a way of collecting consent to process the applicants' information.

One way to do this is to create a form containing your GDPR terms for offline applicants to read and sign. If this option doesn't work for you, there is another: if a candidate has verbally expressed an interest in working for your organisation, you may take their email address and email them from your Applicant Tracking System with a link to your job vacancy and privacy policy.

Ensure your software vendors are and continue to be compliant

Your chosen data processor (ATS provider) has full access to your candidate data which is why GDPR requires providers to protect candidate data to the same degree as employers.    

If you're using an ATS, here are a few checkpoints to ensure compliance. Conversely, if you're not using an ATS, here's what you should look for from a provider:

  • Where are they based? Using an EU-based provider is preferable; however, if your provider is based outside the EU then they must be willing to sign data processing agreements committing them to abide by GDPR.
  • How do you know they're compliant? A reputable vendor should be able to tell you where your data will be stored and how they are going to protect it. They should also have data processing agreements in place with their own providers, such as data storage hosts.
  • Do they have a transparent privacy policy in place? Review the vendor's privacy policy to ensure that they're fully compliant with GDPR and have the processes in place to protect your data.


Put in place easy to follow, efficient processes for both candidates and recruiters

The key to mastering GDPR is to simplify the complex. Organisations need to make it easy for candidates to request that their data be changed, updated or removed. Internal processes should also be in place to make GDPR easy for your recruitment team to follow and comply with. Here are some guidelines and processes you may want to put in place:

  • Enable candidates to access their data upon request - You need a process in place to provide candidates with an electronic copy of their data if they decide to exercise their right to request their information.
  • Establish a process for deleting data - Recruiters who advertise on a regular basis are guaranteed to amass large volumes of candidate data. It's important to have a process in place to ensure data is removed and updated consistently in accordance with GDPR.
  • Data consistency - If a candidate requests a change to their data then the change must be made on every copy of the data you hold, so there must be a process in place for updating it. This shouldn't be too challenging for businesses that use an ATS and store candidate data centrally; however, for organisations that use multiple spreadsheets to record data this may be more difficult.


Disclaimer: Talentvine is a Software as a Service (SaaS) company and is in no shape or form a legal/law firm. Content included in this article has been generated from our own experience, legal professional guidance and research conducted into EU legislation. Organisations should take independent legal advice with regard to their own provisions for data protection.
