What is General Data Protection Regulation (GDPR) and How does it Affect Recruitment?

In a Nutshell

GDPR became enforceable on May 25^th of this year. Since this is a regulation, not a directive, GDPR doesn’t require national governments to pass any enabling legislation and is directly binding and applicable. It is said that, in some circumstances, violators may be fined up to 20 million Euros or up to 4% of the annual global turnover of the preceding financial year in case of an enterprise, whichever is greater.

The General Data Protection Regulation or GDPR (EU) 2016/679 is a regulation in EU law referring to data safety and privacy for all individuals in the European Union (EU) and the European Economic Area (EEA). It also addresses the export of non-public records outside the EU and EEA areas. The primary goal of the GDPR is to give control to individuals over their personal information and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Replacing the Data Protection Directive 95/46/EC, the regulation consists of provisions and stipulations pertaining to the processing of personal information of individuals (or ¹data subjects are defined in the GDPR) within the European Union, and applies to an enterprise established in the EU or—regardless of its location and data subjects’ citizenship—that is processing the ⁵personal data of people within the EU.

Key Changes

Although the key principles of data privacy from the previous directive are still visible, there have been a lot of proposed changes to the regulatory policies.

1. Consent – The conditions for consent have been strengthened, and corporations are no longer in a position to use long illegible terms and conditions. The request for consent has to be given in an accessible form with an attachment clearly stating the purpose of data processing. The consent must be clear and distinguishable from other matters. The consent must as easy to revoke as it is to give it.
2. Penalties – As mentioned earlier, organizations guilty of personal data breach stipulated in the GDPR can be fined up to 4% of annual worldwide turnover or up to 20 million Euros (whichever is greater). The gravity of the penalties varies depending on the violation that has been committed.
   • First offense or unintentional instance of non-compliance will receive a written warning
   • Relevant authorities will conduct regular audits
   • Failure to have their records in order or failure to notify the candidate and relevant authorities regarding a data breach will receive a 10 million Euro fine
   • Violation of the GDPR’s essential principles such as collection of candidate’s personal information without explicit consent will receive a maximum fine of 20 million Euros or 4% of the annual global turnover, whichever is higher.

3. Increased Territorial Scope – GDPR significantly extended its jurisdiction to all companies processing personal information of candidates residing in the EU, regardless of the company’s location. In the previous directive, it only referred to the data process ‘in the context of an establishment’. Furthermore, the GDPR also applies to the processing of the candidates’ ⁵personal data within the EU by a controller or processor that is not established in the EU (i.e. offering goods or services to EU citizens with or without payment) and the monitoring of behaviour that takes place in the EU. Non-EU businesses processing the data of EU citizens are also obliged to employ an EU representative.
4. Right to Access – As part of the previous directive’s expansion, the GDPR outlined the right of candidates to obtain confirmation of data processing as well as where and for what purpose from the ²data controller. Moreover, the controller must provide a free electronic copy of the ⁵personal data for data transparency and empowerment of candidates.
5. Data Portability – Data portability refers to the candidate’s right to receive personal information concerning them which they have previously provided in a ‘commonly use and machine-readable format’. They also have the right to transmit such data to another recruitment agency.
6. Breach Notification – The GDPR specifies the mandatory notification of the breach in all member states in case of grave risk for the rights and freedoms of individuals. As soon as the organization becomes aware of a breach, they have 72 hours to notify proper authorities. ³Data processors are also required to notify their customers and the recruitment agency that they’re working for without undue delay after first becoming aware of a data breach.
7. Data Erasure – The candidates are entitled to the right to be forgotten meaning he or she can have the recruitment agency delete his or her ⁵personal data, stop further data dissemination and potentially have third parties cease the processing of data. As outlined in Article 17, data erasure includes the data no longer relevant to the original purposes for processing or a candidate revoking consent. In addition, this right requires the recruitment agencies to compare the candidate’s rights to the “the public interest in the availability of the data” when considering such request.
8. Privacy by Design – Although privacy by design has existed as a concept for years, it’s only now that it’s becoming part of a legal requirement. Privacy by design calls for the inclusion of data protection from the start of the designing of systems instead of an addition. It specifically states that the recruitment agency will effectively implement appropriate technical and organisational measures to meet GDPR’s requirements and to protect the rights of the data subjects. According to Article 23, recruitment agencies shall hold and process data only when it’s absolutely necessary for the completion of its duties as well as limiting the access to ⁵personal data to those needing to act out the processing.
9. Data Processing Officers (DPO) – As stated in the GDPR, it’s not necessary to submit notifications/registration to each local DPA. It’s not also required to notify/obtain approval for transfer based on the Model Contract Clauses (MCCs). But there are internal record-keeping requirements and DPO appointment is mandatory only for those ¹controllers and ²processors whose main responsibilities are processing operations which calls for regular and systematic monitoring of data subjects on a large-scale or of special categories of data. The Data Protection Officer must meet the following qualifications:

Advantages

The GDPR might come off as intimidating especially to the businesses whose core business is data processing due to the regulation’s expansion on the data subject’s rights. On the other hand, we have to admit that the passage of this regulation has great advantages.

Compliance with the new regulation promotes greater transparency and accountability resulting in public trust, enhanced reputation and better relationships with existing and potential customers. The GDPR provides guidelines and measures that each organization must follow which will improve their competitive advantage, data governance, information security, and branding.

Here are some of the reasons why the GDPR is a blessing in disguise:

1. Gives a sense of clarification – GDPR provides legal clarification of the key terms involving personal data use. The involved parties will have a clear view of its rights and responsibilities as well as its scope and limitation. This will greatly help in identifying applicable solutions to a variety of situations.
2. Improves Decision-making and Risk Assessment – Due to its expanded regulations, GDPR gives a more thorough, calculated, cautious and responsible approach to decision-making and risk assessment which can greatly prevent significant monetary and reputation damages for the company in the future.
3. Better Security Framework – One of the greatest benefits of GDPR is the kind of security it provides. There is a set of clear and realistic guidelines to improve and maintain security systems in order to prevent data breaches.
4. Cutting-edge technology – Since the GDPR’s enforcement, experts foresee the rapid development of technologies in the coming years. In order to stay on top of the game, recruitment agencies must find more ways to secure data which will result in a consistent update of security systems.

 

Challenges

The GDPR is not something new. In fact, this regulation has been adopted in April 2016. However, it seemed like many companies didn’t take this seriously. Believe or not, many companies are still inquiring about GDPR 20 days before its enforcement.

One of the challenges is the accommodation of the new requirements in their internal processes. Recruitment agencies have to fully acquaint themselves to the regulations, revise existing regulations related to data processing and re-train all their staff about how they should handle ⁵personal data in compliance with the GDPR. Recruitment agencies are encouraged to get their data processes certified by a supervisory authority or an approved certification body. In addition, the appointment of a ⁴DPO is mandatory to systematically monitor and track data processes.

All these actions require a great deal of time, effort and money. This may also hinder existing or new search/es since the recruitment agency, with the assistance of the ⁴DPO and proper authorities, should ensure the adherence all of the documents, systems, and procedures to GDPR’s guidelines before proceeding.

Below are some of the FAQs that most recruitment agencies might have in relation to the GDPR from consent, application, candidate rights, data processing, third-party vendors and documentation:

Is the GDPR applicable to the data on hand such as existing talent pools or is it only valid for all data obtained and processed after May 25, 2018?

You can keep your existing data as long as you have consent from your candidates that can be considered valid under the GDPR. As a precaution, it is advisable to obtain consent from all your existing candidates and delete any data that, for whatever reason, you don’t have any right to keep.

Is it considered valid when a candidate gives consent by including a note stating that they agree to have their data stored and processed in their CV or application letter?

The GDPR requires recruitment agencies to be transparent about not only the purpose of data processing but also the process itself. Therefore, consent will only be valid if the candidate is completely aware of how you process personal data. An example of a legitimate consent includes a signed note explicitly stating that he or she has read and consented to the terms and conditions indicated in the privacy policy. The URL should be included in the note for reference.

When talking about legitimate consent, which one is preferable, written or verbal?

A written declaration is highly recommended since it can serve as indisputable evidence that the candidate has consented to the processing of his or her personal data.

How do I obtain consent when I am not using an ATS?

The absence of ATS or Applicant Tracking System is a challenge especially when you have to prove that you’ve obtained consent from the candidate. Request for a written documentation signed by the candidate is strongly advised.

While obtaining consent from a candidate, is it necessary to communicate in a specified language, i.e. their national language?

GDPR has no provision obliging recruitment agencies to localise privacy policy. However, it’s imperative for the candidate to understand exactly what you mean so it’s beneficial to translate your privacy policy into local languages to ensure the validity of the consent obtained. It’s also advisable to use simple languages to candidates who aren’t knowledgeable of legal terms so that they can easily understand the privacy policies.

How do you obtain consent from candidates who hand you their CVs or apply directly your website?

In this situation, it’s crucial to establish a process to document their consent. For example, there should be a standard form signed by all direct applicants. Make sure to keep their forms in your database and delete this data once the candidate revokes his or her consent. It’s also beneficial to use technology solutions like a secure ATS app or software in your efforts to be GDPR compliant.

How specific do I need to be when stating the purpose of obtaining and processing my candidate data within my privacy policy?

You have to be as accurate as possible. You need to clearly state your purpose for processing the data, the people who will get access to the information (listing internal and third parties), the rights of the candidates, the authorities they can contact if they have complaints, etc.

How do I comply with GDPR rules for employee referrals since referrals rarely give their consent before being approached?

You can only approach an individual if you have a legitimate interest (i.e. job offer). If that is the case, then you must obtain written consent from the candidate and allow the candidate to approve your privacy policy. You can process their data further once written consent is obtained.

If a candidate applies through an ATS does this constitute consent?

It depends. If the candidate has applied via ATS and the ATS is specifically set up in a way that it can obtain and store consent, this constitutes consent. You should refer to your ATS provider to make sure that they can obtain consent in compliance with the GDPR.

If a candidate responds to a sent message does this constitute consent?

Unfortunately, no. It will be hard to store and process candidate data without obtaining explicit consent from these candidates. It only means that you will have to enter them into a process to provably obtain consent for further action.

If an applicant sends an email or a letter containing their application, does this imply consent to store and process their data?

Still no. Having a proof that they gave you consent for processing their personal data having read and understood the privacy policy is absolutely necessary. As mentioned earlier, candidates have to enter into a process to provably obtain consent for further action.

Is it considered discrimination when giving consent to data processing becomes a necessary condition for being allowed to apply to a job that I posted?

Referring to the GDPR, the first thing recruiters should do to process personal data is to obtain a consent from the applicants. It’s standard procedure. You can’t move forward without it.

Am I still allowed to accept applications by letter or email?

Yes, you are. However, as reiterated, you need to obtain consent from these candidates to store and process this data so you still have to enter them into a process to provably obtain consent for further action.

How do I obtain consent from candidates who apply through an advertisement on a job board?

The first thing that you should do is to review the terms of use and data privacy of the job boards to know whether they’re GDPR compliant or not. As a future employer, you are responsible for obtaining consent from your candidates. Again, in order to do this, you have to enter them into a process to provably obtain consent for further action.

How do I obtain consent from candidates who apply through my own careers page?

The importance of obtaining the consent of the candidates couldn’t be stressed enough. In this case, you can build a checkbox proving that the candidate has already read the privacy policy and by checking this box, the candidate gives his/her consent. The candidate should not go further in the process without consent.

Will active sourcing stay possible under the GDPR?

Yes, it will, but you have to watch out for a few conditions. Before approaching the candidate, you and the candidate should share a “legitimate interest” as a lawful basis for approaching a candidate. For example, you have a “legitimate interest” in expanding your business by approaching a potential candidate for a role and in turn, the candidate has a “legitimate interest” in being approached by your recruitment agency. After the contact, you still have to obtain their consent before processing their personal data.

In tracking passive candidates, is it allowed to store candidate data in the ATS before getting their consent?

No. However, pragmatically speaking, you can claim “legitimate” interest when approaching them and immediately ask their consent for further data processing.

How do I ask passive candidates for consent (for example on LinkedIn)?

Again, to have a lawful basis for approaching a candidate, you can claim that you have a so-called “legitimate interest” in growing your business by approaching a talent for a role as well as the candidate has a “legitimate interest” in being approached by your company. You can ask the candidate’s consent after the initial contact before processing their personal data.

Hypothetically speaking, if the candidate has public profiles indicating that he or she is actively looking for job opportunities, is it still necessary to ask for their consent?

Yes.

Is it allowed to approach candidates whose profiles you found using a search engine?

Yes only if it is a public profile with a business background. If that is the case, it’s permissible to assume “legitimate interest” when contacting a potential candidate.

Do I have to publicly advertise a job opportunity before approaching a candidate?

Not necessarily. The important thing here is to have a “legitimate interest” (i.e. real job opportunity).

If a candidate accepts my request to connect on a business network like LinkedIn where their contact information is visible, am I allowed to contact them?

In accordance with GDPR’s principles, you have the right to contact them as long as you have a “legitimate interest” (i.e. a real job opportunity). You can ask for their consent and inform them of your data process after the initial contact. You can include a link to your company’s privacy policy for easier access.

Is it still allowed to use sourcing tools that reveal candidates’ personal email addresses or phone numbers?

So far, it is still allowed. However, as stated earlier, you need to have a “legitimate interest” to contact them like an opportunity. You still have to get their consent and inform them of how you will process the data. For added security, it’s encouraged to check the terms of use of such tools.

Can we store data that is publicly available, i.e. on a company’s homepage?

No.

Will I still be able to export candidate profiles from LinkedIn into my ATS?

Looking at GDPR’s principles, you will need to make sure that you have the right to export such profiles. In order for you to do so, you have to check the terms of use that you have with such providers. Moreover, you need to have a “legitimate interest” to export such data (i.e. job opportunity) as well as the individual’s consent.

Is it permissible to store data of actively sourced candidates in an Excel sheet?

Yes, as long as you have “legitimate interest” for each sourced candidate (i.e. a job opportunity) and consent are documented for each one of them.

What are the ways that I can do to ensure that candidates can access their data?

There are two ways:

1) You can appoint a designated contact for any candidate requests and sharing their contact information. Any candidate requests to access, amend, or erase their data need to be heeded within a narrow timeframe and compliance must be documented.

2) You can employ an ATS or CRM that will allow candidates to log onto their profiles and make any necessary adjustments by themselves. This option has the added bonus of making it easy to retain and log any occurring changes.

When a candidate states that they are not interested in a job opportunity, can I still keep their name in my database?

You can if the candidate gives you the authorisation to do so. You should inform the candidate what you will do with the data after rejection.

Let’s say that a recruiter approaches a candidate whom he or she has actively sourced, but the candidate doesn’t want their data stored and are not interested in the role, how can a recruiter ensure that his or her colleagues won’t contact them again?

If the candidate refuses to have their data store and expresses disinterest, you have to honor the candidate’s request and ensure that this information is disseminated across the organization. If possible, you should talk personally to every employee and tell them to delete such information. Since this is quite hard to achieve, it is advisable to ask for consent to keep the contact information in order to document the opt-out.

When appointing an individual as a contact for candidate requests regarding their data, what exactly are the contact data that needs to be?

You have to disclose the contact’s direct email address and a postal address.

Is it allowed to store candidate data on personal laptops, for example by hiring managers?

It’s allowed as long as the candidate knows about such storage.

Is it allowed to share candidate data with colleagues who will take part in job interviews?

Yes, you can as long as it’s clearly stated within your privacy policy that their data will be shared with colleagues (hiring manager, future superior or a future colleague) as part of job interviews. However, it’s not necessary to personally name these colleagues.

Do I need to make the candidates aware of the fact that their data has been shared, for example with a hiring manager?

You don’t have to if you have specified within your privacy policy that you will share their data with employees who are directly involved in the recruitment process. However, you need to ask the candidate’s consent if you want to share their data with an external vendor who is not named in your privacy policy (for example to run an assessment test).

How long am I allowed to store candidate data?

If we are going to strictly interpret GDPR, you are only allowed to keep candidate data for as long as it serves the purpose that you mentioned when obtaining the data. After serving its purpose, you are obliged to delete it. However, you can phrase the purpose in a way that will give you some leeway on how long you will be able to keep the data. For example, you can tell candidates that you will keep their data for as long as they are interested in positions within your organization. In this case, you should have proof that this candidate is, indeed, interested in staying in your talent pool.

Is it okay to ask candidates to renew their consent in order to retain their data?

Yes, it is. If the candidate gave you consent to store and process their data and they haven’t explicitly forbidden you from contacting them, you may approach them to renew their consent.

Is there a maximum limit for how long I am allowed to store candidate data?

You should check the local legislation applicable to such cases.

When receiving applicant data from recruitment agencies, should there be an agreement between the recruitment agency and the company data processing?

Yes. There is a need for a so-called Data Processing Agreement (DPA).

Is there an official GDPR seal of quality for compliant vendors?

Right now, there is no seal for GDPR compliance. Based on the regulation, it’s possible to acquire official certification from either a national data protection authority or from a competent private data protection authority.

When sourcing candidates through job boards, who is responsible for GDPR-compliance?

The data controller (in this case, the future employer) is responsible. However, you have to make sure that the job boards are GDPR compliant as well. Reviewing the terms of use and data privacy of the job boards is highly encouraged.

Who is responsible for GDPR-compliance when sourcing candidates through CV databases?

In general, if the CV database is hosting the candidate profiles, it is their responsibility (as the ¹data controller) to ensure GDPR compliance and to have all the necessary consent to share the candidate profiles with you. However, once the candidate profiles are duplicated within your systems, you will become the ¹data controller. Clearly, it is advisable to contact your vendors and check on their efforts to become GDPR-compliant.

How will you know which version of the Data Privacy Policy the candidate accepted?

The best way to do it is to add the date of the version that the candidate will accept. In that way, the candidate, therefore, accepts the version in force on the day of his or her consent. Keeping an archive of privacy statements (“Privacy policy”) is also feasible in order to easily find the version accepted for the candidate. Moreover, if the client has added a link to their own privacy policy, it is the client’s responsibility to keep a copy of these declarations in order to keep track of them.

Who’s in control of determining whether the candidate data is truly deleted or not from the systems?

It’s important to prove your compliance to the candidate’s request of removing their data from the systems in case of an audit. You can appoint a Data Protection Officer (DPO) within your company, who would be tasked with running internal audits and ensuring GDPR compliance.

For more information, you can refer to the original document found on this link: https://eur-lex.europa.eu/eli/reg/2016/679/oj

GDPR in respect to the recruiting function:

1. Data subject ‒ this refers to individuals residing in the EU and the EEA. In recruitment, these are the candidates and the employees.
2. Data controller ‒ this refers to the organization who decides to, and how to, collect data subject data. In recruitment, these are the employers or recruitment agencies.
3. Data processor ‒ this refers to software or services responsible for processing personal data on behalf of the data controller. In recruitment, these are the Applicant Tracking Systems (ATS) and other recruitment software/services. A processor may engage another processor called the “sub processor” to carry out certain tasks or activities related to the handling and storage of data (e.g. a recruitment company uses a cloud platform to deploy its system).
4. Data Protection Officer ‒ a person appointed by the recruitment company who possesses the appropriate skills and the resources necessary to respond to the GDPR demands including systematic monitoring of individuals or process data related to criminal offenses.
5. Personal Data ‒ GDPR defines personal data as “any information related to the natural person and GDPR data subject that is identified and identifiable”. This has been broadened and data is generally regarded as belonging to two groups – Personal Data and Sensitive Personal Data.
   • Personal Data encompasses information such as data subject’s name, biometric information (e.g. photo), location data (e.g. address), phone number, income and other financial data, and online identifiers such as IP address, cookies, apps, posts on social media sites, RFID tags. Online identifiers can leave traces which can be combined with other info and be used to create profiles of data subjects.
   • Sensitive Personal Data includes (but is not limited to) health, genetic, socioeconomic, cultural profile (racial, ethnic and religious info), sexual orientation etc.