Under May 2018’s new General Data Protection Regulation (GDPR), HR teams don’t just have to worry about compliance for employee data and payroll processing.
They must also make significant changes to how they collect, store and process candidate data. Ultimately, this means organisations will have to rethink their recruitment strategies.
This is because the GDPR places control of personal data firmly into the hands of the individual, rather than the organisation. This is particularly true for the rules concerning consent.
Gone are the days when recruiters can hang onto the personal data of potential candidates for months and years without their explicit and regular consent.
That annual phone call to check in on a person’s job status, with a quick referral to your old notes on their family or favourite football team for a bit of banter? Gone. Cross-checking your database to find the perfect candidate for a new role from an inactive account from two years back? Gone.
Under the GDPR, candidates must consent to you controlling and processing their data, giving them real choice and control over how, when - and even if - you communicate with them.
Find out more here about how to comply with the rules of consent.
Top tips for GDPR compliance for recruiters
There are a number of changes surrounding the application process that HR departments and recruiters can make to help with GDPR compliance:
- Ensure that personal data captured initially is minimal – for example just the person’s name and email address.
- Phase two of the application should direct people to a template where they can complete more personal information. This is your opportunity to ask for consent to store and/or process their data. You can do this by embedding a feature such as a tick-box where applicants can opt in to allow you to use their data. You must be very clear about how you plan to use it, so amend your data privacy notice to comply with the GDPR.
- Once completed, capture and securely transfer the applicant’s personal data onto an encrypted database.
- The smart thing to do at this point is to set up parameters for automated deletion so you don’t hang on to the personal data of unsuccessful candidates for too long – because consent needs to be refreshed on a regular basis. As with GDPR-compliant marketing best practice, you could for example set up an automated email advising candidates that their details will be deleted due to their accounts being inactive, and include an option to opt in again if they want. Again, make sure your privacy notice is prominent.
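The retention step above is easy to state and easy to get wrong in practice: records must not be deleted silently, but they must not linger either. The following is an added example (not code from the article) of a retention job that models the flow the list describes: consent captured on the record, an inactivity threshold that triggers a "your details will be deleted" notice, a grace period for the candidate to opt in again, and deletion only after that period lapses. The thresholds, the `Candidate` fields and the sample records are constructed assumptions; set them to match your own privacy notice.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Retention parameters. These values are constructed for the example; they are
# not prescribed by the GDPR, so pick ones that match what your privacy notice says.
INACTIVITY_LIMIT = timedelta(days=365)  # inactivity before a re-consent notice goes out
GRACE_PERIOD = timedelta(days=30)       # time to opt in again before the record is erased


@dataclass
class Candidate:
    candidate_id: str
    email: str
    consent_given_at: Optional[datetime]        # None: consent withdrawn or never given
    last_activity_at: datetime                  # last application, reply or opt-in
    reconsent_notice_sent_at: Optional[datetime] = None


@dataclass
class RetentionOutcome:
    notify: List[str] = field(default_factory=list)  # send the "details will be deleted" email
    delete: List[str] = field(default_factory=list)  # erase from the store now
    keep: List[str] = field(default_factory=list)    # nothing to do this run


def classify(c: Candidate, now: datetime) -> str:
    """Decide what the retention job should do with one record."""
    if c.consent_given_at is None:
        return "delete"                           # no consent, so no basis to hold the data
    if now - c.last_activity_at <= INACTIVITY_LIMIT:
        return "keep"                             # still active; consent is fresh enough
    if c.reconsent_notice_sent_at is None:
        return "notify"                           # inactive: warn first, never delete silently
    if now - c.reconsent_notice_sent_at > GRACE_PERIOD:
        return "delete"                           # warned, and no opt-in inside the grace period
    return "keep"                                 # warned, still inside the grace period


def evaluate_retention(candidates: List[Candidate], now: datetime) -> RetentionOutcome:
    """Sort every record into notify / delete / keep for this run of the job."""
    out = RetentionOutcome()
    for c in candidates:
        getattr(out, classify(c, now)).append(c.candidate_id)
    return out


def mark_notified(c: Candidate, now: datetime) -> None:
    """Record that the re-consent email went out (call only after it was actually sent)."""
    c.reconsent_notice_sent_at = now


def record_opt_in(c: Candidate, now: datetime) -> None:
    """Candidate used the opt-in link: refresh consent and cancel the pending deletion."""
    c.consent_given_at = now
    c.last_activity_at = now
    c.reconsent_notice_sent_at = None


def apply_deletions(candidates: List[Candidate], outcome: RetentionOutcome) -> List[Candidate]:
    """Return the records that survive this run; the rest are erased from the store."""
    doomed = set(outcome.delete)
    return [c for c in candidates if c.candidate_id not in doomed]


def demo():
    """Constructed sample records run through one pass of the job."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)

    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)

    candidates = [
        Candidate("c1", "a@example.com", consent_given_at=days_ago(30), last_activity_at=days_ago(30)),
        Candidate("c2", "b@example.com", consent_given_at=days_ago(500), last_activity_at=days_ago(400)),
        Candidate("c3", "c@example.com", consent_given_at=days_ago(800), last_activity_at=days_ago(700),
                  reconsent_notice_sent_at=days_ago(45)),   # warned, grace period over
        Candidate("c4", "d@example.com", consent_given_at=days_ago(800), last_activity_at=days_ago(700),
                  reconsent_notice_sent_at=days_ago(10)),   # warned, still inside grace period
        Candidate("c5", "e@example.com", consent_given_at=None, last_activity_at=days_ago(5)),
    ]
    outcome = evaluate_retention(candidates, now)
    return outcome, apply_deletions(candidates, outcome)


def demo_opt_in():
    """An inactive candidate is warned, then opts in again three days later."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    c = Candidate("c2", "b@example.com", consent_given_at=now - timedelta(days=500),
                  last_activity_at=now - timedelta(days=400))
    before = classify(c, now)
    mark_notified(c, now)
    later = now + timedelta(days=3)
    record_opt_in(c, later)
    return before, classify(c, later)


if __name__ == "__main__":
    outcome, survivors = demo()
    print(outcome)
    print([c.candidate_id for c in survivors])
```

Run the job on a schedule and feed `outcome.notify` to your mailer and `outcome.delete` to the deletion routine; `mark_notified` must only be called once the email has really gone out, otherwise a mail failure would silently start the grace clock. Keep the job's own log of what was deleted and why (ids and timestamps, not the personal data) so you can demonstrate the retention rule was applied.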