GDPR compliance should be at the heart of every recruitment process. The EU GDPR was introduced in May 2018 and sent some employers into a mild panic as they raced to review their recruitment processes and make the necessary adjustments in order to meet the new regulations and the improved rights of candidates.
Now that the UK has left the EU, the EU GDPR no longer applies directly to the UK. However, the core data principles, rights and obligations have been incorporated into UK Data Protection Law, meaning that employers still have to abide by the key principles. As a result, your ATS should be instrumental in ensuring GDPR compliance throughout the recruitment process.
The new additions to the UK Data Protection Law state that data you collate as part of your recruitment process must be:
(a) processed lawfully, fairly and in a transparent manner;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
How does this affect the way you recruit?
GDPR compliance starts with understanding the rights of individuals. Candidates are ‘data subjects’ because the information they provide as part of your recruitment process means that they can easily be identified, e.g. names, addresses, email addresses, phone numbers etc.
The GDPR is designed to protect this kind of data and the data subject has rights over how you can process and store this information.
As an employer, you are considered a ‘data controller’ and are therefore responsible for protecting the data you collate and for ensuring that it is used appropriately.
Key GDPR compliance requirements that your ATS should support
Store Candidate Information and CVs Lawfully
As a data controller it is your responsibility not only to ensure that every candidate agrees to how you intend to process and store their details, but also to keep a record of when this consent was given, as proof should this be required.
The simplest way to ensure you obtain the necessary consent every time is by introducing a centralised registration portal that requests that every candidate views and agrees to your Privacy Policies and automatically records the time and date they provide consent.
All applicants must provide consent as they register or apply for a role. Should a candidate send you a CV via email, whilst this may be considered implied consent, it is not sufficient consent for you to manually add their details to your recruitment software, or to store their details in a designated inbox for future use.
Limit access to information and functionality
Printing a copy of a candidate's CV to use as a reference throughout the interview is standard practice across many organisations. However, in line with GDPR, printing out and creating hard copies of personal information such as applications and CVs presents a whole host of potential data breach opportunities.
Whilst we recognise that some companies may require their ATS to support the ability to print CVs and applications, HR should also be provided with the ability to restrict access to this functionality and, where possible, remove the option for users to print, to help prevent the risk of a data breach. GDPR compliance is also about ensuring that only the people who need to access data can do so.
If as an organisation you allow line managers to print CVs, then strict procedures need to be in place to determine how and where the document is stored, who can access it and what you do with it after it has served its purpose.
Printed CVs are treated in the same way as information held online. You must ensure that the information is kept in a secure manner and is only accessed by those who need to see it as part of the application/selection process.
In case of a data breach, you will need to provide an audit trail. If you have allowed the information to be printed this could include who printed the CV, where it was being held, how many copies had been made and who had access to the information.
Unless they are locked away in a cupboard, signed out by assigned individuals and viewed within an extremely strict environment, it is almost impossible to accurately record the necessary information in terms of who has accessed the document, read it, taken a copy or shared it etc.
And without this information you may not even be aware that a data breach has occurred!
Allow candidates to manage their own data
Under the GDPR, individuals have the right to have inaccurate personal data rectified. Although you may have taken steps to ensure that the personal data was accurate when you obtained it, it's important to recognise that key information such as names, addresses, contact details, job roles and qualifications can all change within a short period of time.
Whilst an individual can request rectifications either verbally or in writing, the process can be easily simplified through the use of a self service candidate account.
Giving candidates the opportunity to update their contact details is the absolute least your ATS should allow. Editing their profile, job alert preferences, updating references, withdrawing an application, downloading their data and deleting their account altogether can all be supported through tailored technology. Whilst GDPR compliance is essentially possible without a centralised platform, managing the process can be extremely cumbersome!
Support the management of your Talent Pool
For organisations who did not have the necessary consent to store an individual's personal data when the legislation came into effect in May 2018, this meant that talent pools built over many years became redundant overnight.
The process of manually adding candidates' details from their LinkedIn profile or a CV database also had to be quickly reconsidered: even though this information is publicly available on the internet, that does not give you the right to store and process it in your own talent pool. In fact, because the information can be easily found and accessed at any time, you have no need to store it either.
Again a robust registration process and clear audit trail of candidates manually agreeing to your Privacy Policies is the only way to build a talent pool for your future requirements.
Remember, if a large proportion of your data has not been updated in the last 6 months, then contacting these people would essentially provide very little value anyway. Not only will they have added to their work experience, but key elements such as address and contact details may have changed too.
You now not only need them to consent for you to keep their data but need them to update it as well!
Help process SAR requests
As a direct result of the new GDPR legislation, individuals became more aware of their rights when it came to storing and processing their data.
One of these rights is the ability to ask an organisation to provide a report on all the information it holds about them, known as a Subject Access Request or SAR.
Organisations have a duty to respond to all requests and provide the information within one calendar month of the request being received, unless the request is considered excessive, in which case longer timescales can be agreed.
Many organisations, however, fail to recognise that when a candidate requests a copy of their personal data, this also includes information such as application form answers, interview notes (including handwritten!), test scores, background check results and decline notes etc.
Putting the nightmare of managing handwritten interview notes aside, collating this information and providing it in a legible format for the individual to view without technology can be a very time-consuming exercise.
However, it is not just about creating a huge data dump; you also need the ability to redact certain information. Due to the nature of the information, there may be a need to redact any notes which relate to any other data subject and to save a copy of the amended version.
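To make the SAR handling described above concrete, here is an added example (not code from the original post or from any ATS vendor) that computes the one-calendar-month response deadline, gathers everything held about one candidate, and redacts other candidates' names from interview and decline notes before export. The candidate records, the `Candidate` class and the `[REDACTED]` marker are constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import date
import calendar
import re


@dataclass
class Candidate:
    """Constructed, minimal ATS record: profile, application answers and notes."""
    id: int
    name: str
    email: str
    answers: dict = field(default_factory=dict)
    notes: list = field(default_factory=list)  # interview notes, decline notes, etc.


def sar_due_date(received: date) -> date:
    """One calendar month after receipt; if the next month has no such day,
    fall back to its last day (e.g. 31 Jan -> 28/29 Feb)."""
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def redact(text: str, other_names: list) -> str:
    """Replace any other data subject's name in free-text notes with a marker."""
    for name in other_names:
        text = re.sub(re.escape(name), "[REDACTED]", text, flags=re.IGNORECASE)
    return text


def sar_export(subject_id: int, candidates: list, received: date) -> dict:
    """Collect everything held about one candidate, with third-party names removed."""
    subject = next(c for c in candidates if c.id == subject_id)
    others = [c.name for c in candidates if c.id != subject_id]
    return {
        "due_by": sar_due_date(received).isoformat(),
        "profile": {"name": subject.name, "email": subject.email},
        "application_answers": dict(subject.answers),
        "notes": [redact(note, others) for note in subject.notes],
    }


# Constructed sample data: a note about Ada that also mentions another candidate.
CANDIDATES = [
    Candidate(1, "Ada Example", "ada@example.com", {"q1": "5 years in SOC work"},
              ["Strong on SQL; compare with Bob Sample's test score", "Declined: role filled"]),
    Candidate(2, "Bob Sample", "bob@example.com", {}, ["Second interview booked"]),
]
```

Running `sar_export(1, CANDIDATES, date(2024, 1, 31))` returns the export for Ada with a `due_by` of 2024-02-29 and Bob's name replaced in her notes; the copy you save should be this redacted version, not the raw notes.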
One of the key principles outlined in GDPR compliance is the need to provide candidates with a clear outline of how their information will be used, how it will be stored, who has access to it and who the information will be shared with.
This needs to be clearly stated in your privacy policies and adhered to.
Does your ATS help you manage recruitment in line with the GDPR? Or are you at risk of a data breach or a potential fine?
Find out more today.