From 25th May 2018, organisations that collect personal data of EU residents must become compliant with the General Data Protection Regulation (GDPR). The GDPR is a new law that aims to strengthen people's rights to privacy and protect their personal data. If you search for information on it you may see it described as the 'strongest privacy law in the world'.
If you are a professional HR or Recruiter you will likely be familiar with your country's privacy requirements. The GDPR is, we suggest, a whole new level of compliance around privacy. It's important to note that the GDPR applies to all organisations that process data on EU residents. If you are based outside the EU you could still easily come under its requirements. In simple terms, it covers all EU organisations and non-EU companies that offer goods or services to EU residents or monitor their behaviour. If you don't become compliant you risk being fined up to 4% of your annual global turnover (revenue) or €20 million, whichever is greater.
This is the first of two posts - this one looks at the actual requirements. The following post will look more at what you might do about them in your recruiting activity. Please note, for the avoidance of doubt, our disclaimer. This post is not professional advice and is certainly not legal advice - you should take your own legal counsel on how the GDPR may affect your own position.
For the purposes of recruiting, the GDPR refers to:
“data subjects”. In recruitment, candidates are the data subjects because they can be identified through the personal data they give to organisations through the recruitment process. This includes names, physical addresses, phone numbers etc.
“data controllers”. Employers are the data controllers. This will also include those recruiters who serve as their organisation's main representatives to candidates. An outsourced recruitment operation still leaves the organisation liable, as does using agency recruiters. They are fully responsible for protecting candidate data and using it lawfully.
“data processors”. Your recruitment software/services. Your recruitment system is a data processor because it processes candidate data on behalf of your organisation following your instructions. Data processors may also have “sub-processors” (e.g. if your supplier uses a cloud platform like AWS or Azure to deliver their software it will be a sub-processor).
General requirements of the GDPR
By way of more general context, the GDPR is not aimed particularly at recruitment. It very much applies to modern marketing activity and how data is managed and used. It is aimed at protecting the public and individuals and as a general rule does not apply to businesses. It provides for six lawful bases for processing data, which we think is useful to outline here as a general framework, after which we can focus on recruitment.
- Legitimate Interests - personal data can be processed if you can prove there is a legitimate interest and it is balanced against the individual's rights and freedoms.
- Contractual Necessity - personal data can be processed if you have a contract with the individual and the data is required for you to comply with your contractual obligations.
- Vital Interests - this applies to organisations that are required to process data to protect someone's life.
- Consent - personal data can be collected and processed with the individual's clear and specific consent.
- Legal Obligation - personal data can be processed if you are required to do so to comply with a common law or statutory obligation.
- Public Interest or Official Duty - personal data can be processed if the task is in the public interest or if you are required to perform a function that has a clear basis in law.
Some ways the GDPR will affect recruiting
Here are a few key parts of the GDPR that will likely affect the work of recruitment within organisations:
1. More than ever you need to be very clear and sure about your legitimate interest in processing candidate data.
The GDPR requires you to collect data only for “specified, explicit and legitimate purposes.” In practical terms this means you can source candidate data only as long as it is job-related. It also requires that you can show an intent to contact sourced candidates within 30 days. You should make sure you only ask for what you can reasonably defend as being required for recruitment purposes. You should also make sure you do not 'bank' information on candidates from previous searches just because 'you might use it for a future role'. We would suggest that having a full software system around your Talent Pool/Portal, with candidates controlling their own data, is now more important than ever.
2. Consent.
Yes, it has always been important. But with the GDPR it is more important than ever. As an example, from what we understand the GDPR will require recruiters to ask for specific consent when processing data on disability, cultural, genetic or biometric factors, or information gathered for a typical EEO survey or even a background check. To be compliant, recruiters must ask for consent in a clear and intelligible way and provide candidates with clear instructions on how to withdraw their consent should they wish to. You also need to be able to act should a candidate withdraw consent. This is likely to mean, in many cases, deleting their information - completely. If you are still accepting CVs from agencies by email - be warned. You will need to be able to show you have deleted every instance of a candidate's data across all your systems. Not so easy if you are passing CVs around by email. This is where a full recruitment system can really make a difference.
3. Policies and process keep you safe.
Organisations must have clear privacy policies and these must be made readily accessible to candidates. This is where your careers website/portal can really help, by providing a dedicated area to make this information readily available. As part of your policies you should also disclose how and where you store candidate data. If you have a recruitment system or you use an outsourced provider, this is all permitted, but it should be stated. You must also make clear that this data will only be used for recruitment purposes.
4. The employer is ultimately responsible.
Basically, it's the employer who is ultimately responsible. It's the employer who has to demonstrate compliance with the GDPR. For example, if an employer uses an outsourced service provider (or agency) who fails to comply with the law, the employer will be held to account as well as the provider. Note that the provider, such as an outsourcer or agency, needs to comply as well.
5. The right to be forgotten.
Candidates have the right to have their information removed - from ALL your systems - including emails if they hold, e.g., a CV or any personal data. In practical terms this means you must locate every place that you keep their information (e.g. spreadsheets, emails) and delete it within one month of receiving the candidate's request. If you have a recruitment system you should ensure it has such a facility, and we suggest that using emails to pass around candidate details will now put the organisation at risk. Not that this was ever a good idea anyway.
6. Candidate right of access.
Candidates have the right to ask what data of theirs you hold and to request that it be amended, e.g. to rectify inaccuracies. Recruiters then have one month to comply. You also, of course, need to be able to provide candidates with a free, electronic copy of their own personal data. As we currently understand it, from a GDPR perspective this will include copies of any assessment-type tests and/or interview notes held electronically. You may like to consider asking your recruitment system provider to provide a direct online access facility for candidates to their data. We have offered this facility as an option for some time, but we know it's a big step for most employers and not one that many will want to take.
This is a big topic, so we are going to do another post on what you can do about the GDPR for your recruiting activity in the next post of this two-part topic. The information we have enclosed has been taken from publicly available sources. But in the months following May, we can likely expect more guidance on practical means of operating in compliance. We know many in HR and recruitment are either still grappling with the implications or have not yet heard of the GDPR. We hope this post has provided a useful primer and assistance.