What does GDPR mean for recruiters?

The new privacy regulation taking effect on 25 May 2018 applies to all companies that process data of EU residents - regardless of the location of the organization itself. Under the new law, employers and recruiters are “data controllers” and, therefore, fully responsible for protecting candidate data and determining why and how it is processed. So what does that mean in practice?

Your company needs to demonstrate compliance with the new law by being transparent and lawful in the recruitment processes. This translates to:

  • Updating relevant documents (privacy policies and terms and conditions), making them easily available to candidates, and requesting candidates’ consent for processing their data. The request for consent must be clear and accompanied by information on how to modify and delete the data.
  • Collecting candidates’ data only for recruitment purposes and only if you intend to contact them within 30 days. The purpose of data collection has to be specified and legitimate, and its storage limited to a time period known to the candidate.
  • Informing the candidates why, where and for how long their data is being stored.
  • Complying when candidates request to view their data and have it modified or deleted. The deadline for executing this request is one month.
  • Taking responsibility for GDPR compliance of your company’s contractors (i.e. Applicant Tracking Systems).

In order to meet those requirements, your company should:

  • Conduct an audit to learn what kind of private data your company collects, how it collects it and where the data is stored. The purpose of collecting each and every piece of data has to be justified.
  • Update the Privacy Policy and the Terms and Conditions.
  • Be intentional when sourcing candidates and only collect personal data which is absolutely necessary.
  • Be transparent about the privacy policies with all parties involved in the recruitment process by updating email, job description and contract templates with information on data processing mentioned above.
  • Review, adjust and clean up existing talent and mailing databases.
  • Make sure the contractors and third parties are compliant with the new law by contacting them or checking their website resources.
  • Make sure it is prepared for possible candidate requests related to exercising their rights by appointing responsible teams and/or creating technical systems.

Should you have any doubts about the changes and how the new law affects you as a recruiter, do not hesitate to contact us via email at [email protected].