Description: How the recruitment process of companies in search for talent is impacted by the GDPR, and what HR teams should be aware of regarding the regulation that aims to protect personal data from individuals in the EU.

With the proximity of the enforcement of the General Data Protection Regulation (GDPR) in May, there is a rising awareness that many companies will be impacted in different ways and for many reasons, and the recruitment process in each company is one of them. If you are a recruiter or an HR manager, there are some aspects that you should be aware of. Consider focusing on talent acquisition procedures before costly fines and sanctions reach your business.

Until now, the exploration of personal and sensitive data of potential candidates during talent acquisition is expected and generally accepted, both online in social networks and through other channels such as headhunters and partners’ networks. Everybody shares their photos, experiences, family moments, job/academic history and even opinions online, which means their performance and behavior in past jobs are often shared among companies, without the subject’s knowledge is how potential employers pre-analyze applicants for a job offer.

What does the regulation say?

The GDPR is a broad regulation, but it is very specific regarding the exploration of personal data, despite being publicly available on social networks – without explicit consent and purpose, it might be dangerous.

The arbitrary collection and processing of personal data for companies’ commercial or recruitment purposes should not be assumed by recruiters only because it is publicly available. There must be a legal basis for that collection, analyzing whether it is exposed in a business related platform, if the interest and the purpose for the collection is legitimate and if that data is relevant to the classification and performance of the function related to the job application.

From the company’s side of the recruitment process, it is important to get consent from the candidate, subject of that data, with a clear explanation of the purpose of the collection and processing activities to be performed with it. Also, it is important when taking consent to make it clear for how long that data will be held (ideally until the end of the recruitment process). It should be properly erased as soon as the agreed purpose and time is finalized. Friend requests and acceptance on social networks are not a form of expressing consent.

To make it more clear, there are a number of practices that should be taken into account if you want to make sure your recruitment process is compliant with GDPR:

1 – When reaching out or collecting information from a candidate, ask for consent and record it;

2 – Keep the candidate’s data confidential and secure in your system;

3 – Take good care of who has access to printed CVs. For example, leaving CVs lying on a desk in a shared office is often considered a breach of data protection.

4 – Ask for Data Processing Agreements (DPA) with your hiring, recruiting, training and headhunting companies;

5 – Find out how long can you keep the data (depends on the type of data, purpose and which country you are) for;

6 – Maintain a Records of Processing Activities (RPA) – find out more here.

7 – In the employment contract, ask for consent to use photos and details with fellow company colleagues, and the potential to share outside as well;

8 – When screening a candidate for a background check, make sure you do not violate any personal rights of the candidate;

9 – Use HR software & application tracking systems that are GDPR compliant;

10 – Implement an easy unsubscribe button (opt-out) if you send marketing or job option emails.

11 – After hiring, ask for the written consent from the newly hired to share his or her PII (Personally Identifiable Information) with the company colleagues and if you need to use it anywhere else.

These practices will ensure that your process is compliant with the regulation, but there are other important aspects to be taken care of, such as the appointment of a Data Protection Officer (DPO). We suggest you stay tuned to our posts and look for professional guidance!

Extra: As a social network user, stay aware!

Whether an HR professional or not, today virtually everybody uses social networks. It is important to understand that the GDPR aims to protect the rights of data subjects and diminish the extent of commercial exploration of that data. Religious beliefs, ethnic aspects, political views and health data are sensitive, and the harm caused by the exposure of them can go beyond commercial profiteering.