GDPR compliance in recruiting
Let's Talk

Complying with legislation

Complying with legislation is already an integral part of recruitment with most businesses aware that they cannot discriminate and must have a fair recruitment process, along with being able to evidence your actions throughout the process and explain why decisions were made. Since May 2018, recruitment also needs to comply with GDPR regulations which relate to candidates’ data and the way you process, store and allow access to it. When you consider that most small to medium businesses don’t have anyone in-house who is trained in recruitment, the issue of compliance can become a complex one.

The data that candidates provide, when applying for positions, can include some really sensitive information. It is therefore vital that you look after this data properly and in compliance with GDPR.

The following is a brief outline of how GDPR affects recruitment and the areas you need to be aware of.

Collecting candidate data

Under GDPR there are a number of legal grounds under which you can process and store data. Given that candidates willingly provide their data to you in application for your posts then consent is clearly given (though you do still need a data protection notice that the candidate agrees to) however, you can only collect data for ‘specified, explicit and legitimate’ purposes. This covers a number of things but primarily it means that a candidate’s data is provided for that specific purpose, ie to apply for a specific position. It does not give you consent to use it for any other purpose, eg to pass to a third party or add to a mailing list. You can only process this data in relation to this specific purpose and you can only ask for data that is relevant to the recruitment process.

If you are collecting data from ‘open sources’ such as job sites or headhunting via platforms such as LinkedIn, where data has been provided but not specifically in relation to your positions, you can only collect data that is relevant to the job and you must intend to contact your sourced candidates within 30 days.

Consent for sensitive data

The recruitment process may include requesting sensitive data such as disability, ethnicity or cultural information or background checks including criminal record or health screening. Separate, specific consent needs to be sought for this.

Processing and storing data

As mentioned above, data can only be processed for the specific purpose for which it was provided. Candidates have a right to know how their data is stored, to be able to access their data, to be able to rectify their data (eg if there is an error in it) and to ask that their data be destroyed. It’s really important therefore to have a clear privacy policy that covers all these areas and is available to candidates.

Remember that GDPR covers data in all its forms, whether submitted electronically or hard copy CVs handed in or sent by post. This means that you need to be aware of who may access and store this data (could it end up in someone’s drawer or on their desk or even thrown in the bin?).

Getting to grips with GDPR for non-qualified recruiters

We absolutely appreciate that this is not simple stuff and that many companies don’t have someone who is trained in recruitment or legal compliance or even basic HR. Given the potential consequences of non-compliance (companies can be fined up to 4% of their turnover) it is really important to seek some advice, at least in the initial setting up of policies and procedures and just making sure that all are aware of their responsibilities. Once these are established, it makes remaining compliant a much easier process.

Helping you with GDPR

We can help you understand GDPR and your responsibilities within your recruitment process, whether it’s just a case of reviewing what you already have in place or creating policies and ways of working. If you have any questions on GDPR, or any other aspect of recruitment, call us on 01924 683583 or send us a message.