The rapid pace at which digital technologies have evolved has fundamentally transformed the way we communicate, acquire knowledge, and transact business. A byproduct of this advancement is the vast amount of data that is now collated on a regular basis. This naturally poses a challenge: how to streamline and protect the way this data is processed, transferred and stored. The General Data Protection Regulation (GDPR) places new obligations on businesses that deal with such personal data - and the recruitment process is one of the processes that will be subject to this level of scrutiny.

What is GDPR?

In a nutshell, the GDPR is the latest EU data privacy and protection framework, which will come into force on 25 May 2018. It replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organisations across the region approach data privacy.

Unlike its predecessor, the GDPR applies to all businesses based in and/or conducting business in the EU. This means that whether your company is located and operating in the EU, or is outside the EU but provides goods and services to EU citizens, you are equally obliged to comply with the new legislation.

Broadly speaking, the GDPR establishes three classifications involved in business transactions:

  • Data Subjects: These are the individuals living within the EU, who supply their personal data to businesses and whose rights are to be protected.

  • Data Controllers: These are businesses that determine the type of personal data that is required and how and why this data is to be used.

  • Data Processors: These are businesses that process data on behalf of the controller. This may include the collection, recording, organisation and storage of information, among other operations.

In a recruitment industry scenario, the data subjects would be the candidates applying for a job, the data controllers would be the company to which the candidate is applying, while the data processors would be the recruitment software or CRM software that the recruiting company is using.

How will GDPR impact the recruitment industry?

The GDPR includes several clauses related to the processing of personal data. We will be exploring three which will impact the recruitment process and are relevant to Data Controllers.

1. Processing personal data fairly and lawfully

  • The processing of personal data must be done in a fair, lawful and transparent way. The data subjects i.e. the applying candidates must be aware of what data is to be collected and processed, and for which legitimate reason. Therefore, as a data controller, it is your responsibility to identify how you will be providing your candidates with such information.

  • One solution is to outline all the relevant information in your Privacy Policy and share it with your candidates at the beginning of the recruitment process. If you are using recruitment software, this can also be automated through automatic emails or pop-up windows during the registration or application process. Your privacy policies must be revised to cater for the new responsibilities outlined in the GDPR.

  • In order to store personal information you also need to demonstrate that you have the specific consent of the owner of that data. Candidates will need to opt in to providing data - that is, explicitly perform an action in order to indicate consent and move forward in the process. This giving of consent should also be traceable. Automatically checked boxes or simple statements will no longer be acceptable.

  • You must also acquire specific consent for the use of personal information for marketing purposes.

2. Keeping personal data accurate and up-to-date

  • The GDPR requires that stored personal data be current and accurate for the purpose it was collected. This means that your candidate database must contain up-to-date information about your candidates.

  • Your candidates have the “right to rectification,” which makes your company, as data controller, responsible for remedying any inaccuracies. Managing information accuracy can be a nightmare, so having a recruitment solution that helps mitigate this risk is key.

  • Having recruitment software with a candidate interface facilitates this step greatly, as it allows candidates to log in to their profile in order to keep their information updated, and puts candidates back in control.

  • With such a system, automated email notifications can also be triggered to your candidates at regular intervals in order to encourage them to update their details on the system. This keeps data as clean and as updated as possible with minimal intervention required.

3. Retaining personal data

  • The new legislation stipulates that personal data collated, in this case from your candidates, may only be kept for as long as it is necessary. A specific duration is not stipulated; however, what is clear is that the data cannot be stored for an indefinite period of time.

  • The duration for which the information is kept is naturally dependent on why the data is being processed in the first place. Also consider any other local legislation that may provide a reason for retaining the data for a specific period of time, such as employment law.

  • As data controller you are responsible for making this timeline clear to your candidates.

  • Automating the deletion of candidate data once the stipulated time period has elapsed will significantly simplify adherence to these new regulations.
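The traceable, explicit consent described under point 1 and the time-bound retention described under point 3 are both easier to reason about with a concrete data model in front of you. The following is an added example, not code from this article or from any recruitment product: an in-memory Python model in which every consent decision is stored as a timestamped event tied to the candidate's own action and the privacy policy version they were shown, marketing consent is tracked separately from recruitment consent, and a retention sweep identifies records whose retention period has elapsed. All names (CandidateRecord, record_consent, retention_sweep, the one-year retention period) and the sample candidates are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Purposes are tracked independently: the article notes that marketing use
# needs its own specific consent, separate from consent for recruitment.
PURPOSE_RECRUITMENT = "recruitment"
PURPOSE_MARKETING = "marketing"

# Assumed retention period for the example; the regulation sets no fixed
# duration, so a controller would derive this from its own purpose and local law.
RETENTION = timedelta(days=365)
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)  # fixed "current time" for the example


class ConsentError(ValueError):
    """Raised when consent is not backed by an explicit candidate action."""


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool            # True = opted in, False = withdrawn
    timestamp: datetime
    source: str              # where the action happened, e.g. "application_form_checkbox"
    policy_version: str      # privacy policy version shown at the time


@dataclass
class CandidateRecord:
    candidate_id: str
    email: str
    created_at: datetime
    last_activity: datetime
    consents: List[ConsentEvent] = field(default_factory=list)


def record_consent(record: CandidateRecord, purpose: str, granted: bool, source: str,
                   policy_version: str, now: datetime, user_action: bool = True) -> None:
    """Append an audit event for a consent decision.

    A grant that did not come from an explicit candidate action (a pre-ticked
    box, a default value) is rejected rather than silently stored.
    """
    if granted and not user_action:
        raise ConsentError("consent must come from an explicit candidate action, not a default")
    record.consents.append(ConsentEvent(purpose, granted, now, source, policy_version))
    record.last_activity = now


def has_consent(record: CandidateRecord, purpose: str) -> bool:
    """The most recent event for a purpose decides; no event means no consent."""
    latest: Optional[ConsentEvent] = None
    for ev in record.consents:
        if ev.purpose == purpose and (latest is None or ev.timestamp >= latest.timestamp):
            latest = ev
    return latest is not None and latest.granted


def days_until_deletion(record: CandidateRecord, retention: timedelta, now: datetime) -> int:
    """Days remaining before the record falls due for deletion (negative = overdue).

    This is the figure a controller would surface to candidates so the retention
    timeline is transparent to them.
    """
    return ((record.last_activity + retention) - now).days


def retention_sweep(records: List[CandidateRecord], retention: timedelta, now: datetime) -> List[str]:
    """Return ids of records whose retention period has elapsed, measured from last activity."""
    return [r.candidate_id for r in records if now - r.last_activity > retention]


def sample_records() -> List[CandidateRecord]:
    """Constructed sample data for the example; these are not real candidates."""
    stale = CandidateRecord("cand-001", "a@example.invalid",
                            NOW - timedelta(days=400), NOW - timedelta(days=400))
    record_consent(stale, PURPOSE_RECRUITMENT, True, "application_form_checkbox",
                   "pp-2018-05", NOW - timedelta(days=400))

    active = CandidateRecord("cand-002", "b@example.invalid",
                             NOW - timedelta(days=30), NOW - timedelta(days=30))
    record_consent(active, PURPOSE_RECRUITMENT, True, "application_form_checkbox",
                   "pp-2018-05", NOW - timedelta(days=30))
    record_consent(active, PURPOSE_MARKETING, True, "application_form_checkbox",
                   "pp-2018-05", NOW - timedelta(days=30))
    # The candidate later withdraws marketing consent from their profile page;
    # the original grant stays in the log, so the history remains traceable.
    record_consent(active, PURPOSE_MARKETING, False, "profile_settings",
                   "pp-2018-05", NOW - timedelta(days=10))
    return [stale, active]


if __name__ == "__main__":
    records = sample_records()
    for r in records:
        print(r.candidate_id, "recruitment:", has_consent(r, PURPOSE_RECRUITMENT),
              "marketing:", has_consent(r, PURPOSE_MARKETING),
              "days until deletion:", days_until_deletion(r, RETENTION, NOW))
    print("due for deletion:", retention_sweep(records, RETENTION, NOW))
```

Two design choices matter here. Consent is an append-only log rather than a boolean column, so a withdrawal never erases the evidence that consent was once given, and the policy version and source are stored with each event so the record answers "what did the candidate agree to, and where". Retention is measured from the candidate's last activity, which is what the reminder emails described under point 2 naturally refresh; a real system would also need to persist this state and to honour retention periods imposed by local employment law.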

What should you be doing?

Tips to consider:

  • This article is by no means exhaustive. Familiarise yourself with the provisions of the new GDPR, particularly how it may differ from your current data protection obligations and consider the relationships you have with both your candidates and your own staff.

  • Audit your processes for the capture, processing and retention of data, both for your candidates and for internal staff. Consider creating an updated and precise inventory of the personal and sensitive data that you control. Review your current controls and processes to ensure that they are adequate, and build a plan to address any gaps.

  • Keep yourself updated on regulatory guidance as it becomes available and consider consulting a legal expert to obtain guidance applicable to you as a data controller.

Read more about the GDPR that comes into effect in May 2018.

Elsa Gaffiero

Product Manager at