When the European Union’s General Data Protection Regulation (GDPR) went into effect in May 2018, professionals in every industry became concerned about how it would change their day-to-day processes. Hiring was no different, with HR pros and recruiters paying close attention to how they recruit and reach out to those in global markets. Learn how GDPR changes how you find talent and what you can do to ensure GDPR compliance.
How Does GDPR Relate to Recruiting?
GDPR defines three roles, and each one maps directly onto the recruitment process:
1. Data subjects
These are your candidates: the people whose personal data you collect during the application process. GDPR protects that data, which may include addresses, phone numbers, and financial information.
2. Data controllers
The employer is the data controller because it decides why and how candidate data is processed. Because the employer collects the data for its own purposes, it is responsible for keeping that data safe and for telling data subjects, at the point of collection, what will happen to it.
3. Data processors
Data processors are the third parties that handle candidate data on the employer’s behalf, for example the vendor of your Applicant Tracking System (ATS) or a background-check service that turns the collected information into reports or tracks trends. Processors are bound by GDPR as well, and the controller must have a written contract with each of them (Article 28) that sets out what they may do with the data.
Who Must Comply with GDPR?
Any organization established in the EU must comply, and so must organizations outside the EU that offer jobs to, or monitor, people who are in the EU. In practice, if you advertise positions that people in the EU are likely to apply for, or you accept their applications and requests for more information, treat that processing as in scope even if you never set out to target EU residents. It’s worth noting that while Brexit’s finalization may change how GDPR applies to U.K.-specific applicants, they are included in the protections as of this writing (Nov. 25, 2019).
What are the Penalties for Non-Compliance?
Fines under GDPR are steep and are calculated on global revenue. The upper tier is 4 percent of worldwide annual turnover or €20 million (more than $22 million), whichever is greater. On top of the fine come the legal and administrative costs of handling the infraction and the damage to your reputation and productivity.
How Does GDPR Affect Recruiting?
If you are seeking global candidates for your positions, GDPR makes the recruitment process more demanding. Compliance isn’t optional. If you haven’t yet brought your hiring and data collection policies in line with GDPR, don’t wait a moment longer.
Some of the most notable changes that GDPR presents include:
- Hiring teams and recruiters must use data only for the purpose it was collected for, which is hiring. Don’t reuse data collected on an application for marketing or for research projects.
- Hiring teams must use data in a timely manner and must not hold it indefinitely with no intent to hire. GDPR sets no fixed number of days, so define a retention period (for example, using the information within 30 days of collection) and delete the data or ask for renewed consent when that period expires.
- Hiring teams must obtain explicit consent before collecting, using, or storing sensitive candidate data, such as the special-category information gathered for diversity tracking or the records pulled in a background check, and that consent must be specific to the purpose.
- Your contractors must comply as well. If you use background check companies, for example, make sure they are GDPR compliant and follow through with acceptable data collection and protection methods.
- Data must be deleted upon request. If a data subject withdraws consent for their data to be used or stored, even if they gave it only moments ago, you must be able to scrub it from your own systems and to keep your contractors from continuing to use it as well, unless a separate legal obligation requires you to retain a specific record.
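The four data-handling requirements above (purpose limitation, a retention period, explicit consent for sensitive fields, and erasure that also reaches your processors) are easier to audit when they are enforced in code rather than by policy alone. The following Python sketch is an added example written for this page; it is not Comeet’s code or any ATS’s API. The field names, the 30-day window, the list of special-category fields, and the processor names are all assumptions made for the demonstration.

```python
"""Enforce purpose limitation, retention, consent and erasure on candidate data.

Added illustrative example; not the code of any real ATS. Field names,
retention window, special-category list and processor names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed set of special-category fields (GDPR Art. 9) that may only be
# stored when the candidate has given explicit consent for that field.
SPECIAL_CATEGORY_FIELDS = {"ethnicity", "disability", "religion"}

# GDPR sets no fixed number of days; 30 days is the policy choice used here.
DEFAULT_RETENTION = timedelta(days=30)


class PurposeViolation(Exception):
    """Data collected for hiring was requested for a different purpose."""


class ConsentRequired(Exception):
    """A special-category field was submitted without explicit consent."""


@dataclass
class Candidate:
    candidate_id: str
    collected_at: datetime
    data: dict
    purpose: str = "hiring"
    explicit_consent: set = field(default_factory=set)  # consented special fields
    decision_made: bool = False  # a hire/reject decision changes the retention rule


class CandidateStore:
    def __init__(self, processors, retention=DEFAULT_RETENTION):
        # processors: third parties (ATS vendor, background-check service, ...)
        # that hold copies and must be told to erase them too.
        self.processors = list(processors)
        self.retention = retention
        self._records = {}
        self.erasure_log = []  # (processor, candidate_id) instructions issued

    def collect(self, candidate_id, data, explicit_consent=(), now=None):
        """Store an application; reject special-category fields lacking consent."""
        now = now or datetime.now(timezone.utc)
        missing = (set(data) & SPECIAL_CATEGORY_FIELDS) - set(explicit_consent)
        if missing:
            raise ConsentRequired(f"explicit consent missing for {sorted(missing)}")
        rec = Candidate(candidate_id, now, dict(data),
                        explicit_consent=set(explicit_consent))
        self._records[candidate_id] = rec
        return rec

    def get(self, candidate_id, purpose):
        """Purpose limitation: hiring data is not released for marketing etc."""
        rec = self._records.get(candidate_id)
        if rec is None:
            return None
        if purpose != rec.purpose:
            raise PurposeViolation(
                f"{candidate_id}: collected for {rec.purpose!r}, asked for {purpose!r}")
        return rec.data

    def withdraw_consent(self, candidate_id):
        """Erasure: drop the record and instruct every processor to do the same."""
        if candidate_id not in self._records:
            return []
        del self._records[candidate_id]
        issued = [(p, candidate_id) for p in self.processors]
        self.erasure_log.extend(issued)
        return issued

    def purge_expired(self, now=None):
        """Retention: erase applications past the window with no hiring decision."""
        now = now or datetime.now(timezone.utc)
        expired = [cid for cid, r in self._records.items()
                   if not r.decision_made and now - r.collected_at > self.retention]
        for cid in expired:
            self.withdraw_consent(cid)  # same path, so processors are notified too
        return expired

    def record_decision(self, candidate_id):
        self._records[candidate_id].decision_made = True

    def count(self):
        return len(self._records)


def demo():
    """Walk through collection, a blocked reuse, withdrawal and an expiry sweep."""
    t0 = datetime(2019, 11, 25, tzinfo=timezone.utc)  # constructed timestamp
    store = CandidateStore(["background-check-vendor", "ats-vendor"])  # assumed names
    store.collect("c1", {"email": "a@example.com"}, now=t0)
    store.collect("c2", {"email": "b@example.com", "ethnicity": "prefer not to say"},
                  explicit_consent={"ethnicity"}, now=t0)
    store.collect("c3", {"email": "c@example.com"}, now=t0)
    store.record_decision("c3")  # decided: not subject to the 30-day sweep
    try:
        store.get("c1", "marketing")
        marketing_blocked = False
    except PurposeViolation:
        marketing_blocked = True
    try:
        store.collect("c4", {"ethnicity": "x"}, now=t0)
        consent_enforced = False
    except ConsentRequired:
        consent_enforced = True
    withdrawn = store.withdraw_consent("c2")
    purged = store.purge_expired(now=t0 + timedelta(days=31))
    return {"marketing_blocked": marketing_blocked, "consent_enforced": consent_enforced,
            "erasures_for_c2": withdrawn, "purged": purged,
            "remaining": store.count(), "erasure_instructions": len(store.erasure_log)}


if __name__ == "__main__":
    print(demo())
```

The point of routing the retention sweep through the same erasure path as a consent withdrawal is that every deletion, scheduled or requested, produces the instructions your processors need; the `erasure_log` is the evidence you keep to show that those instructions were sent.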
What Should Employers Do in Hiring & Recruiting to Comply with GDPR?
In addition to the aforementioned tasks, there are some very hiring-specific changes you need to make now.
Map Your Recruiting Data
Do you know all of the places that you collect information and where it goes once it’s been submitted? If not, now’s the time to make a “map” of this information.
Start with every channel through which information reaches you, including online applications and email newsletter sign-ups, and document what data each one collects. Then track that data through the hiring process to see who receives it and where it ends up. Record every system and person that touches each data item so you can check that each touchpoint is compliant.
In addition, personal information that candidates give should be marked for a specific purpose—in this case, hiring. It should not be used for any other reason without a clear legal basis.
Turn Opt-Out Policies into Opt-In
Many U.S. companies still default to opt-out: the data is used and shared unless the person takes steps to stop it. GDPR consent works the other way. Where you rely on consent as your lawful basis, it must be freely given, specific, informed, and signalled by an affirmative action; pre-ticked boxes and silence do not count, and the candidate must be able to withdraw consent as easily as they gave it. Consent is one of several lawful bases under GDPR, but for mailing lists, subscription forms, and talent-pool databases it is usually the one you will rely on, so those forms need to become opt-in to remain legal.
Reconsider Your ATS
Since candidate data is collected and stored within your tracking software, that software must meet GDPR requirements. Decide whether it is easier for applicants (and for your teams) to run one compliant process for everyone, or to apply the GDPR workflow only to applicants located in countries where the regulation applies.
Article 35 of GDPR requires a Data Protection Impact Assessment (“DPIA,” also commonly known as a Privacy Impact Assessment or “PIA”) for any processing that is likely to result in a high risk to individuals. Since much of the hiring process involves very sensitive personal data, often surfaced through background checks and application forms, it is wise to identify these high-risk data fields, assess them, and restrict who can see them and how long they are kept.
For anyone wondering what it takes to comply with GDPR, the answer is that doing it right may require a significant investment of time and technology. Using a compliant ATS takes one giant to-do off your list, with the caveat that the vendor’s compliance covers its role as a processor; as the controller, you remain responsible for your own lawful basis, notices, retention, and response to data subject requests.
Are you looking for an ATS to change the way you hire? Get in touch with Comeet today to learn more about how we can improve your recruitment process!