How To Ensure Your Recruitment Process Is GDPR-Compliant

GDPR — the General Data Protection Regulation — has been top of mind for any business that operates in the EU since the law came into effect. GDPR represents a hugely important shift in data privacy regulation, the culmination of years of increasing international attention to data usage. But what is it, exactly? And why is it so important?

Here’s a brief overview of GDPR:

  • Came into effect 25 May 2018
  • Impacts all European Union member states
  • Regulates data usage and increases data protection within those states
  • Fines any organisations that fail to comply with regulations, up to £18.2 million (€20 million)

No organisations have been fined as yet for noncompliance under GDPR — by now, the majority of businesses are fully compliant — but it’s still a pressing issue. Watchdogs are on high alert; fines can mount quickly for any business that lapses into noncompliance.

Establishing — and in particular, maintaining — that compliance is a tricky undertaking. At the same time, it’s essential, not just because it’s mandated by law: it’s also a key facet to ethical practices and customer trust. As data worries mount, more people want to feel assured that businesses take data protection seriously. Organisations that demonstrate integrity, trustworthiness and compassion around data usage will thrive.

Recruiters, Take Note

Recruiters in particular need to be conscious of GDPR requirements: you handle sensitive personal data daily, such as contact information, resumes or even bank details.

To comply with GDPR, you need to make sure that your recruitment process:

  • Has a clear privacy policy outlining how you’ll use a candidate’s data and how long you’ll retain it
  • Makes candidates aware of that policy before they submit info to you
  • Enables candidates to easily withdraw any personal information after it’s been submitted
  • Has a process to remove old data from your system when it’s no longer needed
  • Demonstrates sufficient security practices to protect that data

Essentially, you need to convey to candidates, proactively and transparently, how you will manage their data in compliance with these regulations. This applies even if you use a data processor: as a recruiter, you are the data controller who captured that information, so your organisation still carries the burden of ensuring compliance.

Methods to Stay Compliant

Despite the far-reaching impact of GDPR and the threat of fines, you shouldn’t be scared to incorporate data into recruitment. Data is absolutely integral to effective recruiting. You just need to make sure you’re using that data properly.

There are some definitive steps you’ll need to take, all of which roll up into the broad umbrella of data organisation methods. You can organise your database manually, or with the assistance of automated recruitment software.

The Manual Option:

1. Get rid of Excel sheets or piles of folders.

If your process relies on manual data collection in Excel sheets, or your candidate files are stored in a messy pile of folders on your desk, it’s time to upgrade your system. That data sits exposed and at risk with inadequate security, and there is insufficient transparency into your data use policies.

While it’s possible to be compliant with those cumbersome processes, it’s intensely time-consuming and difficult. Instead, store your data within a platform with more robust security — even Google Drive is protected by encryption.

2. Write up a privacy policy in line with GDPR.

Make sure that you write up a comprehensive privacy policy that covers all the factors we outlined above. Post that privacy policy on your recruitment forms. You need to ensure that any candidate who submits info to you has first had the chance to read the policy and agree to it.

3. Know where all data is, and be responsive to all data removal requests.

You’ll need to establish a thorough procedure for data processing in order to comply with data removal regulations, because all individuals are entitled to the “right to be forgotten”.

To properly comply with any removal requests, you must be able to locate that data as needed. You’ll also need to respond speedily and effectively to all requests.

Disorganised or inefficient systems will be your Achilles heel here and can put you at risk of noncompliance suits. If you’re digging through old folders to make sure you really have found every piece of information related to that individual, you’ll struggle to be compliant and will waste time.

4. Keep careful track of when data was received.

The “right to be forgotten” also covers how long you can hold onto data. Essentially, when someone’s data is no longer relevant and your organisation doesn’t have a legitimate interest in retaining it, you need to delete that data.

This might apply to old candidates who weren’t hired: if there’s no reason for you to retain their data, you shouldn’t have it. Similarly, if your privacy policy says you keep data for 12 months, you need to remove old data after 12 months.

By tracking when data is received and regularly purging your database, you can ensure you’re compliant with regulations.
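Steps 3 and 4 above describe two mechanical tasks: locating every record about one person when a removal request arrives, and purging records once they pass the retention period stated in your privacy policy. The following Python script is an added example that is not part of the original article and is not any vendor's ATS code; it models a candidate database as an in-memory set of tables, with constructed sample candidates, a `received_at` timestamp on every record, the article's 12-month retention period, and an assumed `retain_reason` field that records a documented legitimate interest for keeping a record past that period.

```python
"""Retention purge and erasure-request lookup for a candidate database.

Constructed example: the data store is an in-memory dict of records drawn
from several tables (applications, interview notes, attachments). All
candidate details below are made up. The 12-month retention period is the
one used in the article's example privacy policy; the retain_reason field
is an assumption standing in for a documented legitimate interest.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # matches a policy that says "we keep data for 12 months"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample run


@dataclass
class Record:
    record_id: str
    subject_email: str                 # the candidate this record is about
    received_at: datetime              # when the data entered the system (step 4)
    table: str                         # which store holds it: applications, notes, attachments
    retain_reason: str | None = None   # documented legitimate interest, if any (assumed field)


@dataclass
class CandidateStore:
    records: dict[str, Record] = field(default_factory=dict)
    # Audit trail of erasures: record id, table and time only, so the log
    # itself does not keep hold of the candidate's personal details.
    erasure_log: list[tuple[str, str, datetime]] = field(default_factory=list)

    def add(self, rec: Record) -> None:
        self.records[rec.record_id] = rec

    def locate_subject(self, email: str) -> list[Record]:
        """Step 3: find every record about one person across all tables.
        Matching on a normalised email avoids missing 'Jane@Example.com'."""
        key = email.strip().lower()
        return [r for r in self.records.values() if r.subject_email.strip().lower() == key]

    def erase_subject(self, email: str, now: datetime) -> int:
        """Handle a removal request: delete every located record and write
        an audit entry. Returns the number of records erased."""
        found = self.locate_subject(email)
        for r in found:
            del self.records[r.record_id]
            self.erasure_log.append((r.record_id, r.table, now))
        return len(found)

    def purge_expired(self, now: datetime, retention_days: int = RETENTION_DAYS) -> list[str]:
        """Step 4: remove records older than the retention period unless a
        documented reason to keep them is recorded. Returns purged ids."""
        cutoff = now - timedelta(days=retention_days)
        expired = [r for r in self.records.values()
                   if r.received_at < cutoff and r.retain_reason is None]
        for r in expired:
            del self.records[r.record_id]
        return [r.record_id for r in expired]


def build_sample_store() -> CandidateStore:
    """Constructed sample data: three candidates, some records past retention."""
    store = CandidateStore()
    t0 = datetime(2023, 1, 10, tzinfo=timezone.utc)
    store.add(Record("app-1", "jane@example.com", t0, "applications"))
    store.add(Record("note-1", "Jane@Example.com", t0 + timedelta(days=3), "notes"))
    store.add(Record("cv-1", "jane@example.com", t0, "attachments"))
    store.add(Record("app-2", "omar@example.com", t0 + timedelta(days=400), "applications"))
    store.add(Record("app-3", "lee@example.com", t0 + timedelta(days=30), "applications",
                     retain_reason="hired; retained under employment record policy"))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("located for jane:", [r.record_id for r in store.locate_subject("jane@example.com")])
    print("erased:", store.erase_subject("jane@example.com", NOW))
    print("purged:", store.purge_expired(NOW))
    print("remaining:", sorted(store.records))
```

Running the script locates all three of Jane's records despite the inconsistent capitalisation in the notes table, erases them, and then finds nothing further to purge: Omar's application is still inside the 12-month window, and Lee's record carries a documented reason to keep it. On a fresh store without the erasure, the purge removes exactly Jane's three stale records. The point of `received_at` on every record, and of a purge that runs on a schedule rather than when someone remembers, is that the retention promise in the privacy policy is kept by the system rather than by a person digging through folders.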

The Automated Option:

While you can be compliant using manual systems, it’ll be a continual struggle. You’ll find yourself spending ghastly amounts of time on compliance rather than actually meeting candidates. Rather than slogging through an old-fashioned setup, implement an Applicant Tracking System (ATS).

Simply put, an ATS automates all of these processes. It organises and stores data, secures it, purges it automatically, tracks all removal requests… the list goes on. It also comes with significant added benefits, like improved recruitment ROI or better talent pool management.

Want to learn more about compliance made simple? Looking for more information on how an ATS can help your business? Download our free eBook, The Pocket Guide to Applicant Tracking Systems, for an in-depth look at why an ATS is the superior option for both GDPR compliance and recruitment as a whole.
