How to Stay Compliant with Candidate Privacy Regulations

We are now 3 years into GDPR (and the mirroring UK version the Data Protection Act). These regulations within the EU and UK give individuals control over their personal data.

As the recruiting and hiring industry increasingly comes to use online data to identify and reach out to prospective candidates, laws like GDPR have had more influence on hiring and recruiting practices. Candidates have also become more aware of the issue of privacy and personal data, making GDPR compliance a sound priority both for the legal ramifications and the cause of building trust with candidates.

If your company hires candidates who reside within the EU, regardless of whether the processing takes place in the EU or not, GDPR applies to you, and you’ll need to be able to demonstrate compliance. Article 6 of the GDPR outlines the six conditions, of which one must be met, in order for lawful processing of the data.

This article aims to support HR Optimisation clients in ensuring ongoing data privacy in their recruitment and candidate management practices.

INTERPRETING THE GDPR FOR RECRUITERS

When discussing GDPR and how it relates to recruiting, a little translation is necessary. Here’s how the data-focused terminology of the GDPR applies to recruiters, candidates, and technology:

Data Subjects refer to the candidates being recruited. The GDPR exists to protect candidates and regulate how companies use or collect their personal data.
Data Controllers refer to the companies or the recruiters that are collecting the data subjects’ personal information.
Data Processors refer to the systems and platforms that are used to capture and process personal information, such as an applicant tracking system (ATS) or talent management platform.

The GDPR/Data Protection Act define personal data as any information related to a person, such as their name, photos, email addresses, bank details, updates on social networking websites, location details, medical information, and computer IP address. GDPR does not make a distinction between an individual’s personal data or professional data.

The GDPR states that data controllers (the employer) must clearly disclose any data collection and declare the lawful basis and purpose for data processing (collecting candidates’ personal information). They must state what, and how long data is being retained and if it is being shared with any third parties or outside of the EU. Data subjects (candidates) have the right to request a portable copy of the data collected by a controller in a common format, and have the right to have their data erased under certain circumstances.

This disclosure is best achieved through hosting a candidate privacy notice on your careers page, and ensuring it is hyperlinked on ALL job descriptions and speculative application routes. If you have an ATS you can also add a tick box for voluntary consent in advance of any data supply.

ON WHAT BASIS CAN WE RETAIN RECRUITMENT RELATED DATA?

The two most common bases for retaining the information recruiters and hiring managers meet is:

Receiving consent from a candidate at the start of the application process
Demonstrating that your company has a legitimate interest for a business purpose that is not outweighed by rights and freedom of the individual

The critical factor for proving consent is that all personal data being collected and stored needs to have an accessible audit trail that outlines precisely when and how the consent was provided. A good talent management platform or ATS should have a way to easily collect consent, whether it is as simple as a check box for candidates to mark or a more structured consent field.

Aside from its usefulness in helping you access and streamline your talent pipeline, another key advantage of using an talent management platform or ATS is the ability to customise how you collect and get robust approval for processing and storing candidate data. A Good ATS:

Offers a clear way for candidates to give consent in a legal manner, easily remove consent, and request access to their data
Provides a way to confirm data has been removed from all platforms when a candidate requests it, as opposed to personal data flying around internally over email, and being saved locally to drives.
Provides an easy method to share a copy of all candidate data when requested by candidate
Ensures the ability to report on a breach in data within 72 hours of determining that it is likely to result in a risk for the rights and freedoms of individuals
Offers the ability to purge records at the expiry of the agreed data retention interval.

While the GDPR 2018 and Data Protection Act 2018 establishes data privacy principles within the EU and UK, it does not detail exactly how these principles should be achieved. Decisions regarding how companies achieve compliance are unique to each Company and subject to different factors, like the size, location, and risk tolerance of your business. The best way to make a plan is to work with legal experts or HR Professionals that understand how your business operates, and what level of risk tolerance your organisation is comfortable with.

The consequences of non-compliance with GDPR don’t stop at fines and legal action. GDPR also represents a new take on what candidates expect from companies when it comes to their personal, private data — so it’s up to you to make sure your approach offers an accurate impression of how much you respect candidate privacy and consent.

If you need help with your GDPR compliance, or advice on ATS technology that would be a good match for your needs and budget, HR Optimisation are always on hand to help hello@HROptimisation.co.uk.

Hannah Powell

Privacy policy

This privacy policy sets out how HR Optimisation Ltd uses and protects any information that you choose to provide when you use this website. HR Optimisation Ltd is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy policy. HR Optimisation Ltd may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from: 25th May 2018. If you have any queries in relation to how we use your personal information, please contact hello@hroptimisation.co.uk

What we collect

No personal information has to be given in order to navigate around the HR Optimisation website. However, any information which you choose to provide via the website will be added to our marketing database and used by us for administration of our contact and client information and for marketing our services and events to those whom we believe will have an interest in these. On occasion it is possible that these messages will contain input from other companies or organisations with whom HR Optimisation Ltd is working, however HR Optimisation will never share your personal information with third parties without express permission. HR Optimisation Ltd may also store and use personal information which you have provided on the website or during email communications with us, during relationship management activities, provision of services and commercial administration. In all our dealings we abide by the principles of the Data Protection Act 2018 and General Data Protection Regulation 2018.

What we do with the information we gather

We require this information to understand your needs and provide you with our services, and in particular for the following reasons:

Internal record keeping e.g. administration of our services and for accounts processing

We may use the information to improve our products and services

Where you have supplied your details specifically in relation to our recruitment services, to provide information to prospective employers. In this regard you expressly agree that your personal details may be submitted to client contacts as appropriate in order to offer our services

We may periodically send promotional emails and newsletters about our services, special offers or other information which we think you may find interesting using the email address which you have provided.

From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail.

Law Enforcement

HR Optimisation Ltd may be obliged to provide personal information to law enforcement officials during the investigation of any alleged unlawful activities and we shall have no legal liability for disclosures of this kind.

Security

We are committed to ensuring that your information is held securely. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. All information supplied to HR Optimisation online or via any other means is stored securely and HR Optimisation will take all reasonable steps to ensure that no unauthorised third parties may gain access to this database/documentation.

What is a cookie?

Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device. You can find more information about cookies at:

Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improve the user experience. They can also help to ensure that adverts you see online are more relevant to you and your interests. The cookies used on this website have been categorised based on the categories found in the ICC UK Cookie guide. Our website only uses cookies for anonymous page tracking, allowing us to improve your experience of our website. No personal data is collected.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

When you request information from us, or send an email enquiry, you will be given the opportunity to unsubscribe at any time, and cease receiving any further emails, by clicking on the unsubscribe link at the bottom of our emails. We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. You may request details of personal information which we hold about you in line with the Data Protection Act 2018. A small fee will be payable. If you would like a copy of the information held on you please write to: hello@HROptimisation.co.uk If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible at the above address. We will promptly correct any information found to be incorrect. However, if you feel that any issue raised has not been adequately addressed, you can contact the Information Commissioner’s Office at www.ico.org.uk.

How to Stay Compliant with Candidate Privacy Regulations

Categories

Latest Projects