How GDPR Impacts Global Recruiting Teams

Join us on 3/22 at 9:00 AM EST as we dive into GDPR basics for the recruiter and what they need to know. Click here to register

In our last post, we covered the basics of the GDPR, or the European Union’s General Data Protection Regulation. When it goes into effect on May 25, 2018, the EU will have an enforceable set of rules regulating the personal data handled by EU and many non-EU organizations.

Because data collection is at the heart of recruiting, it’s imperative that recruiters are prepared for the GDPR before May 25. The areas impacted include your ATS, candidate storage, sourcing, and employment branding strategies. Here’s what you should consider with regards to data collection and compliance moving forward:

Legal basis for GDPR in Recruiting and Hiring

Recruiting agencies and HR managers will need to substantiate the legal basis for their handling of candidates’ personal data. The GDPR envisions a number of legal bases, two of the most notable being the candidate’s consent and the legitimate interests of the organization. Some EU countries helpfully expand the GDPR’s list of legal bases to also include employee recruitment, but that is a matter of local law.

The GDPR imposes burdensome requirements in order for consent to qualify as a permissible legal basis for data processing. First, consent must be explicit (e.g., by an opt-in that is separate from consents or approvals obtained for other matters). Consent must also be informed, meaning it is given after proper privacy disclosures have been provided. It must cover only a specific and narrowly tailored purpose of processing. And it must be freely given, i.e., the individual has a genuine free choice whether or not to consent, without being subject to adverse consequences.

Clearly, to qualify for consent under the GDPR, organizations must do more than simply add a clarification and a checkbox to data collection forms.

GDPR’s “Right to Erasure”

You should enable candidates to access and review their data anytime they like, to update their data, and even allow for full erasure upon request in many instances. Candidates will have the “right to be forgotten or right to erasure,” meaning that candidates can request for their data to be erased when it is no longer necessary for the original purpose.

This impacts your work in your ATS because applicants can apply for a position, be rejected, and then exercise their right to erasure. A few months later, the same job seeker can apply again, but you won’t know it because your ATS won’t show it – it’s been deleted. No data, no notes from previous interviews, no data on the job seeker at all.

Data Portability

Recruiters will need to provide all the personal data they have on a candidate, when requested by the candidate, in a portable format. The GDPR states that each candidate has the right to transfer their data anywhere they prefer.

No More Unsolicited Emails

Recruiters will no longer be free to send emails to users who have not opted into their mailing list. As a first step, recruiters and HR staff must be aware of who is currently in their database and whether those data subjects benefit from GDPR rights. You might want to consider grouping candidates in the EU into a different category than candidates elsewhere (who are not impacted by the GDPR).

Fines for Non-Compliance

As we mentioned in our first blog post, failing to comply with the GDPR could result in severe penalties of up to 4 percent of worldwide turnover, or 20,000,000 Euros – whichever is higher.

Breach Notification

The GDPR requires companies to inform data subjects about data breaches impacting their personal information if the breach is likely to result in a high risk to their rights and freedoms. While this type of requirement is not particularly new for American companies—most states in the U.S. currently mandate it—the breach reporting requirements under the GDPR are stringent. Notification must be made “without undue delay.”

GDPR Increases the Complexity of Hiring Globally

Will the GDPR make your job more difficult? Yes, it absolutely will. Companies need to tread cautiously, positioning themselves as offering an improved candidate experience, particularly if they are targeting candidates in the EU.

GDPR compliance statements will likely be everywhere beginning in May. You don’t have to wait; put yours in place now. The earlier you begin to implement privacy-friendly data collection practices, the easier it will be to avoid risks and ensure compliance.

Develop a Clear Privacy Policy

Even if you currently have one in place, you need a clear privacy policy that consumers will actually be able to read and understand. In that policy, you will need to clearly indicate what personal information is being requested or collected. Where the legal basis of your processing is consent, candidates or applicants will have to be given a choice of whether or not to provide the personal data requested from them. Any data that is collected needs to be clearly marked for the specific purpose for which it was collected. Notably, data that is collected for a stated purpose can only be used for that purpose, unless there is also a legal basis for its use for a different purpose.

Turn Your Opt-Out Into an Opt-In

Most U.S. companies currently use an opt-out policy when collecting and sharing consumer data. The opt-out model requires consumers to specifically ask data collectors and aggregators not to share their data with third parties. Otherwise, consent is assumed by default.

The GDPR will require organizations to do just the opposite when they rely on a consumer’s consent. When basing your processing activities on consent, you must obtain affirmative consent before collecting or sharing candidate data.

Make Sure Your Recruiting Software is Compliant

Your ATS and any other software you’re using to hold data should be GDPR compliant. If it is not, consider upgrading sooner rather than later. If your ATS is on its game, it’s already working on compliance or has compliance for GDPR in place. Your application process must be consistent and take the candidate experience into consideration. For example, is it easier to have GDPR compliance for applications around the world or should you have separate policies for each country?

Be Prepared for New Reporting Requirements

Under Article 35 of the GDPR, a Data Protection Impact Assessment (“DPIA”, which is also commonly known as a Privacy Impact Assessment or “PIA”) is required for any processing that is likely to result in “high risk.” In addition, supervisory authorities may also establish and make public a list of the types of processing operations that require a DPIA. While official public lists from the Data Protection Authorities (“DPAs”) are forthcoming, you’ll want to begin identifying areas of high risk, such as sensitive data processing, candidate profiling and automated decisions regarding candidates.

Note that these are just a handful of topics under the GDPR, the European Union’s General Data Protection Regulation. You can learn more about the GDPR in the other posts of our GDPR Recruiting series.
*DISCLAIMER: This article is intended for informative purposes only. It does not constitute legal advice regarding the GDPR or any other matter, and may not be used or relied on for such purposes. You should seek the advice of competent legal counsel with respect to any particular fact pattern or issue.