Yoono discuss the Importance of GDPR in Recruitment (2022)
Yoono, an automated intelligence service, discusses the importance of GDPR in recruitment and how to be compliant.
The General Data Protection Regulation (GDPR) has a huge influence over how businesses both handle and process the data of other businesses and individuals. It came into force in May 2018 when the drawn-out plans for data protection measures were finally put into place.
The General Data Protection Regulation was mutually agreed across Europe and, after being in place for almost 4 years, has completely modernised data privacy laws.
GDPR was brought in to completely replace the previous data processing and data protection principles that were in place throughout Europe. This is because those rules were around two decades old and given how much access to data, our reliance on technology and our lifestyles have changed, the European Parliament saw it was time for data privacy to be modernised.
The European Union confirmed that the whole point of introducing the general data protection regulation was so that data protection principles could be “harmonised”. This meant there was more unity for member states when discussing data protection, not to mention more rights for individuals’ information. The GDPR’s implementation also affected businesses, specifically how they handle the information of others regardless of whether they are other businesses, customers, or prospective candidates. If any business is found in breach of these regulations, then public authorities can step in and there could be GDPR fines assigned to that business as a result.
Though the general data protection regulation does bring with it several big changes, it is merely building on, and modernising previous data privacy laws as opposed to completely creating new ones. It means that though businesses need to alter how they handle information in the name of GDPR compliance, their GDPR obligations are not wholly dissimilar to how they were previously. There are notable changes, specifically within the world of recruitment, and these are all going to be discussed in more detail below.
Additionally, organisations that have “regular and systematic monitoring” of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO).
When it comes to the likes of data controllers and data privacy, all of them look towards GDPR as it is essentially the strongest set of data protection rules in the whole world. It is the Magna Carta when it comes to detailing how people can access pieces of information and then also puts limits on the information organisations are able to gain access to.
GDPR is a framework for different laws across the continent of Europe and was instilled to replace the previous legislation that dated back to 1995, the Data Protection Directive. The final form of the General Data Protection Regulation, upon its release was adopted by both the European Council and the European Parliament.
When it finally came into force in May 2018, countries needed to comply with the regulations but then also had control to make small amendments to whatever justified their needs. In the UK, these small changes led to the Data Protection Act which was implemented in 2018 and overrules the previous Data Protection Act from 1998.
Access to personal data is the foundation that the GDPR was built upon. Personal Data refers to any information available about a person that allows them to be identified (whether this is directly or indirectly). The relevant information pertains to the likes of someone’s name, their location and an online username (for instance if they have a Twitter account). GDPR will also apply to information that is a bit less apparent than this as well, such as cookie identifiers and IP addresses; all of these records will be considered some kind of personal data.
It is also worth noting that one of the changes that came into place with the introduction of GDPR is the special categories of personal data. These include a person’s racial or ethnic background, what their political opinions are, their religious beliefs and whether or not they are members of trade unions. Essentially, it involves any data that can allow a person to be identified. The above are particularly important in recruitment, given they allow businesses to avoid bias when hiring candidates, as will be discussed more below.
It’s important to have this understanding of what personal data is because under the General Data Protection Regulation, anyone who is a controller or processor of such information will be covered by the law. A controller is able to exercise their data protection rights. Essentially, they have the final say over the means and purposes of the processing of their personal data. The processors on the other hand are organisations that act under the instructions of said possessor.
Finally, it is worth noting that even though the introduction of the GDPR and GDPR compliance comes from the EU, it operates on a large scale. This means that it can apply to third countries as well, so if there is a business in the US that works with a business in the UK, EU and UK GDPR will still apply.
A large talking point that surrounds GDPR is the fact that in instances of a data breach, regulators can impose large fines onto a company. This basically means that if an organisation is not using their information systems correctly and as such is storing personal data incorrectly then they can be fined. These fines can also apply when a company needs a data protection officer but does not have one.
Within the UK, these penalties will be decided by the ICO. The fines that are applicable can be large, as smaller offences can result in fines of up to 10 million euros. In the instance of a larger breach, this could result in fines of up to 20 million euros. This already sounds like a lot but the difference can really be seen when these figures are compared to the previous data protection laws, which only allowed fines of up to £500,000 in the instance of incorrectly stored data.
The introduction of GDPR affects businesses in a few ways but one of the most notable is in recruitment. This is because of the fact it changes the way that personal data is collected, stored and used. A lot of businesses use such stored information when processing applications and looking for new candidates. This is now more difficult due to the robust laws surrounding personal data processing, how you can store personal data and when it is time to delete that information.
Data collection has always been an important factor in recruitment as organisations have been able to use different search engines and tools to identify potential candidates. This means looking through the web for CVs and email addresses, not to mention gaining access to entire websites whose service is to provide access to CVs that fit a company’s specific search criteria. Information on candidates has always been very valuable in the industry and a lot of the time in the past, this information was passed around without the candidates themselves even knowing. That is of course until GDPR.
The introduction of GDPR in the UK and across Europe has a large impact on recruitment. This was firstly felt by organisations whose sole purpose was collating personal data. This is because GDPR was not only applicable to the candidate data they had previously collected but everything collected since it had come into effect.
There have also been effects felt by employers and recruitment agencies in the UK. The thing to keep in mind is the subject of the data’s consent. Remember that as the data controller you are going to need permission to both:
If you are recruiting candidates in the UK then there are a few ways that you can ensure you are acting in compliance with GDPR. These include:
When candidates are asked to verify they are happy with having their data processed, they are doing so with the job they have applied for in mind. You tend to find, though, that companies keep them on file so they can contact them about future job posts.
In order to avoid issues with doing this and protect yourself from prospective fines, you should ask for second approval to keep candidates’ information on file for the future. This can be done with a simple request to the candidate asking if you can retain their data for future use.
In the interests of GDPR compliance you need to make sure that any candidate data you store is from recruitment and recruitment only. If you do not require a candidate’s services anymore or you no longer think they are fit for a role, then you should have their data removed from your system. If you have records of an old candidate and don’t have their consent to keep them then send a request asking for consent.
A lot of businesses run background checks on candidates and customers to ensure that working with them will not damage their reputation. This is standard practice and was before GDPR as well. As such, it is fine to continue doing it, but it may be worth outsourcing to an organisation who you know will comply with GDPR.
If you are interested in running a background check and getting a better idea on your prospective employee, then consider enlisting the help of organisations such as Yoono. Yoono offer services where they will be able to run a sufficient check on your candidate and compile a report which consists of GDPR compliant information obtained from the internet. This will allow you to get a better idea of that candidate without worrying about being in breach of GDPR.
This is a common question which is brought up when discussing the effect that GDPR can have on recruitment. A recruitment agency is not a data processor but is a data controller. This is because they are responsible for determining the purpose and the means of processing personal data. Not to mention, they control the processing activities.
There are a few key changes that come with GDPR which HR need to be aware of. These include:
Unlike previous regulations, GDPR has a much wider scope and applies to employers in third countries so long as they have documentation and information for employees based in the EU. As such, organisations outside of the UK and EU will still need to process data in accordance with GDPR or face penalties.
The scope that constitutes personal data is much broader than it was previously. As previously discussed, it now considers the likes of ethnic background, religious ideologies and political views.
If there has been a breach in GDPR compliance, then employers need to report it within 72 hours of becoming aware of it. They also must notify the employees that might be affected by said breach as well without further delay.
When it comes to the security of a business, new roles have been created considering GDPR. If a business is responsible for regularly monitoring the personal data of individuals and businesses as part of one of its core activities, then that business has to hire a Data Protection Officer. This is a new requirement outside of Germany that applies to all other member states.
The new rules that surround GDPR mean that an employee is given more control over their data, specifically how that data is used. They also can obtain, rectify, access and request that their data is deleted. Employees also need to be notified by their employer how their data is used.
GDPR came into force in 2018 and since then has been a major influence over how personal data is obtained and used. This has naturally had an impact on a few businesses, including in recruitment which has had a variety of legal obligations imposed on it because of the modernisation in law.
Previously, the data of candidates was used without the candidates having knowledge of as much. This has now changed, and recruiters need to ensure that they have a candidate’s permission to store information. A lot of recruiters outsource their services now and use AI as a means of recruitment and running background checks, so if this is the case, they will need to ensure those organisations also operate in a way which is GDPR compliant.
If your organisation needs assistance with running recruitment and background checks in a way that is GDPR compliant then do not hesitate to contact us at Yoono. Here at Yoono, we are an online tool that will allow you to check companies and individuals in Google and provide your HR department with an automated report. Everything is done with GDPR compliance in mind and will help you significantly throughout the recruitment process. If you have any questions or would like to know more about what Yoono can do for you then please do not hesitate to get in touch.