The Complete Guide to GDPR in Recruitment (2024) Yoono

Yoono, an automated intelligence service, provides a guide to GDPR in recruitment and how to comply with it.

The General Data Protection Regulation (GDPR) has had a monumental impact on data privacy and how companies handle customer data. This extends to GDPR in recruitment and HR, meaning that companies will need to know exactly how to handle the personal data of candidates, employees and clients.

In this article, weʼll cover all the essentials of complying with GDPR in recruitment and HR, so you can stay informed and put effective GDPR measures in place for your business.

GDPR has had a huge influence over how companies handle and process the data of other businesses and individuals. The regulation was adopted in 2016 after drawn-out negotiations and became applicable on 25 May 2018. Agreed across the EU, it has in the years since thoroughly modernised data privacy law, particularly in relation to how businesses process personal data online.

Here, weʼll take a deep dive into the legalities and specific applications of GDPR principles to the recruitment and HR industries, covering:

  • What is GDPR?
  • Who Does GDPR apply to?
  • What Happens If You Arenʼt GDPR Compliant?
  • How Does GDPR Affect Recruitment?
  • What Does GDPR Mean for HR?

1. What is GDPR?

When was GDPR introduced? The General Data Protection Regulation was devised and written by the European Union (EU) and became applicable across the EU, including the UK, on 25 May 2018 (the UK retained it after Brexit as the UK GDPR). GDPR compliance also binds organisations located anywhere in the world if they offer goods or services to, or monitor the behaviour of, data subjects in EU member states.

What are the 7 Key GDPR Principles?

To make it easier for organisations to avoid penalties for non-compliance, the GDPR sets out seven key principles in Article 5(1) and 5(2). These are:

  1. Lawfulness, fairness and transparency: processing must be lawful, fair and transparent to the data subject.
  2. Purpose limitation: data may only be collected for specified, legitimate purposes clearly spelt out to the data subject, and not used for incompatible purposes.
  3. Data minimisation: only data that is adequate, relevant and necessary for those purposes may be processed.
  4. Accuracy: data must be kept accurate and, where necessary, up to date.
  5. Storage limitation: data may be kept in identifiable form for no longer than the purpose requires.
  6. Integrity and confidentiality: all processing and data flows must ensure security, confidentiality and integrity, using what the GDPR calls "appropriate technical and organisational measures".
  7. Accountability: the data controller is responsible for, and must be able to demonstrate, compliance with the principles above.

The GDPR, if complied with, is designed to minimise the chances of a security breach and improve information security for people who live in EU member states.

Key GDPR Terminology

You may be unfamiliar with some of the legal terminology associated with GDPR. Brush up on these essential GDPR terms:

Data controller

What is a data controller? A data controller is the person or organisation that decides why and how personal data is processed. In recruitment that is normally the business itself, acting through its owners or the employees who handle hiring. The controller is responsible for carrying out data protection impact assessments where they are required, and for appointing a data protection officer (DPO) where the GDPR demands one; the DPO advises on and monitors compliance but is a distinct role from the controller.

Data subject

The data subject is the person whose data is being processed.

Data processors

A data processor is a person or organisation that processes personal data on behalf of, and on the instructions of, the data controller, such as an outsourced background-check provider or an applicant tracking system vendor.

Personal data

Personal data includes any information relating to an identified or identifiable person, whether it is held by the controller or by a processor, including names, addresses, opinions about the person, biometric data, cookie identifiers and pseudonymised data (data that can be re-linked to the person using additional information).

Data processing

Data processing covers any operation performed on personal data, whether or not it is automated: collecting it, recording and storing it, organising and altering it, consulting or using it (including automated decision-making), disclosing or disseminating it through information systems, and erasing or destroying it.

2. Who Does GDPR apply to?

Any organisation that acts as a data controller or a data processor for information relating to data subjects must comply with the GDPR; compliance reduces the risk of a data breach or of sensitive personal data being mishandled, although it does not eliminate it.

Anyone who is a controller or processor of personal data is covered by the law. The controller has the final say over the purposes and means of processing the data subjects' personal data, and it is the data subject, not the controller, who exercises the data protection rights the regulation grants. Processors, on the other hand, are organisations that act on the documented instructions of the controller.

In order to explain who GDPR applies to, itʼs important to fully understand what is considered to be ‘personal dataʼ under the regulation.

What is Personal Data?

Personal Data refers to any information available about a person that allows them to be identified, whether this is directly or indirectly. The information might include someoneʼs name, their location and/or an online username (for instance, if they have a social media account).

GDPR also applies to information that is less obvious than this, such as cookie identifiers and IP addresses. These records count as personal data under GDPR too.

It is also worth noting that the GDPR defines special categories of personal data, which may only be processed if one of the additional conditions in Article 9 is met. These include a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and sex life or sexual orientation.

For GDPR in recruitment and HR these categories are important to know about: collecting them for a hiring decision needs a specific justification, and keeping them out of the screening process helps businesses avoid bias when hiring candidates, which we'll look at in more detail below.

3. What Happens If You Arenʼt GDPR Compliant?

One essential thing to know about GDPR is that after a data breach regulators can impose large fines on a company. An organisation can be fined if it is found not to be using its information systems correctly, with the result that personal data is mishandled, lost or stolen.

Fines can also apply if a company that is required to appoint a data protection officer has not done so.

Within the UK, these penalties will be decided and implemented by the ICO (Information Commissionerʼs Office). In the instance of a large data breach, the ICO have the power to issue fines of up to £17.5 million or 4% of the companyʼs annual worldwide turnover, whichever is higher.

4. How Does GDPR Affect Recruitment and HR?

Many recruitment businesses and HR departments use stored information when processing applications and looking for new candidates. This is now more difficult due to the robust laws surrounding personal data processing, how you can store personal data and when it is time to delete that information.

Before GDPR it was possible for recruiters to find and share information about candidates, including email addresses, names and CVs, often without the knowledge or consent of candidates.

The most important element for recruitment agencies and HR hirers to consider post-GDPR is candidate consent. As the data controller you need a lawful basis, and the candidate's clear agreement, to both:

  • Obtain the data of candidates
  • Process that data for recruitment purposes

Consent is one lawful basis among several (taking steps at the candidate's request before entering a contract, and legitimate interests, are often relied on as well), but whichever basis you use you must record it and tell candidates about it. To comply with GDPR on both points, read the following tips and adapt your business practice accordingly:

Ask for Approval…Twice

When candidates are asked to confirm that they are willing to have their data processed, they are doing so with the job they have applied for in mind. It is often the case, however, that companies keep candidates' records on file so they can contact them about future job posts.

In order to protect yourself from prospective fines, you should always ask for second approval to keep candidatesʼ information on file for the future. This can be done with a simple request to the candidate asking if you can retain their data for future use.

Keep Your Company's Database Clean

In the interests of GDPR compliance you need to make sure that any candidate data you store is kept for recruitment purposes only. If you do not require a candidateʼs services anymore or you no longer think they are fit for a role, then you should remove their data from your system. If you hold records of a former candidate, then you should send them a request for consent to keep their data on file.
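The two tips above (a separate approval for keeping a candidate on file, and removing records you no longer need) amount to a retention rule that can be enforced automatically rather than by memory. The following Python script is an added example, not Yoono's code or a tool the article describes: it records each candidate's consent per purpose, works out the last date on which the record may lawfully be held, and decides whether to keep it, ask the candidate for the second approval before it lapses, or erase it. The retention periods, the 30-day reminder window, the record layout and the sample candidates are all assumptions constructed for the illustration.

```python
"""Consent-scoped retention check for a candidate database.

Added example, not Yoono's code. The retention periods, the reminder window,
the record layout and the sample data below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy: application data is kept for six months after the vacancy
# closes; talent-pool data for twelve months from the date consent was given.
# Ask for fresh consent when coverage is within 30 days of lapsing.
APPLICATION_RETENTION = timedelta(days=180)
TALENT_POOL_RETENTION = timedelta(days=365)
RECONSENT_WINDOW = timedelta(days=30)


@dataclass
class Consent:
    """One recorded consent. purpose is 'application:<job_id>' or 'talent_pool'."""
    purpose: str
    given_on: date
    withdrawn_on: Optional[date] = None


@dataclass
class Candidate:
    candidate_id: str
    consents: List[Consent] = field(default_factory=list)


def coverage_end(consent: Consent, closed_jobs: Dict[str, date], today: date) -> Optional[date]:
    """Last date on which this consent justifies holding the record.

    Returns None once the consent has been withdrawn: withdrawal ends coverage
    immediately, whatever the retention period says.
    """
    if consent.withdrawn_on is not None and consent.withdrawn_on <= today:
        return None
    if consent.purpose == "talent_pool":
        return consent.given_on + TALENT_POOL_RETENTION
    if consent.purpose.startswith("application:"):
        job_id = consent.purpose.split(":", 1)[1]
        closed_on = closed_jobs.get(job_id)
        if closed_on is None:
            return date.max            # vacancy still open: hold for the process
        return closed_on + APPLICATION_RETENTION
    raise ValueError(f"unknown consent purpose: {consent.purpose!r}")


def decide(candidate: Candidate, closed_jobs: Dict[str, date], today: date) -> str:
    """Return 'keep', 'request_reconsent' or 'erase' for one record."""
    ends = []
    for consent in candidate.consents:
        end = coverage_end(consent, closed_jobs, today)
        if end is not None:
            ends.append(end)
    if not ends:
        return "erase"                  # no consent left to hold the record on
    latest = max(ends)
    if today > latest:
        return "erase"                  # every retention period has run out
    if latest != date.max and latest - today <= RECONSENT_WINDOW:
        return "request_reconsent"      # about to lapse: ask for the second approval
    return "keep"


def retention_plan(candidates: List[Candidate], closed_jobs: Dict[str, date], today: date) -> Dict[str, str]:
    """Decision per candidate_id for a whole database; keep the result as an audit log."""
    return {c.candidate_id: decide(c, closed_jobs, today) for c in candidates}


# Constructed sample data (not real candidates or vacancies).
TODAY = date(2024, 6, 1)
CLOSED_JOBS = {"J050": date(2023, 10, 1), "J100": date(2024, 1, 15)}  # J200 is still open

SAMPLE_CANDIDATES = [
    # Applied to J100; coverage runs to 13 Jul 2024, more than 30 days away.
    Candidate("cand-a", [Consent("application:J100", date(2023, 12, 1))]),
    # Talent-pool consent from 15 Jun 2023 lapses on 14 Jun 2024: ask again now.
    Candidate("cand-b", [Consent("talent_pool", date(2023, 6, 15))]),
    # Withdrew the only consent: nothing left to hold the record on.
    Candidate("cand-c", [Consent("talent_pool", date(2023, 9, 1), withdrawn_on=date(2024, 3, 1))]),
    # J050 closed 1 Oct 2023; the six months ran out on 29 Mar 2024.
    Candidate("cand-d", [Consent("application:J050", date(2023, 8, 20))]),
    # Live application to an open vacancy; the old talent-pool consent has expired.
    Candidate("cand-e", [Consent("application:J200", date(2024, 5, 20)),
                         Consent("talent_pool", date(2023, 1, 10))]),
]

if __name__ == "__main__":
    for candidate_id, action in retention_plan(SAMPLE_CANDIDATES, CLOSED_JOBS, TODAY).items():
        print(f"{candidate_id}: {action}")
```

Run it on a schedule, feed the `erase` decisions to your deletion routine and the `request_reconsent` ones to the mailing step that asks for the second approval, and keep each run's plan as a log: that record is one way to evidence the accountability principle. Withdrawing a consent ends that consent's coverage at once, so a candidate who opts out of the talent pool and has no live application is erased on the next run regardless of the retention period.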

Outsource for Recruitment and Background Checks

Many recruitment businesses run background checks on candidates and customers to make sure that working with them will not damage the business's reputation.

This is still standard practice within recruitment, and can be done in accordance with GDPR. It may be worth outsourcing the checks to an organisation you know complies with GDPR and data privacy law. Bear in mind that an outsourced provider is your data processor: you remain accountable as the controller, and the GDPR requires a written contract with the processor setting out what it may do with the data.

5. What Does GDPR Mean for HR?

There are a few key changes brought in with GDPR which HR departments and Human Resources businesses need to be aware of. These include:

The GDPR Laws Now Have a Wider Scope

Unlike previous regulations, GDPR has a much wider scope: it applies to employers in third countries if they process data about employees or candidates based in the EU, for instance by offering them roles or monitoring their behaviour. As such, organisations outside the UK and EU will still need to process that data in accordance with GDPR or face penalties.

The Redefinition of Personal Data

The scope of what constitutes personal data is much broader than it was previously. As discussed above, it explicitly covers online identifiers such as IP addresses and cookies, and it sets additional conditions on special category data such as ethnic background, religious beliefs and political views. For HR hirers this is particularly important to keep in mind to avoid bias in hiring procedures.

Increased Breach Requirements

If there has been a personal data breach, employers must report it to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to them, they must also notify the affected employees, customers and other individuals without undue delay.

New Roles for Security

If a business's core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category data, then that business has to appoint a Data Protection Officer. Germany already required this under its national law; the GDPR extended the requirement to all EU member states and the UK.

Employees Have New Rights

The new rules that surround GDPR mean that an employee now has more control over their data, and specifically how that data is used. An employee can access their data, obtain a copy of it, have it rectified and, in some circumstances, request that it is deleted. Employees also need to be told by their employer how their data is used and stored.

GDPR: Data Protection for the Future of Business

Since its introduction in 2018, GDPR has had a seismic impact on how personal data is obtained and used by businesses within and external to the EU.

In recruitment and HR, GDPR has had a particular impact on the need to obtain consent from candidates, and offer greater provision and security for personal data. Many recruiters look to outsource their services, but they will need to ensure that the organisations they work with also operate in a way which is GDPR compliant.