The Complete Guide to GDPR in Recruitment (2024) Yoono
Yoono, an automated intelligence service, provides a guide to GDPR in recruitment and how to comply with it.
In this article, weʼll cover all the essentials of complying with GDPR in recruitment and HR, so you can stay informed and put effective GDPR measures in place for your business.
GDPR has had a huge influence over how companies handle and process the personal data of individuals, whether those individuals are customers, candidates, employees or contacts at other businesses. The regulation was adopted in 2016 and became enforceable in May 2018, after years of negotiation. The General Data Protection Regulation was agreed across the EU and, in the years since, has modernised data privacy law, particularly in relation to how businesses process personal data online.
Here, weʼll take a deep dive into the legalities and specific applications of GDPR principles to the recruitment and HR industries, covering:
When was GDPR introduced? The General Data Protection Regulation was drafted by the European Union (EU) and has applied since 25 May 2018 in all member states, including the UK, which was a member at the time and has since retained the rules in domestic law as the UK GDPR. GDPR also binds organisations located anywhere in the world if they offer goods or services to, or monitor the behaviour of, data subjects in the EU.
To make it easier for organisations to avoid penalties for non-compliance, GDPR sets out seven key principles in Article 5(1) and 5(2). These are:
Lawfulness, fairness and transparency: processing must be lawful, fair and transparent to the data subjects (anyone in the EU, not only EU citizens).
Purpose limitation: personal data is collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
Data minimisation: only data that is adequate, relevant and limited to what is necessary for the purpose is processed.
Accuracy: personal data is kept accurate and, where necessary, up to date.
Storage limitation: personal data is kept in identifiable form for no longer than is necessary for the purpose.
Integrity and confidentiality: personal data is processed with appropriate security against unauthorised processing, loss or damage.
Accountability (Article 5(2)): the controller is responsible for, and must be able to demonstrate, compliance with the principles above.
You may be unfamiliar with some of the legal terminology associated with GDPR. Brush up on these essential GDPR terms:
Data controllers
What is a data controller? A data controller is the person or organisation that determines the purposes and means of processing personal data. In practice this is normally the business itself rather than an individual employee. The controller is responsible for carrying out data protection impact assessments where processing is likely to result in a high risk to individuals. A data protection officer (DPO) is a different role: an adviser who monitors the organisation's compliance and is consulted on impact assessments, but who does not take on the controller's responsibilities.
Data subject
The data subject is the person whose data is being processed.
Data processors
A data processor is any third party that works on behalf of the data controller to process personal data.
Personal data
Personal data is any information relating to an identified or identifiable natural person, regardless of who collected it. This includes names, addresses, opinions about the person, special category (sensitive) data, biometric data, online identifiers such as cookie IDs and IP addresses, and pseudonymised data, which is still personal data as long as the person can be re-identified using additional information.
Data processing
Data processing is any operation performed on personal data, whether or not it is automated. This includes collecting and recording data, storing it, retrieving and using it, automated decision-making, disclosing or disseminating it through information systems, and erasing or destroying it.
Any organisation that acts as a data controller, and any organisation that processes information relating to data subjects on a controller's behalf, must comply with GDPR. Compliance reduces the risk of a data breach or of sensitive personal data being mishandled; it does not eliminate that risk, which is why the regulation also requires breaches to be handled and reported properly.
Anyone who is a controller or processor of personal data is covered by the law. The controller has the final say over the purposes and means of processing the data subjects' personal data, and carries the primary responsibility for honouring the data subjects' rights. Processors, on the other hand, are organisations that act only on the documented instructions of the controller.
In order to explain who GDPR applies to, itʼs important to fully understand what is considered to be ‘personal dataʼ under the regulation.
Personal Data refers to any information available about a person that allows them to be identified, whether this is directly or indirectly. The information might include someoneʼs name, their location and/or an online username (for instance, if they have a social media account).
GDPR also applies to information that is less obvious than this, such as cookie identifiers and IP addresses. These types of record also count as personal data under GDPR when they can be linked to a person.
It is also worth noting that GDPR defines special categories of personal data in Article 9 and widens the earlier list of sensitive data. These include a personʼs racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify them, health data, and data about their sex life or sexual orientation. Processing special category data is prohibited unless one of the specific conditions in Article 9 applies.
For GDPR in recruitment and HR these categories are important to know about: collecting them about candidates needs a specific justification, and not collecting them in the first place is the simplest way to keep them out of hiring decisions and avoid bias, which weʼll look at in more detail below.
One essential thing to know about GDPR is that, in instances of a data breach, regulators can impose large fines on a company. An organisation can be fined if it is found not to have secured its information systems appropriately, with the result that personal data is mishandled, lost or stolen.
Fines can also apply if a company that is required to appoint a data protection officer has not done so.
Within the UK, these penalties are decided and enforced by the ICO (Information Commissionerʼs Office). For the most serious infringements, the ICO has the power to issue fines of up to £17.5 million or 4% of the companyʼs annual worldwide turnover, whichever is higher. Under the EU GDPR the equivalent ceiling is €20 million or 4% of worldwide turnover.
Many recruitment businesses and HR departments use stored information when processing applications and looking for new candidates. This is now more difficult due to the robust laws surrounding personal data processing, how you can store personal data and when it is time to delete that information.
Before GDPR it was possible for recruiters to find and share information about candidates, including email addresses, names and CVs, often without the knowledge or consent of candidates.
The most important element for recruitment agencies and HR hirers to consider post-GDPR is the lawful basis for handling candidate data, and in practice that usually means candidate consent. Consent is one of six lawful bases: processing an application can also rest on taking steps at the candidateʼs request before a contract, or on legitimate interests, but holding a CV on file for roles the candidate has not applied for is hard to justify without their consent. As the data controller you are going to need a lawful basis, normally consent, to both:
Obtain the data of candidates
Process that data for recruitment purposes
In order to perform both of these to comply with GDPR, you should read the following tips and adapt your business practice accordingly:
When candidates agree to have their data processed, they do so with the job they have applied for in mind. It is often the case, however, that companies keep their records on file so they can contact them about future job posts. Consent given for one purpose does not cover the other.
To protect yourself from prospective fines, you should always ask for separate, specific consent to keep candidatesʼ information on file for the future. This can be done with a simple, clearly worded request to the candidate asking if you can retain their data for future roles. Record when and how that consent was given, and make withdrawing it as easy as giving it.
In the interests of GDPR compliance you need to make sure that any candidate data you store is kept for recruitment purposes only, and for no longer than necessary. If you no longer require a candidateʼs services, or you no longer think they are fit for a role, and they have not consented to being kept on file, then you should remove their data from your system. If you hold records of a former candidate without such consent, then you should either send them a request for consent to keep their data on file or delete the record.
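The retention steps above translate directly into a rule that can be run against a candidate database. The following is an added example, not code from the article or from Yoono: it models consent per purpose (so consent given for one application never covers the talent pool), and sweeps closed applications into keep, request-consent or delete decisions. The 12-month validity for talent-pool consent and the 30-day grace period for an unanswered request are assumed policy values, not figures from the article or the regulation; the candidate records are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Purpose(Enum):
    """Each purpose gets its own consent; consent for one never covers the other."""
    APPLICATION = "application"   # processing for the specific role applied to
    TALENT_POOL = "talent_pool"   # keeping the CV on file for future roles


class Decision(Enum):
    KEEP = "keep"                        # a lawful basis still holds
    REQUEST_CONSENT = "request_consent"  # ask before retaining for future roles
    DELETE = "delete"                    # no basis left: erase the record


@dataclass
class Consent:
    purpose: Purpose
    given_on: date
    withdrawn_on: Optional[date] = None


@dataclass
class Candidate:
    candidate_id: str
    role_open: bool                                # is the application still live?
    consents: list[Consent] = field(default_factory=list)
    consent_requested_on: Optional[date] = None    # when we last asked about the talent pool


# Assumed policy values (not from the article): talent-pool consent is re-sought
# after 12 months, and an unanswered request leads to deletion after 30 days.
POOL_TTL = timedelta(days=365)
GRACE = timedelta(days=30)


def has_valid_consent(c: Candidate, purpose: Purpose, today: date) -> bool:
    """True if a consent exists for exactly this purpose and is neither withdrawn nor stale."""
    return any(
        k.purpose is purpose and k.withdrawn_on is None and today - k.given_on <= POOL_TTL
        for k in c.consents
    )


def retention_decision(c: Candidate, today: date) -> Decision:
    # 1. A live application is a basis in itself: the candidate gave us the data for this role.
    if c.role_open:
        return Decision.KEEP
    # 2. The role is closed, so only a separate talent-pool consent justifies keeping the CV.
    if has_valid_consent(c, Purpose.TALENT_POOL, today):
        return Decision.KEEP
    # 3. A withdrawn consent is not re-solicited; the record goes.
    if any(k.purpose is Purpose.TALENT_POOL and k.withdrawn_on for k in c.consents):
        return Decision.DELETE
    # 4. No usable consent: ask once, then delete if the candidate does not answer in time.
    if c.consent_requested_on is None:
        return Decision.REQUEST_CONSENT
    if today - c.consent_requested_on > GRACE:
        return Decision.DELETE
    return Decision.KEEP   # request outstanding, still inside the grace period


def sweep(candidates: list[Candidate], today: date) -> dict[str, Decision]:
    return {c.candidate_id: retention_decision(c, today) for c in candidates}


# Constructed sample records; ids and dates are illustrative only.
SAMPLE = [
    Candidate("c-001", role_open=True),
    Candidate("c-002", role_open=False,
              consents=[Consent(Purpose.TALENT_POOL, date(2024, 1, 10))]),
    Candidate("c-003", role_open=False,
              consents=[Consent(Purpose.TALENT_POOL, date(2022, 1, 10))]),      # stale consent
    Candidate("c-004", role_open=False,
              consents=[Consent(Purpose.TALENT_POOL, date(2024, 1, 10),
                                withdrawn_on=date(2024, 4, 2))]),               # withdrawn
    Candidate("c-005", role_open=False, consent_requested_on=date(2024, 3, 1)),  # never answered
    Candidate("c-006", role_open=False, consent_requested_on=date(2024, 5, 20)), # still waiting
    Candidate("c-007", role_open=False,
              consents=[Consent(Purpose.APPLICATION, date(2024, 5, 1))]),       # role consent only
]


def sample_sweep(today: date = date(2024, 6, 1)) -> dict[str, str]:
    """Run the sweep over the constructed sample as of a fixed date."""
    return {cid: d.value for cid, d in sweep(SAMPLE, today).items()}


if __name__ == "__main__":
    for cid, decision in sample_sweep().items():
        print(cid, decision)
```

The point worth noticing is record c-007: the candidate consented to processing for the role they applied to, and once that role closes the rule still asks for talent-pool consent rather than treating the earlier consent as covering future use. Running this as a scheduled job, and acting on the delete decisions, is what turns the storage-limitation principle into something you can evidence to a regulator.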
Many recruitment businesses run background checks on candidates and customers to ensure by working with them they will not damage their reputation.
This is still standard practice within recruitment, and can be done in accordance with GDPR provided there is a lawful basis for each check and candidates are told it will happen. It may be worth outsourcing to an organisation that you know complies with GDPR and data privacy requirements, but outsourcing does not transfer your accountability: the provider acts as your processor, so you need a written contract setting out what it may do with the data, and you remain answerable for the checks it runs on your behalf.
There are a few key changes brought in with GDPR which HR departments and Human Resources businesses need to be aware of. These include:
Unlike previous regulations, GDPR has a much wider territorial scope. It applies to employers in third countries if they process the data of employees or candidates in the EU in connection with offering them work or monitoring their behaviour, not only to organisations established in the EU. As such, organisations outside of the UK and EU will still need to process that data in accordance with GDPR or face penalties.
The definition of personal data is broader than it was previously, taking in online identifiers and pseudonymised data, and the special categories now explicitly include genetic and biometric data alongside ethnic origin, religious beliefs and political opinions. For HR hirers this is particularly important to keep in mind to avoid bias in hiring procedures.
If there has been a personal data breach that is likely to result in a risk to individuals, then employers need to report it to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the people concerned, they must also notify those affected individuals, whether employees, candidates or customers, without undue delay. Every breach should be logged internally even when it does not meet the reporting threshold.
If a businessʼs core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category data, then that business has to designate a Data Protection Officer, who may be a member of staff or an external appointee. This was a new requirement for most member states and the UK; Germany already required DPOs under its national law before GDPR.
The new rules that surround GDPR mean that an employee now has more control over their data, and specifically how that data is used. An employee is able to access their data, have inaccuracies rectified, request that it is erased or its processing restricted, object to certain processing, and obtain a portable copy of data they provided. Employees also need to be told by their employer, at the point of collection, how their data is used, how long it is kept and with whom it is shared.
Since its introduction in 2018, GDPR has had a seismic impact on how personal data is obtained and used by businesses within and external to the EU.
In recruitment and HR, GDPR has had a particular impact on the need to obtain consent from candidates, and offer greater provision and security for personal data. Many recruiters look to outsource their services, but they will need to ensure that the organisations they work with also operate in a way which is GDPR compliant.