The General Data Protection Regulation (GDPR) is a regulation which aims at strengthening and unifying data protection for all those living in the European Union (EU). The GDPR also regulates the export of personal data outside the EU. The Regulation replaces the current Data Protection Directive of 1995 and enters into force on May 25th 2018. The GDPR does not require legislation from national governments as it is a regulation instead of a directive. Therefore, it will be effective immediately.
The collection of candidate data is an essential part of the recruitment activity. As soon as you receive applications, you collect and process data! Moreover, with lots of scraping tools allowing you to enrich and retrieve all kinds of data on candidates on the internet, a lot of data is processed and/or transferred between companies without the candidates being really aware of it. The GDPR prevents this and therefore has direct implications for recruiters.
The GDPR has several implications in terms of rights granted to candidates. Make sure you can respond to requests under these rights within a maximum of one month to avoid, for example, a serious fine. Here are the rights a candidate is granted under the GDPR:
Before going into more detail, there are certain terms of the GDPR that need to be explained.
« Data subjects » is equivalent to candidates in our case.
« Personal data » is any information that can be used to identify the data subject (e.g. last name, first name, e-mail address or phone number).
« Controllers » collect and decide the purpose of the processing of personal data (e.g. data processing for an open position). Controllers are employers (companies, recruiting firms, etc.). In our case, it might be you.
« Processors » are the application management systems or any other organization that processes personal data on behalf of a controller. In our case, it can be Zenploy.
« Processing » means any action taken on personal data, such as collection, registration, organization, storage, use and erasure.
In general, the GDPR aims at empowering those concerned (the candidates) by providing strict guidelines to both controllers and processors.
The GDPR is all about one thing: the consent of the person concerned. As a data controller, you will need consent from applicants to obtain their data and process it for recruitment purposes.
You will also need to ensure that applicants can withdraw their consent as easily as possible. Once this happens, you must stop processing their data and permanently delete it on request.
When you get candidate data as a controller:
When candidates apply for one of your job offers, you must provide them with all the information below.
When you receive applications, you must provide more information.
If you were profile-hunting over the internet or obtained their data through other indirect channels, you will need to provide more information. In this case, you must provide everything listed above, but also:
The most important part of compliance with the GDPR is to set up a structure that can properly handle candidate data. Setting up this compliant structure by yourself can take a lot of time and you may not get it right, which is why the use of recruiting software that meets GDPR standards (like Zenploy) is recommended.
Finally, here are a few tips:
Collect only relevant data
Collect only candidate data that is useful for recruiting. Do not use it for anything else. Your recruitment software can help you ensure that only relevant candidate data is collected. For example, the Zenploy application form allows you to define specific fields in order to collect the right information.
Inform your candidates of the use of their data
Do not forget to inform candidates of how their data is being processed and of the duration of its storage. For example, with Zenploy, our customers have at their disposal Terms of Application that provide such information to candidates. Additionally, when candidates apply, they must explicitly give their consent by checking a checkbox.
Keep your database clean and up-to-date
Treat your application data clearly and accurately. If you are no longer considering a candidate's application, we advise you to delete their data from your system. You can do it easily on Zenploy.
Stay compliant when sourcing candidates
Candidate hunting plays an important role for many companies. Always make sure to stay compliant with the GDPR while doing so, especially by informing prospects, at the first contact, that you have collected and processed their data in order to offer them a job and that they can exercise their rights.
We hope that this article gave you a better understanding of the implications of the GDPR on the management and processing of your candidates' data, as well as the overall impact on your recruiting processes.
If you want to know more about Zenploy, feel free to book a demo.
N.B. This article is for guidance only. It is recommended to get legal help on this matter. We will not be held responsible for the accuracy of any information provided in whole or in part in this article.