The Impacts of GDPR on Hiring
Looking to revamp your security and data collection policy? The General Data Protection Regulation (GDPR) has changed the game when it comes to data collection. Although these rules apply to EU companies and citizens (and anyone that handles data for EU companies and citizens), their impact is far-reaching and will undoubtedly influence policy-makers the world over. This means it’s probably a good idea to align your security policies with GDPR, just in case.
If you are new to GDPR or want to know more about how it impacts your handling of data for hiring purposes, then you’ve come to the right place. Keep in mind, GDPR as a whole is a very complex legal beast. We’re going to skim the surface for key changes for better data protection of your candidates.
Before we get started, please keep in mind this is not legal advice. This article is to give you a simple heads-up on some of the main changes surrounding data collection for hiring. If you want to be GDPR compliant or otherwise follow the laws for your own region, please consult an actual lawyer.
Collecting with Interest
A big part of GDPR is collecting information with legitimate interest. What does legitimate interest mean, you ask? Essentially, it means that you have a sincere reason for collecting that data. For example, if you collect resumes/data to fill an open position, that’s a legitimate interest. You are interested in collecting and reviewing that data to find someone for your team.
What’s not legitimate interest is collecting resumes just because you want lots of possible candidates to contact. Then, they sit idly collecting digital dust (or real dust if you have physical resumes). GDPR is a protection against data-hoarding, in a sense. This doesn’t mean that you can’t have a talent pool full of great potential people. I’ll discuss more about this in the next section, but it does mean you have to think about why you’re collecting this data.
Legitimate interest extends to how you collect information from social media too. Social channels like LinkedIn are great for finding and collecting information on people. You can’t, however, scoop up loads of data and save it for a rainy day; rather, there needs to be consent from the potential candidate to gather their data, and you need to have set guidelines for how you handle that data. Reaching out to these prospective candidates and saying that you would like to add them to your talent pool is one way to be in line with GDPR. When you reach out, make sure to send the person a link to your privacy policy, outlining how you handle data. Under GDPR, people need to know how you handle their data and how you keep it safe.
Sweep Away Old Data
Deleting data is a big part of keeping data safe. It doesn’t get any safer than when it doesn’t exist. As such, GDPR talks a lot about the deletion of data, otherwise known as the right to erasure (Article 17 describes it further). So knowing how you plan on deleting people’s data is a key part of becoming GDPR compliant.
So how does this impact hiring? It impacts it because you can’t hold people’s data forever anymore. Not only do you need to inform people when you plan on deleting their data, but you also have to delete it once it is no longer relevant. If you do want to keep someone’s data for longer than first intended, you have to tell them that.
For example, let’s say that you collect someone’s data to fill a position and you plan on deleting their data after you make your hire. Once that position is filled, you should delete that person’s data. This is because that data is no longer relevant. If you want to keep that person in a talent pool, you can, but you have to reach out to that candidate and tell them you would like to keep their record on file for a specified time period. They then get the option to say “sure, keep me on file until then” or “nah, delete me”.
If a candidate asks you to delete or rectify their data, you must do it. This goes for any point in the hiring process. If someone doesn’t want you to have their data on file, you need to remove it in a timely manner (no longer than a month). Not only is it the nice thing to do, it’s the lawful thing to do (both of which should be sufficient motivators, considering the possible fines).
Generally speaking, you shouldn’t hang on to anyone’s data for over a year. By that time, it’s most likely inaccurate anyway, and if you haven’t used it yet, you’re not going to. Declutter your talent pool like Marie Kondo declutters homes. This also applies to data you have already collected and to physical resumes. GDPR impacts any and all of your current talent pools. Make sure to go through them and see if you still need that stellar candidate from 2014 who didn’t quite cut it. Chances are you can delete a lot of the old data you have. If you do choose to keep some, remember to reach out to let the person know they’re still on file.
Communication is Key
We’ve already gone over a couple of instances of when you should reach out to your candidates, but communicating is more than just a couple of emails. With GDPR, you need to have a privacy policy listing exactly how you handle and delete data. Your company may currently have a privacy policy, but you might want to consider creating a recruiting-specific policy. This will make it easier and faster for candidates to read and understand.
This recruiting privacy policy should include the reason why you are collecting data and what information you need. Include how candidates can reach out to you if they want their information destroyed or changed. You should also have some details on who you share data with and how long you plan on keeping the data in general.
Make sure that this privacy policy is easy to access. Attach a link in your email footer and send it in your initial message to candidates. Candidates need to know how their information is handled under GDPR. It’s your job to make it as easy as possible for them to learn about it.
GDPR also ensures that you are communicating in a timely manner. Once someone applies, you have about a month to send that candidate an email with your privacy policy and inform them how long you intend to keep their information. This is also a good time to ask for extra information, such as any disabilities, if you need it. You need explicit consent to collect and store this type of information. Communicating in a timely manner and having full disclosure is never a bad thing. It improves the candidate’s experience with your company, so if you weren’t doing this, now would be a good time to start.
As I said in the beginning, GDPR can be confusing and has many different articles (99 to be exact). While we obviously can’t cover everything in this post, we have gone over some of the bigger things that GDPR changes for recruiting. If you are still unsure about something, please seek professional legal advice.
Hopefully you can now start working towards better data security with a foundational knowledge of GDPR and how we manage data under it.