GDPR and recruiting: the rights and obligations of recruiters and applicants

The new EU general data protection regulation (abbreviated “GDPR”) is approaching rapidly. For most, if not all, companies, this means changes need to be made to their way of working. Because as soon as personal data are involved, any processing, transmission and/or storage must be in line with the new law. If your use of data violates the GDPR, you will be subject to heavy fines. In the event of a violation caused by recklessness, the company could be subject to a penalty in the amount of €20 million or 4% of the company’s turnover worldwide, whichever is higher. Negligence will entail a fine of €10 million or 2% of the company’s turnover.

An overview of the facts

 The protection of natural persons’ personal data is central to the GDPR. These data comprise all information related to a natural person or information which identifies the person. Specifically, this refers to their name, ID numbers, location information and online usernames. Other data to be protected include a person’s physical, physiological, genetic, psychological, economic, cultural or social characteristics. If these data are to be processed, the person is to be informed in accordance with the GDPR. We’ll get to that in a bit.

The GDPR divides people into 3 groups

Each of the three groups either has the right to the protection of their personal data or the obligation to protect such data:

• Data subjects
• Data controllers
• Data processors

Data subjects are natural persons who are entitled to protection of their personal data. In terms of recruiting, this refers to candidates who provide personal data during the application process.
The controller determines which personal data is needed and how it is to be used. This category includes recruiters and companies that determine which data is necessary for the recruiting process.
The processor processes the data according to the controller’s instructions. For example, it could be the provider of a recruiter management system, as it collects and processes the applicants’ personal data.

The 5 principles of the GDPR 

The GDPR is based on 5 principles which should improve the fairness and safety of using personal data.

1. Transparency
   Data subjects must always know that their data is going to be processed. In other words, applicants should know which data is going to be processed and when.
2. Purpose limitation
   The use of data may only be for the explicitly defined purpose and may only be stored for a limited time. Data collected during the application process shall only be used for this purpose.
3. Data minimization
   Personal data must be limited to what is necessary in relation to the purposes for which it is processed. If certain information is irrelevant with regard to the application process, recruiters are not allowed to collect it in accordance with the GDPR.
4. Accuracy
   When a controller has information, the controller must always ensure that it is up-to-date and accurate. This is the most difficult principle for recruiters. You will find out more in our whitepaper: GDPR & Recruiting, which is available in the download section and can be downloaded for free.
5. Storage limitation
   The GDPR dictates that data can only be stored for a limited time, even if it does not specify for how long. This is another area that requires special attention from recruiters, particularly when talent pools are used.

“The challenges associated with recruiting or applicant tracking are less about a legitimate interest in data processing activities and more about ensuing a level of technological and organizational security that protects against risks.”

The GDPR does not set out specific technical or organizational measures (abbreviated “TOMs”). However, depending on the factors or purpose of data processing, it makes sense to implement the following measures, among others, to be able to ensure compliance with the GDPR:

• Pseudonymization
• Encryption
• Ensuring confidentiality
• Ensuring integrity
• Ensuring availability
• Ensuring system stability
• etc.

Other measures which make you conform with the GDPR are available here: GDPR & Recruiting.

How can you make your recruiting process fit for the GDPR?

Proper planning is half the battle. In particular, it is advisable to appoint a data protection officer; it does not matter if this person is part of the company or a third party. Remember, you shouldn’t pick someone who has no idea about data protection and who will have to do a lot of reading up on the GDPR in addition to their other daily business activities. As with any project, it makes sense to create a schedule and a budget. Prioritize your goals. Then you can gather information on the status quo. It should provide valid information about, as well as answers to questions about the current status of your company’s data security. You can also draw up the necessary documents, such as contracts, forms or agreements. On the one hand, this will help you prioritize goals and, on the other hand, you will save time when the GDPR actually enters into force on May 25, 2018.