Six steps to facilitate GDPR-compliant recruiting.

As of January 2023, European data regulators had issued a record €2.92 billion in fines for 2022. That is a 168% increase over 2021, and the total is expected to keep rising throughout 2023.

Professional recruiters face financial risks due to the General Data Protection Regulation (GDPR). This regulation modernizes data privacy and protection for companies with dealings in the EU. This rigorous set of rules limits how companies can use and store the personal data of EU citizens.

This article does not provide an extensive review of how recruitment firms and employers can violate GDPR regulations. Instead, it gives a simple set of steps to help companies and recruiting professionals understand and apply GDPR compliance best practices to their hiring process.

1. Inform employees of the true meaning of GDPR Compliance and their role.

The first step to implement positive change is to properly educate your team. They need to know the impact of their role when it comes to collecting and using candidate data.

Team members should be aware of the data they have access to. They should also understand how their use of this data may breach GDPR regulations. This is why it is essential to clearly define the roles and responsibilities of team members regarding GDPR compliance.

Identify the key personnel responsible for data protection, such as Data Protection Officers (DPOs). Communicate this role to the rest of the team, along with the situations that should be brought to the attention of the DPOs. With clearly defined roles and continued education on updates and changes to the GDPR, companies can ensure compliance is emphasized in a collaborative environment.

2. Review how your systems gather and store information, including integrations.

A common source of data mismanagement in the recruiting process is the hand-off of data between different systems. Information is often transferred between two or more systems that have different compliance features or procedures, and the weakest link in that chain sets the level of protection.

Your systems must store and manage personal data appropriately, just like your team members. When choosing software and deciding which information it will access or store, keep in mind the following guidelines that directly affect recruiting processes and procedures.

  • Cookie Banner & Privacy Policy must be present when posting open positions through your company website
  • Consent for communication, such as emails and texts, must be granted by the candidate and properly stored once given
  • Keep track of each department. Record the data they access. Note which systems they use to process this data. Understand why they use it
  • Candidates must be able to edit or add to the information they have submitted in a user-friendly and compliant manner. This must be done in accordance with the GDPR guidelines
  • Personal information must be securely stored. It may not be transferred to offices or clients in countries listed as non-compliant with GDPR

Continue to grow your recruiting tech stack and automate your recruiting process. Protect your proprietary database with strict security policies and control protocols. This will guard against and reduce any potential damage.

3. Properly communicate the right to privacy, candidate consent, and access to information.

GDPR requirements take special consideration when defining the meaning of consent by any citizen of the EU.

Your privacy notice must convey the following information to be considered compliant.

  • Identify the information you are collecting
  • Establish the lawful basis on which this data will be used
  • State how long you will hold this information
  • Explain how the information will be deleted and how the user can request deletion
  • State the user’s rights regarding their data

Before users give consent for data to be used and shown to potential employers, they must have all the relevant information. This ensures that they are making an informed decision.

Recruiters must provide additional instructions for how the user can edit or append the information obtained during the recruitment process. This information is related to the user’s consideration for a role within the recruiter’s company or one they represent.

SmartSearch helps recruiters stay compliant with the GDPR.

4. Streamline processes for requesting information.

The GDPR outlines many procedures for accessing and processing candidate data in a compliant fashion. However, these regulations are not meant to impede the productivity of recruiting professionals. It is essential to remember this.

There are many ways to streamline your processes and procedures while remaining compliant with GDPR.

An example is how you allow users to access their stored candidate data and process requests to have data deleted.

The software you use should have a way to escalate requests for approval to your Data Protection Officer (DPO). This helps the company handle requests to delete personal records more effectively. The DPO has 30 days to delete the records. Once the deletion is complete, an automated confirmation should be sent to the candidate confirming the removal of the records.

While deletion requests should be escalated, simple changes or updates requested by the user can be applied automatically. Each such change should be annotated on the candidate record as a permanent note carrying the timestamp of when the user asked for it.
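The request-handling workflow described in this step, and the audit records the next step calls for, can be modelled in a few lines. The following is an added example written for this article; it is not SmartSearch code, and the class and function names, the in-memory store, and the sample candidate data are all constructed for illustration. It escalates deletion requests to a named DPO, tracks them against the 30-day window, refuses to purge a record that has not been approved, queues the candidate confirmation, and applies candidate-requested edits immediately with a timestamped permanent note, while an audit log records every event without retaining the deleted personal data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

DELETION_DEADLINE_DAYS = 30  # the 30-day window the article gives the DPO


@dataclass
class CandidateRecord:
    candidate_id: str
    email: str
    phone: str
    # Permanent, timestamped notes: every candidate-requested change is annotated here.
    notes: List[str] = field(default_factory=list)


@dataclass
class DeletionRequest:
    candidate_id: str
    requested_at: datetime
    approved_by: Optional[str] = None       # DPO who approved (the escalation step)
    completed_at: Optional[datetime] = None

    @property
    def due_at(self) -> datetime:
        return self.requested_at + timedelta(days=DELETION_DEADLINE_DAYS)

    def is_overdue(self, now: datetime) -> bool:
        return self.completed_at is None and now > self.due_at


class RecruitingStore:
    """In-memory stand-in for an ATS database (constructed for this example)."""

    def __init__(self) -> None:
        self.records: Dict[str, CandidateRecord] = {}
        self.requests: List[DeletionRequest] = []
        self.audit_log: List[Tuple[str, str, str]] = []  # (iso timestamp, event, candidate_id)
        self.outbox: List[Tuple[str, str]] = []           # (recipient, message) awaiting send

    def _audit(self, now: datetime, event: str, candidate_id: str) -> None:
        # The audit trail keeps only the pseudonymous id, never the personal data itself.
        self.audit_log.append((now.isoformat(), event, candidate_id))

    def add_candidate(self, rec: CandidateRecord, now: datetime) -> None:
        self.records[rec.candidate_id] = rec
        self._audit(now, "record_created", rec.candidate_id)

    # Updates: applied automatically, annotated with a permanent timestamped note.
    def candidate_update(self, candidate_id: str, field_name: str, value: str, now: datetime) -> None:
        if field_name not in ("email", "phone"):
            raise ValueError(f"candidate may not edit field {field_name!r}")
        rec = self.records[candidate_id]
        setattr(rec, field_name, value)
        rec.notes.append(f"{now.isoformat()} candidate requested change to {field_name}")
        self._audit(now, f"update:{field_name}", candidate_id)

    # Deletions: escalated to the DPO and tracked against the deadline.
    def request_deletion(self, candidate_id: str, now: datetime) -> DeletionRequest:
        req = DeletionRequest(candidate_id=candidate_id, requested_at=now)
        self.requests.append(req)
        self._audit(now, "deletion_requested", candidate_id)
        return req

    def dpo_approve(self, req: DeletionRequest, dpo_name: str, now: datetime) -> None:
        req.approved_by = dpo_name
        self._audit(now, f"deletion_approved_by:{dpo_name}", req.candidate_id)

    def complete_deletion(self, req: DeletionRequest, now: datetime) -> None:
        if req.approved_by is None:
            raise PermissionError("deletion must be approved by the DPO before records are removed")
        rec = self.records.pop(req.candidate_id)
        # Queue the confirmation before the address is purged with the record.
        self.outbox.append((rec.email, f"Your candidate records were removed on {now.date().isoformat()}."))
        req.completed_at = now
        self._audit(now, "deletion_completed", req.candidate_id)

    def overdue_requests(self, now: datetime) -> List[DeletionRequest]:
        return [r for r in self.requests if r.is_overdue(now)]


def run_demo() -> dict:
    """Walk one constructed candidate through an edit and a deletion; returns a summary."""
    store = RecruitingStore()
    t0 = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
    store.add_candidate(CandidateRecord("c-001", "candidate@example.org", "+000"), t0)
    store.candidate_update("c-001", "phone", "+111", t0 + timedelta(days=1))
    req = store.request_deletion("c-001", t0 + timedelta(days=2))
    unapproved_blocked = False
    try:
        store.complete_deletion(req, t0 + timedelta(days=3))
    except PermissionError:
        unapproved_blocked = True
    overdue_before = len(store.overdue_requests(t0 + timedelta(days=40)))
    store.dpo_approve(req, "dpo-placeholder", t0 + timedelta(days=3))
    store.complete_deletion(req, t0 + timedelta(days=4))
    return {
        "due_days_after_request": (req.due_at - req.requested_at).days,
        "unapproved_blocked": unapproved_blocked,
        "overdue_if_ignored": overdue_before,
        "record_deleted": "c-001" not in store.records,
        "confirmation_to": store.outbox[0][0],
        "notes_count_before_delete": 1,
        "audit_events": [e for _, e, _ in store.audit_log],
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design choices are worth noting. The store refuses to purge a record until a DPO has approved the request, so the escalation step cannot be skipped by automation, and `overdue_requests` gives the DPO a standing list of anything approaching or past the 30-day window. The confirmation message is queued before the record is dropped, because the candidate's address is itself personal data that disappears with the record; afterwards only the pseudonymous id remains in the audit log.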

5. Ensure consent is appropriately documented and stored.

Mistakes are bound to happen, and audits are a standard part of working in talent acquisition. To make a GDPR audit as painless as possible, keep accurate records of consent and communications, and make sure those records are easily accessible to approved team members.

As we pointed out in the previous step, records of when information is deleted are required for GDPR compliance.

During an audit, additional information may be requested. This may include any messages between the company and the candidate. This is to ensure that these messages did not contain any practices prohibited in Article 12 of the GDPR.

6. Review and improve procedures for data protection and steps in the event of a breach.

Large-scale data breaches happen. Although many technologies work to prevent them, the demand for instant access to data means we will always have to be diligent in protecting contact details and other personal data.

The software providers you use for recruitment should be chosen for their ability to ensure files cannot be accessed from non-approved interfaces. It is just as important that they have a defined set of processes in place for the event that a breach does occur.

Article 33 of the GDPR sets a clear standard: any company with a suspected data breach must report it to a supervisory authority within 72 hours.

Creating a culture of data protection that educates and empowers recruiters in their GDPR roles and responsibilities is crucial for organizations.
This is why SmartSearch built a full suite of GDPR-compliant solutions for recruiters and corporate employers before these laws went into effect.

With our compliance-focused Applicant Tracking System (ATS) and Candidate Relationship Management System, companies can effectively manage their recruitment efforts while remaining compliant with GDPR regulations.

By implementing the steps in this article and a compliant recruiting software platform, organizations can ensure that their team members are well-informed and actively contribute to GDPR compliance efforts.

Remember, GDPR compliance requires the collective effort of the entire team. This effort is essential for protecting personal data and sustaining the trust of stakeholders. If you’d like to add SmartSearch’s information security measures to your team, click here to speak with a representative.