GDPR checklist: Requirements for recruiters and HR

The General Data Protection Regulation (GDPR) is an EU law that aims to protect EU residents’ personal data and rights to privacy. Come May 2018, organisations must be prepared to comply with GDPR whenever they collect and process EU citizens’ data. Recruiters and hiring teams especially should make sure that they are transparent when processing candidate data during hiring. They should also ensure candidates can exercise their rights under GDPR.

To help you prepare your recruiting and HR processes for GDPR compliance, we created this GDPR checklist:

Please note: while Workable has consulted with legal professionals both in the creation of this GDPR checklist and updates to our own product features, Workable is not a law firm. All information in these FAQs is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements. Organisations should take independent legal advice regarding their own provisions for data protection.

Does my company have to comply with GDPR?

Your company must comply with the GDPR if it collects and uses data of EU residents. This definition covers:

• EU companies.
• Non-EU companies that:

• Offer goods or services to EU residents or,
• Monitor EU residents’ behavior.

What to do this week:

Understand the basic GDPR terms

• Candidates or “data subjects”: EU residents you are considering for open roles.
• Employers or “data controllers”: Organisations that collect candidate information for recruiting purposes.
• Applicant Tracking Systems (ATS) or “data processors”: Software providers that handle candidate information on behalf of employers.

Our hiring specialists can answer your questions about GDPR and the Workable GDPR Feature Pack. Request a free demo to learn how Workable’s all-in-one recruiting software can keep candidate data secure while making your hiring process more efficient. 

Learn about GDPR requirements that pertain to recruiting

• Legitimate interest: You need to have a specified, explicit and legitimate purpose to collect candidate data.
• Consent (for sensitive data): As a recruiter, you have legitimate interest to process candidate data. You need to ask for consent only if you require sensitive data like disability information or cultural and genetic information.
• Transparency: You need to disclose information required by the GDPR (e.g. how candidates can ask you to rectify or delete their data.)
• The “right to be forgotten”: You need to comply with a candidate’s wish to delete their own data from all systems where you store it within one month.
• The right to access and rectify data: You need to comply with a candidate’s wish to access their own data from all systems where you store it within one month.
• Accountability: You must ensure you have processes to properly inform candidates and you are responsible for partnering only with organisations that comply with GDPR.

What to start doing as soon as possible:

Map your recruiting data

• Meet with senior leaders and your company’s Data Protection Officer (if your company is obliged to appoint one) to plan your company’s data audit.
• Answer the following questions as part of the audit:

• What are our candidate sources and how do we collect their personal data?
• What kind of data do we collect and how much of it do we actually use?
• How do we use personal data in our operations?
• Where do we store data and who has access to it?
• How does data flow within our company across processes/ functions/ departments?
• What are our processes for sharing, transferring, modifying and deleting data?

Create a recruitment-specific privacy policy

• Make sure to include:

• The name and contact details of your organisation and DPO where applicable.
• An explanation of your legitimate interest and a statement that any data requested will be used for recruitment purposes only.
• The types of information about a candidate that reside in your company’s files.
• Who you will share the data with.
• Where you found the candidates’ data.
• Where the processing is based and where you store data.
• How long your organisation intends to store the candidate’s data.
• The candidates’ rights.
• Instructions on how candidates can take action on the processing of their personal data.
• How you protect candidate data.

Modify your sourcing practices to comply with GDPR

• Consider whether you have legitimate interest before storing passive candidate data. Ensure you:

• Source candidates for a specific, legitimate reason, not just to build your talent pool.
• Collect only the amount and types of data that are absolutely necessary for your recruiting purposes.
• Intend to contact candidates whose data you store in less than a month.
• Obtain data lawfully from a legit source.

• Set a fixed period (less than a month) in which your team should contact candidates to inform them that you are processing their data.
• Create a sourcing template to contact candidates including:

• A link to your privacy policy for recruitment.
• The name and contact details of your organisation.
• A statement that any data requested will be used for recruitment purposes only.

Ensure your job application process complies with GDPR

• Ask only for personal data that are necessary (“necessary and relevant to the performance of the job which is being applied for.”)
• Be transparent:

• State that you intend to use their data for recruitment purposes only.
• Specify for how long you may need to keep this data.
• Note if you plan to gather more information about candidates as part of your screening process.

• Link to your privacy policies and clarify that:

• Candidates can find instructions on how to access their data in your privacy policy.
• Candidates have the right to ask you to rectify or delete their data.

Comply with GDPR when rejecting candidates

• Delete all data you have about the candidates you will not be considering for further roles.
• Inform candidates whose data you want to keep that you will keep processing their data (if you told them you would process their data only until you filled the position.) In your email:

• Explain why you want to keep the candidate’s data.
• Mention how long you plan to keep their details.
• Link again to your privacy policy.
• Let candidates know they can withdraw their consent (if applicable) at any time.

Be transparent whenever you receive data from candidates

• Have copies or links of your company’s privacy policy available.
• Email candidates after you receive their data.

Review existing talent pipelines

• Go through every candidate in the places you store candidate data (spreadsheets, ATS, internal database):

• If you determine that a candidate is unlikely to be qualified for future roles or is no longer relevant, then delete their data.
• If you’d like to keep a candidate in your talent pipeline, reach out to them to inform them you are processing their data.

Ensure your software vendors (e.g. ATS) are compliant

• Are your data processors in the EU? If yes, they must comply with the GDPR by default.
• Are your data processors outside of the EU? If they handle personal data of EU residents on your behalf, they must comply with GDPR.

• Ask them to sign data processing agreements that will oblige them to process candidate data according to GDPR requirements.
• Some U.S. companies are part of the Privacy Shield, which provides companies with a framework to comply with EU data protection requirements including GDPR.

• Arrange a meeting with your software providers and ask:

• What they’ve done, or plan to do, to comply with the GDPR.
• How they ensure their own data processors are compliant.
• What tools they offer to help your company remain compliant.
• Whether they have clear privacy policies and ask to review them.

• Check in with vendors after the law goes into effect.

Update your processes to grant candidate requests

• Establish processes to let candidates access their personal data upon request.
• Create processes to delete or rectify data.
• Create a process to let candidates withdraw consent if applicable.
• Communicate all these processes clearly on your website and/or your terms and conditions.

Related: GDPR Readiness Evaluator