GDPR: How to prepare Candidate Data in Recruitment

May 3rd 2018


The new GDPR (General Data Protection Regulation) laws are set to go into effect on May 25, 2018. These new regulations will play a vital role in how companies collect, manage and store candidate data. It is important for all employers who work with candidates from the EU (European Union) to understand these new rules and how GDPR will affect candidate database management in recruitment.


What Is GDPR?

GDPR, formally referred to as the General Data Protection Regulation, is a regulatory EU law that is designed to protect the personal data and right to privacy of EU citizens. This new law essentially regulates how companies can collect, use, maintain and store EU citizens’ data. With this law in effect, companies must have explicit consent from the person or have a legitimate purpose for collecting, using and storing personal data.

It is crucial for companies to understand that mandatory compliance of the new GDPR regulations is not limited to EU companies. These rules apply to any company, despite its location, that acquires, uses or stores personal data of a citizen of the EU. Businesses found out of compliance risk a hefty fine of “up to 4% of annual global turnover or €20 Million (whichever is greater).”


Who’s Who in GDPR?

In regards to the new GDPR regulations, there are three primary roles involved in the recruitment process.

  • Data Subjects

The data subjects are the candidates whose personal data, such as name, address and contact information, is being collected, reviewed and stored. Data subjects have the right to know that their information is being collected and how long it will be stored. Candidates also have the right to request a copy of their record and to request that their record be permanently removed.

  • Data Controllers

Employers and in-house recruitment teams are the data controllers. They are responsible for determining the purpose for collecting the types of personal information gathers, as well as for protecting the candidate’s personal data and using it within the constraints of the GDPR rules.

  • Data Processors

Data processors consist of recruitment software platforms, such as ATS (Application Tracking System) and recruitment service agencies. Data processors are responsible for processing and maintaining a candidate database and protecting the candidate’s personal data.


How Will GDPR Impact Recruitment?

The new GDPR regulations will have a huge impact on the recruitment industry. No longer will employers or recruiters be able to go to sites like LinkedIn and download resumes to build a candidate pool, without explicit consent from the candidate. Employers and recruiters also cannot store a prospective candidate’s information indefinitely without having a legitimate purpose and/or the candidate’s explicit consent.

Instead, both data controllers (employers) and data processors (recruitment software and services) must be intentional about the information they collect and store. Only information that pertains to recruitment can be collected and that information can only be used for recruitment purposes.

Data controllers and data processors also must provide a way for candidates to update their information if necessary, review their information if requested and have their information permanently removed if asked.

Responsibility for safe and secure storage of the candidates’ personal data also lies with the employers and data processors. GDPR regulations limits how long this data can be stored. In most cases, companies can store the candidates’ information until the position they applied for is filled. Keeping this information for a longer period of time will require explicit consent from the candidate.


How to Handle Candidate Data in ATS

Employers must take steps now to ensure GDPR compliance. Here’s a look at four easy steps to help you maintain a structured candidate database in your ATS and still follow GDPR principles.

1. Filter by Data Source

The easiest way to track the data that you are collecting during the recruitment process is to structure your candidate database by data source. It is important to know what platform or talent pipeline each applicant was sourced from originally. This will help you determine what type of personal information is collected, as well as how long you can maintain each candidate’s records.

2. Update ATS

Now is the time to update your ATS system and service plan. Determine how long the candidates’ information is being stored on this platform. Do you have a legitimate reason for maintaining this information? Who has access to the candidate database Are your storage policies in compliance with GDPR regulations? If necessary make any adjustment to your ATS system to maintain GDPR compliance.

3. Determine Core Purpose

Review what type of candidate information is being collected and make arrangements to remove any personal data that is being collected but not relevant to recruitment. In addition, if you are holding on to candidate data after the original position was filled, determine what your purpose for holding this information is and if that reason meets GDPR regulations.

4. Obtain Written Candidate Consent

Candidate written consent is a vital part of GDPR laws. It is not enough to have an open-ended and vague consent form at the end of your application. In order to adhere to GDPR rules, you must have explicit, written consent from the candidate.

This written consent should let the candidates know why you are collecting their personal data, how long you intended to store their information, how they can request a copy of or make adjustments to their personal records and how they can request to have their personal record be removed in necessary.

With May 25 fast approaching, now is the time for employers to take the necessary steps to ensure GDPR compliance. If you want to know how to still source top talent candidates, while adhering to GDPR regulations, contact Tulsie today.

Written by: Sushila Ramkisoensing

Back to resources index