GDPR vs. Recruitment
It has been almost 2 months since the General Data Protection Regulation came into force, but there is still some uncertainty in the interpretation of some of the new rules. The recruiting function is based on collecting and processing personal data, so today we would like to figure out what GDPR means for recruitment and the processes around it.
- Can recruiters use personal data collected from different public sources?
- What kind of data can be handled and stored?
- What legal ground should recruiters rely upon?
- What should you say when you’re approaching candidates?
- Can recruiters retain personal data after a candidate has declined an employment opportunity?
These are the questions recruiters should answer by relying on the new regulation.
First of all, it’s important to clarify that GDPR applies to all companies that process the data of European Union residents, no matter whether your company is based in the EU or not.
Then, let’s briefly review the main GDPR subjects from the recruitment perspective:
- Data subject – primarily the candidate whose personal data is being processed
- Data controller – the recruiter/sourcer or person in a related role who determines the purposes and means of the processing of personal data
- Data processor – the service provider that processes personal data on behalf of the recruiting function
And the other important terms:
- Personal data – any information related to the candidate: name, an identification number, location data, an online identifier related to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity
- Processing – any operation performed on personal data, whether or not by automated means: collection, storage, adaptation or alteration, retrieval, use, dissemination or otherwise making available, erasure or destruction, etc.
Practical implications of key GDPR principles in recruitment
It is important to consider how recruiters can deal with the GDPR principles in order to make their hiring GDPR-ready. The review will help you understand the fundamentals of the new law and map the core steps toward adopting the GDPR principles in recruitment.
1. Lawfulness, fairness and transparency
The first and most fundamental GDPR principle states that personal data must be processed lawfully, fairly and in a transparent manner.
What should be done for the processing to be lawful? It is essential to identify a valid legal ground, the so-called lawful basis.
GDPR outlines 6 legal bases. The first one is consent – an indication of the candidate’s wishes by which he or she signifies agreement to the processing of his/her personal data (in the form of the statement or clear affirmative action). This legal basis will not be suitable for sourcing candidates online as you will have to collect too many consents before you actually hire someone. But it would be very useful if you want to retain the resumes of those who failed to proceed to the next stages of the recruitment process. It would be okay to ask: “Can we still hold your data for (some specific period) because we would like to consider you for another position in future?”
Another legal basis is the contract. It is used when the data processing is necessary to fulfil the contract or if you need to take specific steps to enter into the contract. In recruitment, this legal basis can be used when the candidate is considered for the position and you require certain data to complete the contract. For instance, you need to indicate the personal identity number.
The next is legal obligation, when processing is necessary for you to comply with the law. It’s very important to emphasize that your contractual obligations do not supersede the fundamental rights of individuals. You can’t take a contract with another company about the processing of your clients’ personal data and pass that off as a valid legal basis. Legal obligation is usually used as a basis when more specific laws require you to process employees’ data. For example, a former employee asks you to delete his data. Even though individuals have the fundamental right to be forgotten, accountancy law may require you to store the data for a period such as 75 years.
The fourth legal basis is vital interest, when the processing is necessary to protect the data subject’s vital interests. While successful recruitment can feel like a lifesaver, this legal basis is hardly ever used in recruitment; it is typically linked to life-and-death situations.
Next is public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and this task has a clear basis in law. Unless you are performing public functions, there is very little practical use for this basis in recruitment.
The last one is legitimate interest. It applies when the processing is necessary for your legitimate interest or the legitimate interest of a third party, unless the individuals’ rights and freedoms override those legitimate interests. Although this legal basis is often challenged and subject to much speculation, it is the most suitable legal ground for recruiters.
The essential part of the concept is to carry out a balancing test that weighs your interests against the rights and freedoms of the candidates. Obviously, the recruiter’s legitimate interest is to find the best suited candidate, but as with any legal basis for processing, legitimate interest can only be used to the extent that the activity is necessary. The balancing test will help you assess necessity.
To perform it you should, firstly, identify your legitimate interest. Then, you have to assess the necessity by asking such questions as:
- Can the purpose be achieved by other means?
- Can we avoid processing or reduce the number of categories of personal data processed?
Remember that the processing should be consistent with GDPR and your legitimate interest.
Then consider the rights and freedoms of the candidate. Answer the questions:
- Are the interests of the individual corresponding with the purpose of processing?
- Is the processing in the interest of the person whose data it relates to?
- Can the processing be harmful to a data subject?
- Can we ensure that individuals can exercise their rights? (e.g. right to access, right to rectification, right to erasure, right to object, right to portability)
Pay attention to the source you use to collect data, as the interests of individuals may depend on the source in which they left their data. You shouldn’t use private closed groups intended for family and friends; it will be impossible to balance your interest against the data subject’s in this case.
You should also make sure that you can immediately delete data or stop processing if the person objects. Another point to consider is whether you can ensure that individuals can exercise their rights. Do you have the ability to honour the right to access, right to rectification, right to erasure, right to object and right to portability?
The results of the balancing test must be documented and available on demand to the supervisory authority or the data subject.
If you have another processing activity to perform, or you decide to use the information for a purpose other than the one you indicated as your legitimate interest, you’ll need to carry out another balancing test.
Here is the balancing test template prepared by AmazingHiring for you to have a starting point.
When using the legitimate interest as a legal basis, it’s always a matter of how you will be able to advocate your decision and justify your processing.
The second component of the first GDPR principle is fairness. In general, fairness means that you should only handle personal data in a way that people would reasonably expect and never use it in a way that has an unjustified or harmful adverse effect on them.
A fairness test should be part of the balancing test. You should consider how the processing affects the interests of data subjects and how the data is obtained. Can the individual reasonably expect his or her data to be used in this way?
Then we move to transparency. Transparent processing is all about being clear and honest about who you are and how and why you’re using personal data. It’s important to review your privacy notices. They must be easily accessible and easy to understand, written in clear, precise and plain language, so that even a child could understand. Include information about the purposes of processing, retention periods, distribution of the data and, of course, your lawful basis.
How to approach candidates online?
A related and very important topic is how to approach candidates when you have found their data online.
Here are the items you should include in your message for the candidate:
2. Purpose limitation
The second GDPR principle is purpose limitation. The main focus of this principle is that you cannot process data unless you have a valid lawful purpose. Once a purpose is defined, you cannot process data in a way that is incompatible with that original purpose. For instance, if your legitimate interest is strongly linked with recruitment, you cannot use the personal data for other purposes; doing so would mean failing to meet the obligations tied to your legal basis.
As an example, at the beginning of the recruitment process you collect data about educational background, experience, technical stack and so on. These types of data are necessary for your purpose. However, if you later decide to do direct marketing, you don’t need to store information about education; you simply need to erase it.
3. Data minimization
To comply with this principle you should always keep in mind that the data you process must be compatible with your purpose and all unnecessary data must be minimized. Ask yourself: “Do I really need this particular data to reach my purpose?” “Can I justify the data being processed?”
The supervisory authority may ask you to justify why you handle, for example, the identification number, and you’ll need to come up with a valid answer.
Another important element of the minimization principle is getting rid of all data that is no longer needed. If you’ve considered 10 candidates for a particular position and hired one, you must delete the data about the other 9 candidates. You cannot store data just in case.
Introduce minimization routines to find unnecessary data and anonymize or simply erase it. For instance, if you have personal data in your emails after the hiring process is complete, delete the data unless you have consent.
4. Accuracy
This GDPR principle is less relevant for recruitment. It states that the company must ensure the personal data it holds is not incorrect or misleading and, if it is, must take reasonable steps to correct or erase it as soon as possible.
5. Storage limitation
According to the storage limitation principle, you will need to assign a retention period to every category of data you store. Answer these questions: “What principles or criteria do I use to define retention?”, “How am I going to explain why I kept the data for so long?”.
If we return to the example with 10 candidates, when assigning the retention period you’re probably interested in retaining the data about the best candidates in case the chosen one fails during the probation period. In this case, it is a good idea to secure that ability by obtaining consent.
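The minimization and storage limitation steps above (delete the data of candidates who were not hired, keep data only for the period justified per data category, and retain beyond that only with explicit time-limited consent) can be enforced mechanically rather than by hand. The following is an added example written for this article, not code from the original page or from AmazingHiring. The candidate records, the `RETENTION_DAYS` table and the `Candidate` structure are constructed for illustration; the real periods must come from your own documented retention policy. The routine also returns an erasure log, which is the kind of record the accountability principle later in the article asks you to be able to produce.

```python
"""Retention enforcement over candidate records (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed per-category retention periods, counted in days from the day the
# vacancy was closed. Assumption for illustration only: a real policy document
# defines these values and the justification for each.
RETENTION_DAYS = {
    "contact": 30,          # name, e-mail, phone
    "cv": 30,               # education, experience, technical stack
    "interview_notes": 30,
    "identity_number": 0,   # needed only to draw up a contract; never kept for rejected candidates
}


@dataclass
class Candidate:
    candidate_id: str
    status: str                       # "hired", "rejected" or "in_process"
    process_closed: Optional[date]    # day the vacancy was filled or closed; None while open
    data: dict                        # category -> value
    consent_until: Optional[date] = None  # explicit consent to retain, with its expiry date


def apply_retention(candidates, today):
    """Return (surviving records, erasure log).

    Rules implemented:
    - records still in an open process are untouched (still within the recruiting purpose);
    - the hired candidate is untouched here (the employment relationship has its own basis);
    - a rejected candidate with unexpired consent is kept in full until the consent expires;
    - otherwise each data category is erased once its retention period has elapsed,
      and every erasure is logged with its reason so it can be demonstrated later.
    """
    kept, log = [], []
    for c in candidates:
        if c.status == "in_process" or c.process_closed is None:
            kept.append(c)
            continue
        if c.status == "hired":
            kept.append(c)
            continue
        if c.consent_until is not None and c.consent_until >= today:
            kept.append(c)
            continue
        remaining = {}
        for category, value in c.data.items():
            deadline = c.process_closed + timedelta(days=RETENTION_DAYS.get(category, 0))
            if today > deadline:
                log.append((c.candidate_id, category, "retention elapsed, no consent"))
            else:
                remaining[category] = value
        if remaining:
            kept.append(Candidate(c.candidate_id, c.status, c.process_closed,
                                  remaining, c.consent_until))
        else:
            log.append((c.candidate_id, "*record*", "all categories erased"))
    return kept, log


def demo():
    """Run the routine over constructed records; values are invented for the example."""
    closed = date(2018, 6, 1)
    today = date(2018, 7, 20)
    records = [
        Candidate("A", "hired", closed, {"contact": "a@example.org", "identity_number": "X-1"}),
        Candidate("B", "rejected", closed, {"contact": "b@example.org", "cv": "...", "identity_number": "X-2"}),
        Candidate("C", "rejected", closed, {"contact": "c@example.org", "cv": "..."},
                  consent_until=date(2018, 12, 31)),            # consented to be kept for a later role
        Candidate("D", "rejected", closed, {"contact": "d@example.org", "cv": "..."},
                  consent_until=date(2018, 7, 1)),              # consent has already expired
        Candidate("E", "rejected", date(2018, 7, 10), {"contact": "e@example.org", "identity_number": "X-5"}),
        Candidate("F", "in_process", None, {"contact": "f@example.org", "cv": "..."}),
    ]
    return apply_retention(records, today)


if __name__ == "__main__":
    surviving, erasures = demo()
    print("kept:", [c.candidate_id for c in surviving])
    for entry in erasures:
        print("erased:", entry)
```

Running `demo()` keeps A (hired), C (valid consent), E (only the `contact` category, since its 30-day period has not yet elapsed while the zero-day `identity_number` period has) and F (still in process), and logs the erasure of B’s and D’s categories and records. Keeping the reason string next to each erasure is what lets you answer a supervisory authority’s question about why data was, or was not, still held on a given date.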
6. Integrity and confidentiality
This principle requires the controller to apply proper technical and organizational measures to protect the personal data they process. But it’s not as easy as it seems. The GDPR doesn’t define the security measures you should have in place; it requires you to have a level of security that is appropriate to the risk presented by your processing. And it may be very difficult to define what is appropriate.
To do so you need to assess your DISA (Defence Information Security Agency) security risk. Review the personal data you hold and the way you use it in order to assess how valuable, sensitive or confidential it is, as well as the damage or adverse effect that could be caused if the data were compromised.
What is more, the main organizational and technical measures GDPR talks about are related to security awareness. You should identify a person with day-to-day responsibility for information security within your organization. Make sure that person has appropriate resources and authority to do the job effectively. Consider having an effective information security policy so that you outline your security standards and are seen as a company that values and encourages information security.
Pay attention to access control – password protection, password strength and other access management controls. And, of course, ensure online security for your website and the other online services you use. What happens if you outsource part of your processing functions to a third party, for example data processors such as AmazingHiring?
First of all, you need to ensure your processors follow the GDPR requirements. Choose a data processor that provides sufficient guarantees about its security measures. You can ask them directly: “What security measures do you apply?”, “How do you ensure the data is safe?”.
In accordance with Article 28 of the GDPR, you’ll need to enter into a written contract that requires the processor to undertake the same security measures you would have to take if you were doing the processing yourself. Ensure that your contract includes all the information necessary to demonstrate compliance. Article 28 can help you draft the contract.
The last principle is accountability. It states that companies must be able to demonstrate compliance by:
- adopting comprehensive policy documents,
- having processes for handling data subjects’ requests,
- reporting security breaches and keeping records of data processing activities,
- ensuring appropriate information security by design and by default,
- having a strong awareness culture within the organization.
You need to have the documents and the ability to prove that you’re following GDPR, that it’s ingrained in your organization, that you have strong awareness and that you are GDPR compliant.
Summing up the necessary steps towards GDPR ready hiring, you should:
- Identify a proper lawful basis for data processing and justify it
- Prepare comprehensive documentation confirming your GDPR compliance
- Ensure that candidates can exercise their rights
- Handle personal data in a way that people would reasonably expect and never use it in a way that has an unjustified or harmful adverse effect on them
- Be clear and honest about who you are, how and why you’re using personal data
- Modify the way you approach candidates according to the GDPR requirements
- Process data in accordance with a valid lawful purpose
- Process only necessary data
- Collect data only from suitable sources
- Assign the retention period for all the data categories you store and set the necessary processes
- Ensure data security awareness
- Make sure that your processors follow the GDPR requirements
- Be able to demonstrate GDPR compliance
Remember that the new Regulation came into force to ensure that individuals can exercise their rights effectively, not to make companies struggle to collect consents or enter into contracts. With a consistent approach you will be able to make your recruitment processes GDPR compliant without extra effort.
The material is based on the webinar Recruitment vs. GDPR prepared by Amazing Hiring Data Protection Officer.