The first impression of your company and your team: a possible applicant sees the ad for a vacant position. This is how proper GDPR actions can streamline the whole process, from submission of the CV to selection, background checks, making an offer and signing the contract.
Understanding GDPR and data protection basics
Experienced recruitment specialists consider privacy and legal requirements an important part of doing their job successfully. They know that:
- GDPR stands for General Data Protection Regulation
- Personal Data or Personally Identifiable Information (PII) is any information that can be related to the applicant. This ranges from name and contact info to education, experience, background check results, assessments etc.
- Planning the data flows in the recruitment process reduces the amount of data needed or collected, which also means less work for the people responsible for successful recruitment projects.
- Sometimes there can be negative feedback or even legal trouble if applicants find the process too troublesome or if there is a loss of data or even a loss of confidentiality.
Implications in Recruitment
Depending on the planned process:
- Add layered notification about the collection and use of personal data / PII.
- Explain the recruitment process and, if necessary, collect consent from the applicant for data collection from third parties. Consent is one tool that can be used in recruitment, but it might not be necessary.
- Understand the data flow and the necessity of each particular set of PII in the process
- Plan the retention and destruction of data after finishing the recruitment project
GDPR topics in Recruitment
- If consents are collected:
  - How to obtain and manage consent from applicants
  - Scope of consents – data collection and authorizing for collection, processing special category data or for wider purposes?
- Privacy Notices
  - When to present privacy notice?
  - Adopt layered approach or make a full statement?
  - How to make it accessible in all relevant channels?
- GDPR assessments
  - Privacy impact assessment if necessary
  - Legitimate interest assessment if applicable
  - Data Protection Impact Assessment (DPIA) if required
- Data Retention
  - Necessity for storing applicant data for failed and successful applicants.
  - Requirements regarding retention
  - Practical actions to ensure retention or deletion
- Data Security
  - Are recruitment flows included in company information security policies and protected by technical means?
  - Basic limitations and actions for ensuring confidentiality
- Employee Training
  - Training HR staff on data protection compliance in recruitment
  - Training service providers who are used for recruitment