Recruiters, do you understand your GDPR obligations?
Since 2018, the general data protection regulation (GDPR) has created important but complex responsibilities for companies that collect data on individuals within the EU.
The reason behind the complexity is the same reason it’s so difficult to find a straight answer on your company’s obligations as a recruiter or hiring manager – there’s no “one size fits all” approach to GDPR.
The best place to start is with the facts, followed by a thorough conversation with your organization’s general counsel to make sure your approach to GDPR is clear and consistent throughout your recruiting and hiring efforts.
Assessing Your GDPR Risk
Fortunately, you don’t have to be an expert on GDPR in order to recruit and hire candidates in the EU. You just have to get a few basic best practices in place for collecting, storing, and using candidate data.
Here are three things you should know about how GDPR applies to the recruiting space that can help guide your conversation with your internal legal counsel:
1 — GDPR applies to recruiters and recruiting agencies targeting EU citizens
If your company operates within the EU or recruits candidates who live in the EU, then you need to have a plan for complying with GDPR. All businesses of any size must comply with GDPR, but if your company has more than 250 employees, you are required to be GDPR-compliant and to designate a data protection officer (DPO) who is an expert in data protection law and procedures.
Under GDPR, all data subjects have the right to request a copy of the data that has been collected about them. They can also request that you correct any inaccuracies in that data, or that you stop processing their data and delete it – and your organization has 30 days to respond to such requests.
2 — GDPR applies to candidate data captured from social media platforms like LinkedIn
In order to capture someone’s contact information from a business card or a social media profile such as LinkedIn, you must have that candidate’s direct consent. The best way to ensure you have a record of this consent is to provide an information notice (also referred to as a privacy notice or fair processing notice). An information notice builds the case for GDPR compliance in the following important ways:
- It outlines the purpose for which the data will be processed.
- It defines the legal basis for processing, such as having a legitimate interest that is not outweighed by the rights and freedoms of the individual.
- It specifies how long the data will be retained.
The easiest way to obtain consent is by using a talent management platform like Lever with built-in and customizable functionality to collect consent from candidates. It can be as simple as a “check box,” or as complex as multiple structured consent fields and an opt-out capability where a candidate can remove their consent within the portal.
3 — It’s up to you to determine how GDPR applies to your organization – and how to stay on top of changes in the law
Compliance with GDPR starts with an accurate assessment of what your company’s risk tolerance is, and only you can decide that. The best place to start is to identify your current standard procedures and work with your general counsel to determine your risk and your tolerance level for that risk.
As companies continue to collect, store, and process data, and as individuals become more aware of their rights regarding their data, GDPR will continue to evolve. The best way to stay on top of changes in this law is to partner with a talent management suite that makes candidate privacy and compliance a top priority, and to regularly consult your general counsel about the best path forward for your unique organization.
Explore Lever’s GDPR Toolbox
GDPR doesn’t need to be difficult to understand. At Lever, we’ve created a host of resources to help you navigate privacy and compliance. Check out our new 5 Common GDPR Questions Answered eBook on our GDPR page for more information.