The rules around your ability to store and process candidate data are changing, and if your company is not compliant then it may be open to fines of up to £20m or 4% of its annual global turnover. So this could be one of the most important articles you read.
On May 25th 2018, new European laws on data protection are coming into force. This doesn’t just affect companies based in Europe, it affects companies based in non-European countries but who store and/or process data on European citizens. And if you are a British company, then the UK government has stated that these regulations will be enforced regardless of Brexit.
The regulations are collectively known as General Data Protection Regulation, or GDPR. GDPR isn’t about candidate data specifically, it is about ANY data your company stores or processes about any European citizen. However, this article aims to give you an understanding of how it affects recruiters and recruitment software.
In my experience, organisations sit in one of three groups with regard to GDPR:
- GDP what?;
- We’ve heard of it but it doesn’t apply to us because of Brexit;
- We’re aware of and currently planning for it.
Shockingly, the majority of businesses seem to sit in groups 1 and 2, above.
Although in many ways GDPR is similar to current data protection regulations, it is somewhat more stringent in key areas around an individual’s rights to their data, and what is done with it.
At a very high-level, candidates have the right to:
-
- be informed that their details are stored on your system, and for how long;
- consent or otherwise for their data to be stored and/or processed by your system;
- know why you are requesting, storing, and/or processing their information;
- know who will have access to their data (staff, countries, and third-parties);
- access the information that is stored on your system;
- have any incorrect information on your system corrected;
- have their data removed from your system;
- restrict the processing that you do with their data on your system;
- download their information in a standard format;
- be informed of any automated decision making and profiling that your system may do with regards the candidate’s information.
I should clarify one point before continuing: I am not a lawyer. And the GDPR rules do not differentiate between customer data, job seeker data or any other reason for collecting or processing personal data. Therefore, to a degree GDPR could be seen as open to interpretation for different data. However, do you want to take that risk? £20m fine? 4% of global revenue? Me neither, so I’ve written this with a view of identifying how this likely affects us!
That said, you probably have a lot of these covered already, however, it is unlikely that you have everything covered with the new regulations, especially where you may be creating your own talent pools, so let’s look at each of the above points individually.
Be informed that their details are stored on your system, and for how long
When a candidate gives you their information it must be clear to them that you are storing the data. It must also be clear to them how long you will store the data and when you may delete it.
This is less of an issue for candidates that register themselves on your recruitment system, but if you are registering candidates yourself as the recruiter/sourcer without the candidate’s knowledge, then you may soon be breaking the law! You must make sure that the individuals you add to your system know that they have been added, and their details stored.
Consent or otherwise for their data to be stored and/or processed by your system
Consent under the GDPR requires some form of clear affirmative action; silence, pre-ticked boxes, or inactivity does not constitute consent.
Flybe, a leading UK airline, was recently served a fine of £70,000 for breaching current legislation and sending emails to its users without their consent. The irony was that they were sending the email to people in its database to make sure they still have consent from the user. So this penalty may seem harsh!
The candidate must give consent for you to store and process their data. So when a candidate registers, make sure they acknowledge that they are giving you their consent.
This is straightforward for candidates that register themselves on your recruitment system, but what about candidates that your recruiters add themselves? Did those candidates give their consent for you to store and process their data? Can you prove it?
This is perhaps the most complex area of GDPR for direct sourcers who are building up their talent pools. Maybe they found a profile on Linkedin or Facebook, or even searched a job board that the candidate registered on. The candidate hasn’t given you the right to copy their data into your system, even if their profile was on a public website.
And if they registered on a job board that you are now copying their data from, did the candidate give that job board the right to allow other people to copy that data to be stored on another system?
Consent must be verifiable. This means that some form of record must be kept of how and when consent was given. Has the candidate logged in? Can you prove they did? Does your ATS know when a candidate last logged in and can it prove it? (IP address, date and time?)
Individuals have a right to withdraw consent at any time. This doesn’t mean your ATS needs a self-destruct button, but it does mean that candidates should be allowed to request that your organisation forgets them.
Know why you are requesting, storing, and/or processing their information
You must inform candidates on what data you are going to store, and why, regardless of whether the candidate provided the data themselves, the sourcer added it, or whether the data is automatically generated.
The following table from the ICO’s website shows a good summary of what information you should provide candidates with in regard to why you are storing their information and their rights.
Make sure this is all clear in your privacy policy and terms and conditions.
You should also be clear of the need for the data at the time of requesting it from a candidate. For example if you are requesting diversity/equal opportunities information you must state why, and what use you will have for it.
Know who will have access to their data (staff, countries, and third-parties)
You must make it clear to your candidates which countries their data will be made available to, and which third parties will have access to it. Make sure this is in your privacy policy.
If a candidate’s information is going to be shared with any other party then the candidate should be informed about what data before it is shared. As an example, if as part of an application you send a candidate to a third-party assessment tool, then the candidate should be made aware that this is not your company’s system, and what that means to their data.
Access the information that is stored on your system
The candidate must be provided with access to the data that you store about them, whether this was information given to you by them, added by you, or generated by your system.
The DPA previously allowed you to charge candidates if they required you to provide all information about them that is held, GDPR now means that this must be provided for free unless the request can be proved as unfounded, excessive, or repetitive. In any case the fee must only be relevant to the administration costs required to complete the request.
Have any incorrect information on your system corrected
The candidate must be able to correct any incorrect data that you store about them. The candidate doesn’t have to correct the data themselves, but they must have a way to have the data corrected.
Have their data removed from your system
The candidate has the right to be forgotten from your system unless you have a valid reason to keep their data, and you may only keep the data that you need for a valid business reason.
The main reason why a recruiter/ATS can refuse to remove candidate data is to defend against a legal claim, or if it contravenes a specific legal/regulatory requirement.
If you have shared candidate data with a third party then you should also endeavor to inform that third party if a candidate requests you to remove their data.
You also must not keep the data for longer than you need it. Does your ATS automatically remove candidate data if it has not been used for a reasonable amount of time? If not, then ask them about it.
Restrict the processing that you do with their data on your system
Candidates should be able to opt-out of certain types of processing that your system does with their data. The types of processing should be made clear on your privacy policy and the candidate should normally have a means to refuse unless you explicitly state in your conditions of registering that their data will be processed in such ways if they register.
For example, if your system analyses a candidate’s profile to suggest jobs to them, or to recommend the candidate to recruiters for certain jobs then the candidate should be allowed to opt-out, UNLESS you make it an explicit registration condition. However, you will need to be very careful about having explicit conditions of registration, especially if they are non-essential to the purpose of the candidates applying for your jobs and being recruited.
Download their information in a standard format
Candidates must be given the ability to download their data in a standard format so that they can reuse it for their own means. This does not mean that your ATS needs to be compatible with other ATSs but could be more simply achieved by allowing candidates to download a PDF or Word document that contains their information.
Be informed of any automated decision making and profiling that your system may do with regards the candidate’s information
This is an interesting one for an ATS. Do you auto-reject candidates or does your ATS generate profile information (e.g. personality/behavioural etc)? If so, then the candidate should be informed of this, especially if your system will make decisions about a candidate based on this automatic information generation. You should notify the candidate no later than one month after the data has been generated about them, but certainly before the first time that data is used or shared.
Protecting data using encryption
Is a candidate’s identifiable data encrypted in your ATS database? If so then you can probably relax a little more. This means that if your ATS database was breached then it would still be hard for an attacker to retrieve the personal identifiable information about the candidate. This would minimise your risk! While GDPR is not currently explicit as to which encryption method should be used, it is a given that an industry recognised encryption mechanism should be employed to minimise your organisation’s risk. (For the technically minded this would be an absolute minimum of AES-128.)
One thing that you should check now though is whether your ATS URL starts with http or https. If you login to an ATS with http instead of https then stop using it now! I mean, NOW! It is not secure and your candidate data is being shown across the internet!
General
A key requirement of GDPR, and to a large degree previous data protection regulations, is that you must only request and store information that you need, and can demonstrate a legal need for. E.g. are you storing candidate national identification numbers (like national insurance numbers?) when you don’t need to? If so, stop. Now!
You are strongly advised to review your privacy policy and terms and conditions. Make sure your candidates understand what data you need and why you need it, and what you are going to do with it, especially if you are going to share the data with any other party.
Make sure your candidates acknowledge this as part of their registration process.
If you are adding a candidate’s personal information without their knowledge and consent then think again! Make sure their consent has been obtained. If you import them from a job board into your ATS or social media site then you are advised to make sure the job board / social site’s terms and conditions have made it clear to its users that their data may be shared for the purpose you are using it for.
If your ATS does let you create candidate records without their consent, then at the very least make sure the system then informs the candidate they have been added, show who added them, when and why and from what source (job board, Linkedin, other?). And also let the candidate immediately request to be removed! You should also consider encouraging the candidate to acknowledge that they now consent to being in your database.
If you have created a candidate record in your database without the candidate’s consent before May 2018 then you should seek now to get their consent – or remove their data! But do not fall foul of current data protection regulations by emailing the candidates if they have opted-out of such emails – you are better off deleting the data than risking a fine!
To wrap things up, I’ve included a checklist of things to think about and review within your recruitment team and organisation. If you tick an amber box then you’ve definitely got work to do.
This checklist is far from exhaustive for an organisation but will help the recruitment teams identify whether there is work to be done to be compliant.
Are you ready for GDPR? Is GDPR good or bad for recruitment? What are your challenges? Is there anything you think should be added?
Although the regulations are not due to come into force for over a year, you need to be planning for this now.
Disclaimer
Please note that this article should not be seen as a definitive guide and should not be used for legal purposes or for your or your company’s planning and implementation of GDPR compliance. While the author has tried to convey an accurate reflection of GDPR, it is not a definitive guide and the author does not hold any responsibility for any inaccuracies later found. It is the reader’s responsibility to gain professional and qualified legal advice on how your company may be impacted and how you should respond to any obligations.
