With the General Data Protection Regulation (GDPR) having now been in force for more than 3 years, it is a staple of a lot of the work we do and should be a consideration in every business. This is because non-compliance comes with a hefty fine of up to €20 million or 4% of the organisation’s total worldwide annual turnover, whichever is higher.
This regulation applies to data controllers and processors; therefore, as an employer receiving applications, you fall into both categories.
How Does GDPR Impact Recruitment?
When an employer collects an applicant’s personal data during a recruitment process, whether directly or through an agency, it must provide the applicant with a privacy notice, otherwise known as a fair processing notice.
The notice must detail:
- The purposes of processing the data
- The legal basis for processing
- The period for which the data will be retained
This information could be provided on the company website or as a copy of the notice in correspondence to individual applicants.
Privacy Policy
You should set out policies for how long recruitment data will be retained. The employer should retain only the minimum data required for the purpose of responding to employment tribunal claims if they arise and only until the relevant limitation periods have expired.
If an employer decides to keep details of unsuccessful applicants on file for future recruitment, it must notify candidates of this in the privacy notice. The notice should either obtain consent from the candidate or inform them of their right to object.
The policy should also cover how the employer will deal with unsolicited personal data, including CVs submitted on a speculative basis.
If an employer uses a third-party recruitment agency where the recruiter processes applicant data on their behalf, the recruiter will be the “processor” and will have their own obligations under the GDPR. The employer must also ensure the relationship with the recruiter meets the requirements of the GDPR.
Consent Matters
It is important to remember that consent must be obtained. Companies must implement tracking mechanisms which gather consent, maintain it and prove that consent has been obtained.
You cannot assume that an applicant who sends you their CV is giving you consent. Employers must inform all applicants of their policy and obtain confirmation that this policy is accepted. This is your responsibility as a “data processor”.
To be GDPR compliant, when receiving CVs via email or post, you must contact data subjects and send them a link to your privacy policy. You must be able to readily provide evidence that you have sent your privacy policy and informed the applicants of their rights.
How to Track Recruitment Data
Spreadsheets are the most commonly chosen method of tracking applicant information, although the data within them may not be the most secure. An applicant tracking system is a more secure option.
Candidate Rights
Candidates have the right under GDPR not to be subject to a decision based solely on automated processing (for example, automated shortlisting where candidates without a certain level of qualification are automatically filtered out before being considered by recruiters). Under GDPR, automated decision making can only be used if it is:
- Necessary for entering a contract
- Authorised by law
- Carried out with the candidate’s explicit consent.
Every applicant has the right to be forgotten and should be aware of the length of time data can be stored.
GDPR can be a concern for employers, so please contact us for any help or advice on how to remain legally compliant and we will do our best to put your mind at ease. info@applehr.co.uk