GDPR: that four-letter combination that you might have heard of over the past couple of months, and that will affect most of us. GDPR stands for General Data Protection Regulation, and it will come into force on the 25th of May 2018. The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR, as well as information on the impact it will have on the recruitment business, can be found below. We have also given our thoughts to you, dear reader, on why we think that the GDPR will be a good thing across the whole EU.
On a personal level, this upcoming regulation will force every company that holds any personal information about you to tighten its security and create new protocols for handling that data. From the 25th of May 2018 onwards, all information for which the person hasn’t given his/her permission, or which hasn’t been updated under the new terms, has to be deleted. You have most likely already received numerous emails kindly requesting that you accept new T&Cs. For companies to be able to use your personal data, you will need to give your consent, for example by submitting your application again with your agreement to the new terms. After the 25th of May, when the new regulation comes into force, companies are obligated to comply when you exercise your rights under GDPR:
Every candidate has the right to ask companies to delete and stop processing their personal data. Companies must be able to locate every place where the information is held and delete it within one month of receiving this request.
Every candidate has the right to access their data and ask for it to be rectified. Companies need to comply and be able to show the information that they hold on the candidate. Every candidate has the right to request that companies correct any inaccuracies (rectify). Companies have to grant the request within one month and provide candidates with a free, electronic copy of their own personal data.
Recruitment according to GDPR
Management of personal data will be significantly tightened by the Data Protection Regulation, and of course, it has an impact on the recruitment processes of companies. If you are a recruiter, consider what kind of communication tools you use during the day. I bet that the list will include email, phone, instant messaging, a recruitment information system, an ATS, internal databases, maybe even more. Messages travel within the company as well as to and from jobseekers and third parties, which may include, for example, recruiting and direct search or other possible services.
The biggest challenge from the point of view of recruitment will be clear communication from companies to job seekers and applicants. Many recruiting companies do not even think of themselves as a register holder that maintains personal data, even though the recruiting firm has the responsibility as a controller to communicate as clearly as possible to job seekers how their personal information is utilised. Job seekers also need to consent to the processing, storage and retention of personal data if the data is used in other open locations.
In addition, companies need to pay more attention to the fact that only persons concerned have access to personal data. Nor should it be overlooked that the service providers used by the company must comply with the security regulation.
Limited Access to Information
Who in the company has access to the personal data collected? In this context, personal information means, in addition to the name and address, the interview notes and the information provided by the referrals. For example, the HR coordinator for the recruitment process and the future supervisor of the position to be filled can have access to personal data.
In principle, other company staff can be excluded. Such data limitation requires different access levels in existing information systems. During the recruitment process, it is important to know who the information is about. Log data is also required, so that there is a clear indication of the processing of data.
It may be surprising that the job seeker’s consent to the processing of personal data should always be a proactive choice by the applicant. The job seeker cannot automatically consent to the processing and storage of personal data by submitting an application for a job that is interesting to him. It must always be clear that the job seeker has read the terms and conditions of the register and has consented to them. There is a danger here, particularly for companies that have used e-mail to collect applications: it is difficult to present documentation.
Job seekers’ consent to the processing and storage of personal data does not only mean that the company has communicated the terms of the register to the applicants. The company has the duty and the responsibility to prove what the job seeker has been told when he has given his consent. In addition, it must be possible to demonstrate in what way or in what form the jobseeker has given his consent to the company.
If the company updates its terms and records, this information will be communicated to the persons in the register. If a job seeker asks, the company must provide him with information about which personal data has been stored in the system and, if possible, provide a way to update and delete the data independently.
Sharing and retention of jobseekers’ personal data
The sharing of personal data in recruitment means, for example, sharing a CV or interview notes within a company or forwarding them to third parties. At the same time, personal data is also processed. For example, personal data forwarded via e-mail is difficult to certify as processed under the security regulation. E-mail server security itself is already weak, and when documents containing personal data attached to e-mail are handled extensively, the possibility of errors is great. Data sharing can be facilitated by information systems, where the worry about stray CVs and notes is considerably lower than when using e-mail.
Do you recruit internationally? Attention must be paid to the transfer of data outside the EU / EEA. Transfer of data is only possible if a specific criterion is met. Typically, in such situations, standard contractual clauses approved by the EU Commission have been used as part of a Data Processing Agreement. The company’s registrar needs to know about the outsourcing of data transfers so that they can be forwarded to the registrars if needed.
Have you built up an applicant bank? If your system or email retains old job applications collected on different terms, their retention will be prohibited after May 25. Such information must be deleted or updated with the latest permission. The easiest way to ensure that an applicant bank is up to date is to ask jobseekers to resubmit their application, and at the same time request that they read and accept the new updated terms of the register.
A list for recruiters – to avoid critical pitfalls
1. Check that the information systems in use support the changes introduced by the GDPR regulation. Also, be sure to investigate the security level of your suppliers.
2. Always tell as much as possible, in the job search and on the site, about how personal data is handled and stored. The job seeker must know what information is collected, how it is processed and how long it will be retained. Also mention third parties who might be processing personal data. Tell the job seeker about the possibility of editing and deleting data.
3. Restrict access to personal data from outside the recruitment process.
4. Rethink how personal data is shared; the safest option is through the information system. Avoid emailing! Request permission to retrieve jobseekers for future searches.
5. Check the applicant bank / open applications and bring them in line with the updated terms and conditions.
6. Clear and disable the company email addresses that have been used for receiving job applications, such as recruitment@companyX.com.
7. For international recruitment processes and sharing of personal data outside the EU / EEA, note the other special provisions!
As a recruitment agency, we (Nordic Recruitments Ltd) have taken great responsibility for our candidates and clients since day one. We ensure that within this oncoming regulation, we will use our maximum efforts to comply and handle all your personal data with respect and care. As until this point, and from this day onwards, we shall never share your information with any of our clients or 3rd parties without your acceptance. We do feel a big responsibility and honor towards our work in this field as a recruitment agency. We will also honor your privacy, and we are very grateful for all the connections we have successfully made.