It’s been three years since the Data Protection Act 2018 came into force.

Nowadays, strong Data Protection practices are part and parcel of our working lives. If you work for a larger organisation, it’s likely you have a Data Protection Officer in post to ensure you continue meeting the requirements of the DPA.

But how often are you reviewing your recruitment processes? It could be time for a Data Protection and Recruitment MOT- and here are our top 3 places to start…


Review your application process

As we all know by now, under the DPA you need to identify your legal basis for processing personal data for recruitment purposes.

Most organisations will have been able to use ‘legitimate interests’, displaying a link to their privacy statement when a candidate applies. Some will have had to go a step further and obtain consent, perhaps providing a checkbox at the point of registration or application.

Now it could be time to revisit your application process:

  • If you’re obtaining consent, is your statement and mechanism clear enough?
  • Is a link to your privacy notice in a prominent enough position?
  • Look and feel is still important. Is the styling of your consent checkbox or privacy statement in line with your branding as a whole?
  • Are you gathering too much personal data at the beginning of your application form – information that could be saved for later in your hiring process?
  • Is your wording plain-speaking enough for candidates and do you make it clear why you’re requesting certain information?
  • Remember ‘Special Category’ data! If you’re capturing sensitive data, you will need to obtain consent from candidates.

Ask your team members to go through the application process themselves to understand if you can make improvements. You could also ask your candidates for their feedback. Were they clear on how, why and where you’re processing their data? Did they feel confident in your adherence to the DPA?


Establish a data subject access request procedure

Under the DPA, if somebody submits a request to access, edit or erase their personal data, you need to be able to respond efficiently, without undue delay and within one month or receipt’ (ICO).

By now, it’s likely you have a well-established data subject access request policy and procedure. But it’s still prudent to review it, particularly from a recruitment data perspective.

  • Do your team all understand their role in actioning candidate data subject requests?
  • Is it simple for a candidate to make a request about their personal data through your website or over email?
  • Once you receive a request, do you know who should action it?
  • Can you easily locate the data a candidate is asking about and tell them what information you’re holding, how long you’ll store it for and why you’re processing it (your legal basis)?
  • Can you amend the candidate’s data based on their request, e.g. to edit, restrict processing or erase?



Keep Data Protection on your team’s radar

Strong Data Protection practices start with your team members. Three years on, colleagues still need to be mindful of how and why they process candidates’ personal data.

You might want to review the following:

  • Do your team members know who your organisation’s Data Protection Officer is (if you have one)?
  • Do your team members know who else they can talk to if they have Data Protection concerns or queries?
  • Is regular Data Protection and Information Security training available for your team?
  • Are team members familiar with Information Security basics? This could include setting strong passwords, keeping a clear desk policy and ensuring anti-virus technologies are up to date. It sounds simple, but these kinds of habits can easily be overlooked!
  • Are your Data Protection policies and procedures, and all relevant documentation, accessible to your people?


What about your Applicant Tracking System?

There’s so much we could talk about when it comes to Data Protection! And we haven’t even touched on the technology…

Keep talking to your ATS provider, and ensure that they remain as familiar with the DPA as you are. Your supplier should be clear on their Data Processor responsibilities and be open to conversations with you if you are keen to enhance your application process, for example, or better improve your data archiving and deletion.

We’re not DPA experts ourselves here at Hireserve, but we are happy to help with any questions around Applicant Tracking Systems and the Data Protection. Why not drop us an email, or give us a call?

And, finally, it wouldn’t be a blog post about the DPA if we didn’t include our legal disclaimer, would it?

Disclaimer: The information in this blog post concerning technical legal or professional subject matter is for guidance only, and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter. And remember, the ICO website has an excellent range of resources and guidance on the Data Protection Act.


Read more

Download the In-house Recruiter’s Guide to the GDPR

Learn more about Hireserve ATS and the Data Protection Act

Meet Beverly, who oversees our Information Security and Data Protection.

About the author

Tristan Potter

From candidate experience to flexible working, and from supporting graduates to ATS reports; Hannah's written it all over the years! Hannah has contributed to publications as diverse as The Guardian, UK Recruiter and University Business. She is also the wordsmith behind our whitepapers and guides, from GDPR to Employee Volunteering.