GDPR resources and guidance
The GDPR came into force on 25th May 2018.
In the run-up to the new legislation, a key area of focus for in-house recruitment teams was (and should continue to be) around transparency and accountability.
On this page you’ll find links to a number of in-house recruitment GDPR resources to help ensure you’re embedding strong Data Protection practices into your hiring processes.
Read on for blog posts, infographics, practical advice and more, including:
Download your GDPR guide
From data-mapping to reviewing your privacy statements – essential GDPR reading.
This guide was create in partnership with international law firm Osborne Clarke, to help in-house recruitment teams and talent acquisition professionals prepare for the General Data Protection Regulation. Download today!
A GDPR-compliant ATS
Technically, an Applicant Tracking System can’t ‘comply’ with any legislation.
However, your recruitment technology should provide you with all the tools you need to meet your Data Controller responsibilities – and therefore you can operate in a manner compliant with the GDPR.
Hireserve ATS provides Data Protection functionality to ensure you can:
- Obtain consent or establish legitimate interests from your candidates
- Add a link to your privacy statement on your application forms and candidate emails
- Set your custom data retention period
- Auto-remove candidates when they exceed your data retention threshold
If you’re preparing to choose a new ATS, make sure GDPR is high on your list of priorities to discuss with a potential provider.
Download your free guide to ATS Selection and turn to pg. 8 for guidance and key questions to as an ATS supplier.
Practical steps to meet your GDPR responsibilities
Undertake a data mapping exercise
A data mapping exercise is the process of identifying, processing and mapping out the data flows of your organisation.
This is a complex process, particularly for organisations with multiple systems and technology platforms in place.
Think about the journey your candidates’ data will take, from the moment it enters your organisation. You should also document what information you collect about candidates at each stage of your recruitment process, and document how your organisation(s) use that data.
As part of your work towards GDPR compliant processes, you will need to define your organisation’s legal bases for processing candidates’ information. You should define and document these legal bases during your data mapping exercise.
Review your privacy notice
As transparency is a key theme of the GDPR, your privacy notice(s) will take on greater significance.
Your privacy notice should be easily accessible to candidates on your careers site and you should use it to very clearly state what personal data you will collect and how you will process it. You also need to include:
- Your organisation’s identity and contact details
- The purposes and legal basis for processing
- Details on other recipients and cross-border transfers
- How long you will store data for
- Your data subjects’ rights
- The existence of any automated decision-making
Additional GDPR resources for your recruitment team
How will the GDPR impact your recruitment activity?
Working with agencies
As a responsible employer, you should make sure the recruitment agencies you work with are GDPR compliant.
It may be sensible to start conversations with agencies on your PSL now, in order to understand how they will adapt their processes in order to adhere to the new regulations.
This approach should also be taken with third parties such as HR & Recruitment technology and service providers
Your candidate communications
If you send emails to candidates, you’ll need to include a clear ‘opt-out’ option at the bottom of each email (you should do this already under the Privacy and Electronic Communications Regulations).
You should consider linking to your privacy notice in every candidate communication too.
You will also need to implement a way for candidates to contact you with requests or complaints about their personal data.
Want to talk through your GDPR needs or concerns?
Please remember: The information on this page concerning technical legal or professional subject matter is for guidance only, and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter.