GDPR Myths: Busted
We firmly believe the GDPR is a positive opportunity for in-house recruitment & HR teams.
It’s a chance for organisations with exceptional data handling processes to strengthen them further. And it’s an opportunity for organisations that aren’t quite there yet to review and embed more sustainable, secure and fair practices.
But if you venture into the world of Google, you’d be forgiven for thinking a data apocalypse is winging its way towards us. Scaremongering, warnings, misconceptions and miscommunications abound.
To balance the scales, we’re going to tackle three common GDPR myths we’ve encountered recently.
If you are asking candidates for personal data, you must obtain their consent
This isn’t quite right. Under the GDPR, you must choose one of six legal bases for processing personal data. Consent is one of these six options – but it holds no more weight than any of the other five.
For recruitment purposes, legitimate interests may be the most appropriate legal basis for processing potential candidates’ personal data. If you choose legitimate interests as your legal basis, you do not need to obtain consent as well.
Importantly, you cannot choose two legal bases – or swap between the two.
Let’s say you are advised to use consent as your legal basis for recruitment purposes. If a candidate does not give their consent (e.g. by not ticking a checkbox you’ve designed for this purpose) but you still want to process their data, you could not then process it under an alternative basis, such as legitimate interests.
The GDPR shines a renewed focus on transparency, so you must be upfront with candidates about why you are processing their personal data. You should document your legal basis in your privacy statement, which should be easily accessible for candidates when they apply for a role with you.
If you are using consent as your legal basis, remember that it must be freely given. This means no pre-checked tick boxes or ‘implied consent’.
Note: Public sector organisations have different conditions under the GDPR and may not be able to rely on legitimate interests as their legal basis. Talk to your GDPR advisor or legal professional for more information about this.
If you’re asking for ‘Special Category’ data, you just need to obtain consent
This is false. The key thing when you’re collecting special category data is that you need to obtain explicit consent from your candidates.
The ICO defines explicit consent as: ‘Explicit consent must be expressly confirmed in words, rather than by any other positive action. Therefore, even if it is obvious from an individual’s actions that they consent to the processing of their personal data in a particular way, this cannot be “explicit consent” unless it is also expressly confirmed in words.’ – Letter from the Information Commissioner, March 2017
We are still awaiting final guidance from the ICO about consent.
Ahead of the GDPR, you may want to consider whether you really need to obtain special category data during your recruitment process. If you do need to, there are additional conditions of processing you must consider.
You cannot store candidates’ data in talent pools
This is false. The GDPR does not stop you from retaining candidates’ personal data, nor does it set a time limit for you to do so.
Instead, the onus is on the data controller (you) to assess what is a reasonable period of time for you to store a candidate in your ATS or CRM.
To do this, you should undertake a data retention assessment, where you clearly document what the purpose is behind you storing candidates’ personal data for ‘X’ amount of time, and how you are balancing the benefit to your organisation with the candidates’ rights and freedoms.
With the focus on transparency, you must also be clear with candidates about how long you will store their data, why you’re retaining it and where/how. You should include this detail in your privacy statement.
Remember, under the GDPR your candidates have widened rights and can ask for the data you hold about them to be amended or erased, amongst other things. You should make sure you have a clear process in place to action candidate requests like these, as you need to respond without undue delay.
The internet is heaving with news of huge fines, deleting entire databases and consent being king.
Hopefully we’ve assuaged some concerns by busting three common GDPR myths.
In the run-up to GDPR, in-house recruitment & HR teams will undoubtedly have concerns that they won’t be ready in time for the new legislation arriving in May.
Yes, it may take time for processes to be firmly embedded into organisations. It will take time for understanding to reach every corner of a department, and for good data practices to become second nature. And it’s unlikely that every in-house recruitment & HR team will be ‘GDPR compliant’ at 00:01 on 25th May.
But if you are able to demonstrate that you are striving to embed principles of fairness, accountability and transparency in your hiring processes by then – and that you’re rising to the challenge and opportunity of GDPR and are putting candidates’ rights, freedoms and security at the heart of your data processing – you should be able to face the impending legislation without fear.
Find out more
5 Questions to ask your ATS provider about GDPR
Download your in-house recruiter’s guide to GDPR
Hear from Bev, our Head of People, about her take on GDPR
Disclaimer: The information in this blog post concerning technical legal or professional subject matter is for guidance only, and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter.