With the GDPR fast approaching, in-house recruitment and HR professionals need to understand how the new legislation will affect the ways you source, process and store data.

In this post, we’re focusing on what you will need to do to continue building and managing talent pools. Here’s what we know at this stage:

You’ll need to be transparent in your privacy notice

‘Transparency’ is a key principle of the GDPR, and you should keep this in mind when you write your privacy notices.

Your privacy notices must be clear and concise, and must also be easy for candidates to access when they apply for a role with you.

If you intend to store unsuccessful candidates’ data for future roles, you need to be clear about this in your privacy notice. Outline why you’re retaining their data, what information you’re going to store, how you will process it and for how long you intend to store it.

Similarly, if a candidate is registering for a job alert with your organisation, they will need to have access to your privacy notice too. Your privacy notice should include a section which explains the above points specifically in relation to job alerts.

You’ll need to define how long you retain candidates’ data for

‘Storage limitation’ is another key principle of the GDPR. In a nutshell, this means that you can’t keep personal data for longer than is necessary.

In your data-mapping exercise, you should consider what candidate data you are going to store in your talent pools, and how long you will need to keep that data for. Most of us have a tendency towards storing data for as long as possible, ‘just in case’, but think pragmatically about how likely it is you’ll re-engage with candidates in your talent pools after a couple of years.

Once you and your colleagues have completed this assessment, you should document your reasoning for your retention period. This is important to demonstrate compliance with the GDPR, particularly if you are ever audited.

You should also ensure you have clear data retention and data security policies across your department/business.

You’ll need to consider how you manage data going forward

Once you’ve documented how long you’re going to store data for, you should consider how you will manage that practically day-to-day.

Will you set up an auto-delete function after a certain period of time? Can you send automated emails to candidates explaining that you are about to remove them from your database, and if they would like to remain in your talent pools, they should sign up again?

Another consideration is what you’re going to do with your existing candidate data. Our understanding is that one of two things needs to happen.

Either you need to contact all candidates, explain that you are holding their data, include a link to your privacy notice and provide them with a simple way to opt out or object to you retaining their data, or you need to delete existing data and start over.

If you use an Applicant Tracking System, it’s worth talking to your ATS provider about how their technology can support you with processes like this.

You’ll need strong processes in place to manage candidate requests

When the GDPR comes into force next year, data subjects (your candidates in this context) will have wider rights around their personal data.

You will need to ensure that you have clear processes in place to deal with any candidate requests that arise. Some candidates may ask you to update the data you store about them in your talent pools, some may ask to be deleted, and some may simply want to know what kind of data you’re holding.

Again, ask your ATS provider how they can support you in actioning and documenting candidate requests.

It’s also important to focus on team education around candidate rights under the GDPR. If a colleague receives a candidate request to amend or remove their data, they will need to know how quickly they should respond (without ‘undue delay’), how they action that request in your ATS or CRM, and how they can then document or report on the change.

The GDPR is positive…yes really!

Despite the stringent new requirements (which will be introduced into UK law as a new Data Protection Bill), and the scaremongering of fines and sanctions, the GDPR does offer a positive opportunity to many organisations.

In terms of your talent pools, see it as an opportunity to review and cleanse the data you’re currently holding.

You can refocus what you want to achieve with your passive talent management, and it may give your team an opportunity to embrace some new initiatives. What’s more, you can be confident going forward that you’re only retaining relevant and valuable candidate data.

Disclaimer: The information in this blog post concerning technical legal or professional subject matter is for guidance only, and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter.

About the author

Tristan Potter

Tristan has a decade's worth of experience writing content and copy for organisations across Bristol and the Southwest of England. He has written on a diverse range of topics, including technology, philosophy, politics, and recruitment. His writing has appeared in The Drum, HR Grapevine, and The Guardian, among other publications. He joined Hireserve in March 2022.