The forthcoming General Data Protection Regulation (GDPR) is not just an issue for legal and IT teams; recruiters need to understand where it applies – and where it doesn’t – and act accordingly.
GDPR is the new European Union regulation on data protection which comes into force on 25 May this year. It provides a single set of rules on the use of ‘personal data’. The objectives are to improve trust in the digital economy and to standardise European laws by offering a more consistent legal framework for data protection.
Personal data is broadly defined as information that relates to an identifiable individual: for example their contact details, photograph, computer IP address, bank details, social media posts or health record. It also includes the results of their psychometric assessments. So, for recruiters, this affects how you collect, store, use and share assessment data on job candidates.
Importantly, the GDPR will be strictly enforced. Organisations that fail to comply with the regulation risk fines of €20 million or four per cent of their annual global turnover, whichever is higher.
Impact on recruitment
The GDPR distinguishes between ‘data subjects’ (individuals), ‘data controllers’ (organisations that determine the purpose and use of the personal data) and ‘data processors’ (often third-party companies that process the data on behalf of the data controller). Depending on the contractual agreement, this usually means that a client organisation is the data controller; the candidates are the data subjects and your assessment provider and your Applicant Tracking System provider are data processors.
So not only do you have to guarantee that your own processes are compliant with the GDPR – when you internally process the personal data of job candidates and employees – you must also ensure that your suppliers have the technical and organisational measures in place to collect, process, manage and store personal data appropriately, so that the rights of your candidates are protected.
Specifically, recruiters now need to ensure that processes are in place to:
1. Confirm that a valid legal basis exists for processing and disclosing information: At the point of data collection, you’ll need to explain to candidates how their assessment data will be used and give them confidence that their personal data will be managed and stored securely. The data controller must ensure that only data which is necessary for the specific purpose is collected and processed.
2. Manage candidate queries: Because candidates have the right to know what information is held about them – and the right to have their personal data rectified or deleted – this will inevitably increase the number of candidate queries. Recruiters will therefore need to decide who will answer these requests, how they should be logged and what the flow of information will be. Candidates will typically contact whoever provides support for their application. If they contact your assessment or ATS provider, you’ll need to ensure that those queries are passed to you without delay.
3. Manage the data: Even encrypted data is subject to GDPR. You’ll need to put processes in place to amend or delete candidate data, if necessary. As the data controller, you’re ultimately responsible for amending or deleting data, although your data processor may action this on your behalf. You will need to develop quick and effective responses to data requests, to avoid a high penalty.
4. Conduct talent analytics: Analysing your assessment data to create talent insights that will support your future recruitment and development practices is achievable under GDPR. You’ll need to anonymise your candidate data and ensure that no individuals can be identified from it. The resultant psychometric data is NOT personal data, so GDPR doesn’t apply.
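The anonymisation step above is easy to get wrong: removing names and email addresses is not enough if the remaining fields (age, postcode, role) still single out one person. The following is an added illustration, not code from the article or from any assessment provider. It assumes a hypothetical record layout (the field names `name`, `email`, `ip`, `age`, `postcode`, `role` and two assessment scores are constructed for the example), strips the direct identifiers, generalises the quasi-identifiers into bands, and then refuses to release any group of records smaller than a chosen threshold k, so that every released row is indistinguishable from at least k-1 others. The sample candidates are fictitious.

```python
from collections import Counter

# Constructed sample of candidate assessment records; these are not real people.
# Direct identifiers: name, email, ip. Quasi-identifiers: age, postcode, role.
# The assessment scores are what talent analytics actually needs to keep.
SAMPLE_RECORDS = [
    {"name": "Cand. One",   "email": "one@example.org",   "ip": "203.0.113.5",  "age": 24, "postcode": "SW1A 1AA", "role": "analyst",  "numerical": 61, "verbal": 58},
    {"name": "Cand. Two",   "email": "two@example.org",   "ip": "203.0.113.6",  "age": 27, "postcode": "SW19 8QT", "role": "analyst",  "numerical": 70, "verbal": 65},
    {"name": "Cand. Three", "email": "three@example.org", "ip": "203.0.113.7",  "age": 22, "postcode": "SW3 2BB",  "role": "analyst",  "numerical": 55, "verbal": 72},
    {"name": "Cand. Four",  "email": "four@example.org",  "ip": "203.0.113.8",  "age": 29, "postcode": "SW11 4AA", "role": "analyst",  "numerical": 66, "verbal": 60},
    {"name": "Cand. Five",  "email": "five@example.org",  "ip": "203.0.113.9",  "age": 34, "postcode": "M1 1AE",   "role": "engineer", "numerical": 80, "verbal": 51},
    {"name": "Cand. Six",   "email": "six@example.org",   "ip": "203.0.113.10", "age": 31, "postcode": "M20 2XX",  "role": "engineer", "numerical": 74, "verbal": 49},
    {"name": "Cand. Seven", "email": "seven@example.org", "ip": "203.0.113.11", "age": 38, "postcode": "M4 1AB",   "role": "engineer", "numerical": 77, "verbal": 63},
    {"name": "Cand. Eight", "email": "eight@example.org", "ip": "203.0.113.12", "age": 45, "postcode": "E1 6AN",   "role": "manager",  "numerical": 69, "verbal": 71},
]

# Fields that identify a person directly and must never reach the analytics set.
DIRECT_IDENTIFIERS = ("name", "email", "ip")
# Generalised fields that could still identify someone in combination.
QUASI_IDENTIFIERS = ("age_band", "region", "role")
# Fields that carry the analytic value (assessment results).
SCORE_FIELDS = ("numerical", "verbal")


def age_band(age: int) -> str:
    """Generalise an exact age into a ten-year band, e.g. 24 -> '20-29'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def region(postcode: str) -> str:
    """Generalise a UK-style postcode to its leading letters (the postcode area),
    e.g. 'SW1A 1AA' -> 'SW'. Assumption: postcodes follow the outward/inward layout."""
    outward = postcode.strip().upper().split()[0]
    letters = ""
    for ch in outward:
        if not ch.isalpha():
            break
        letters += ch
    return letters


def anonymise(record: dict) -> dict:
    """Return a new record with direct identifiers dropped and quasi-identifiers generalised."""
    out = {
        "age_band": age_band(record["age"]),
        "region": region(record["postcode"]),
        "role": record["role"],
    }
    for field in SCORE_FIELDS:
        out[field] = record[field]
    # Defensive check: nothing from the direct-identifier list may survive.
    assert not any(f in out for f in DIRECT_IDENTIFIERS)
    return out


def k_anonymity(records: list) -> int:
    """Smallest equivalence class over the quasi-identifiers; 0 for an empty set."""
    if not records:
        return 0
    groups = Counter(tuple(r[f] for f in QUASI_IDENTIFIERS) for r in records)
    return min(groups.values())


def release(records: list, k: int = 3):
    """Anonymise all records and suppress any equivalence class smaller than k.
    Returns (released_records, number_suppressed)."""
    anon = [anonymise(r) for r in records]
    groups = Counter(tuple(r[f] for f in QUASI_IDENTIFIERS) for r in anon)
    released = [r for r in anon if groups[tuple(r[f] for f in QUASI_IDENTIFIERS)] >= k]
    return released, len(anon) - len(released)


if __name__ == "__main__":
    before = [anonymise(r) for r in SAMPLE_RECORDS]
    print("k-anonymity after generalisation only:", k_anonymity(before))
    kept, dropped = release(SAMPLE_RECORDS, k=3)
    print(f"released {len(kept)} records, suppressed {dropped}; k-anonymity now {k_anonymity(kept)}")
```

In the constructed sample, generalisation alone leaves one candidate (the only manager in the E area, aged 40-49) in a group of size one, so the data is not yet anonymous in the sense the article requires; suppressing that row raises the dataset to 3-anonymity. The threshold k and the choice of bands are policy decisions the data controller has to justify, and the same check should be re-run whenever a new export is produced, because adding records can create new singleton groups.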
5. Manage any data security breaches: Your IT team will need to conduct data security audits and put protocols in place to deal with hacking, unauthorised access or disclosure and any other instance that might compromise the integrity or confidentiality of your data. The last thing any candidate wants is for their personality profile, video interview or ability test scores to be made public. In addition to the financial consequences, this could be disastrous for your organisation’s employer brand and reputation. In the event of a security breach, the data controller must be notified as soon as possible so they can assess its severity and report the incident without delay.
6. Train employees: To promote good practice – and mitigate the risks of data breaches and non-compliance with GDPR – every company should provide GDPR awareness and behavioural training. Recruiters will need to ensure that everyone in the team understands their obligations, as well as how and why they need to be vigilant in protecting personal data.
7. Demonstrate best practice: To achieve confidence in your supply chain, choose an assessment provider that is certified to ISO 27001. The International Organization for Standardization (ISO) sets industrial and commercial standards for quality, safety and efficiency. ISO 27001 is the worldwide standard for securely managing sensitive information such as personal records. Certified practitioners will have been thoroughly checked and independently verified.
Good data handling practices are not just essential for confidentiality, they’re also important for transparency and for maintaining your organisation’s reputation. As a recruiter, your challenge is not only to put in place the necessary procedures to meet your own GDPR obligations, you also have to guarantee that your assessment provider and any other data processors have taken the necessary technical and organisational steps to fully comply with this regulation.