Is IT recruitment GDPR compliant?
The General Data Protection Regulation (GDPR) has applied since 25 May 2018. Every organization that collects and processes the personal data of people in the EU must comply with the regulation adopted by the European Parliament and the Council. The goal of GDPR is to strengthen people’s rights to privacy and to the protection of their personal data.
Ensuring GDPR compliance across the whole organization is a demanding task, and especially so for IT recruitment departments, whose core function is to collect and process consultants’ personal data.
We prepared some questions and examples to help you check whether your organization is GDPR compliant.
Please be advised: the information in this post is for general guidance only and is not legal advice.
Let’s start with some basic GDPR questions…
Does GDPR apply to your company?
Yes. The main function of your operation is to process curricula vitae and/or consultants’ data, and that is personal data.
GDPR applies to every organization established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. The test is where the data subject is, not their citizenship: if you are hiring or sourcing people located in the EU, GDPR applies to you.
What is personal data in recruiting?
Most of us think that personal data is limited to a phone number, e-mail address, full name or date of birth. In fact, any piece or combination of data that can be used to identify an individual, directly or indirectly, is personal data and must be handled accordingly. For example, a specific job title, a client’s name and the month in which a project started are often enough to identify an individual on LinkedIn.
Are you aware of the three basic GDPR terms?
There are three basic roles in GDPR that you need to be aware of:
- Consultants, or “data subjects”. The IT consultants who share their personal data and professional experience, in any format, with recruiters and/or companies.
- Your company, the “data controller”. The organization that decides why and how consultants’ personal data is processed. IT recruiters, HR consultants, managers, sales people and so on collect that data on behalf of the company, and the company is responsible for protecting it and for demonstrating compliance, whatever the individual employee’s role.
- Third-party services that process data on your behalf, or “data processors”. Hosted Applicant Tracking Systems, CRM platforms, e-mail providers and other recruitment software or services run by another company, which store or process data subjects’ data on your instructions, are processors. A database you run yourself is simply a tool of the controller and does not turn your own company into a processor. Article 28 requires a written contract with each processor that sets out what it may do with the data.
It follows that every CV stored in your database, systems or other software remains the consultant’s (the data subject’s) personal data, and the consultant keeps their rights over it wherever it sits. When a consultant applies for a specific job offer, they provide their data for that purpose; processing for that application usually rests on taking steps at the consultant’s request before entering a contract, or on the company’s legitimate interest, with consent as the alternative basis. If their CV is then loaded into another system, shared with another company or reused for a different purpose, they must be informed, and where you rely on consent you must obtain it for that new purpose.
In short, the consultant retains control of the CV and the data it contains. Your company may process that data only while it has a lawful basis and only for the purposes it told the consultant about. Even if the CV carries the company’s branding, the personal data within it remains the consultant’s.
How does the GDPR impact your recruitment department?
Your recruiters and hiring teams need to know and respect a few key principles of GDPR:
- A lawful basis and a defined purpose for processing consultant data. GDPR obliges you to collect data only for “specified, explicit and legitimate purposes” and to keep it no longer than necessary for those purposes. In practice: decide the retention period up front (for example, one or two years after the last contact) and tell the consultant. If a consultant is not selected and you want to keep their data beyond the purpose they applied for, ask them, and delete the data if they decline or when the period expires.
- Explicit consent, or another Article 9 condition, for sensitive data. Sensitive data (the “special categories”) is information that could be used to discriminate against the consultant, such as health and disability information, medical records, religion, sexual orientation, political opinions, racial or ethnic origin, trade union membership, and genetic or biometric data. Unless you genuinely need it, do not even save it in your database: handling sensitive data requires explicit consent or another specific legal condition, and a higher level of protection.
- Transparency about processing consultants’ data. Your company must tell consultants how you process their data, where it is stored (in your database or file system), who has access to it, why you are storing it and for how long.
- Accountability. Your company must be able to demonstrate compliance with GDPR. If your employees, partners or software fail to comply, your company remains accountable.
Furthermore, you are obliged to act when consultants exercise their rights under GDPR:
- Right to erasure (“right to be forgotten”). Consultants can ask you to delete their data at any time. Every entry in the database, file system, spreadsheets, mailboxes and backups that holds the consultant’s personal data must be deleted, and you must confirm this within one month of receiving the request (extendable by two further months for complex requests, provided you tell the consultant). The only exceptions are where you are legally required to keep the data or need it to defend a legal claim, in which case you must explain why.
- Right of access. Consultants have the right to ask what data you hold about them, where you got it and how it has been used, and you must reply within one month. For a recruiter this means being able to say, for example, which clients the CV was sent to and which tenders it was included in.
Are you complying with GDPR?
1 – Are you mapping where personal data is being used?
Your company must have a clear view of each data flow, data storage and data processing.
You must be clear about where and how you find and store consultants’ names, contact details, CVs and other identifying information. These questions will help you draw the data flow map:
- Where did we get the consultants’ CVs from, and how did we handle their personal data?
- Do we need all the data we are processing?
- Is all the personal data we store clearly identified as such?
- Where do we store data, and who has access to it?
- How do we share data within our company across processes, functions and departments?
- Do we have processes for sharing, transferring, modifying and deleting data?
- Who is the data protection officer (or the person responsible for data protection)?
2 – Are you telling consultants how you process their data?
Before you collect a CV, the consultant must be told, in plain language, at least the following:
- Why are you collecting the data?
- Where will you store it?
- For how long?
- Who will have access to it?
- What are the consultants’ rights?
- How can consultants withdraw the consent they gave?
3 – Are you handling sourced CVs correctly?
Every time you download a consultant’s PDF profile from LinkedIn, or a CV from another job website, or upload a consultant’s CV into your systems or database, you are storing the consultant’s personal data, so GDPR applies from that moment on.
Keep in mind that you need a lawful basis (your legitimate interest, or the consultant’s consent) to store and process consultants’ personal data, and that you must inform them. Ensure that you:
- Always contact those consultants. Uploading every CV that you find is not lawful under GDPR. Contact the consultant, explain what you hold and why, and obtain consent (or confirm your legitimate interest) before you start processing their data further.
- Contact consultants as soon as possible. When you obtain data from a source other than the consultant (a profile or a job board), Article 14 requires you to give them the privacy information within a reasonable period and at the latest within one month, or at first contact if that comes sooner. Contact them promptly and delete their data if they object.
- Only process the data that you need. Process only the data that will actually be used, and avoid collecting sensitive data at all unless you need it.
- Obtain data lawfully. Gathering data from professional profiles, public websites and CV databases is permitted under GDPR, but “publicly available” does not mean “free to use for anything”. Only where the platform is meant for professional contact (a CV database, or a LinkedIn profile open to recruiters) can you reasonably assume that consultants expect to be approached, and you must still inform them and respect the platform’s terms. You can contact them but, before processing their data further, you need consent or another lawful basis.
4 – Do you ask for renewed consent when a consultant does not get the job?
Sadly, you cannot hire every consultant who applies. Sometimes a hire is simply not possible at the moment, but you may want to keep the data for future positions.
To remain compliant, make sure you do not keep data longer than the period you originally stated. If, for example, you told consultants that you would keep their data for a year after they applied, you do not need to contact them again until that year is about to end; at that point, either delete the data or ask for renewed consent. But if you told them you would keep their data only until a particular position was filled, then once it is filled you must ask for new consent and tell them again what you hold and why you want to keep it.
5 – How do you handle paper CVs?
Online channels are by far the most common way of recruiting, but at job fairs, networking events and the like you may be handed a CV on paper. That CV is personal data just like a PDF. Before typing it into your systems, make sure the consultant knows what you will do with it and, where you rely on consent, record that consent (a signed form is the easiest to demonstrate later).
Never process the data without first contacting the consultant and asking for their consent.
6 – How do you handle your old recruitment processes?
GDPR covers all personal data your company holds, including data collected before it came into force. This means you must review your talent databases, systems, spreadsheets and other files where you store consultants’ data. Personal data for which you have no lawful basis must be deleted; where you want to keep it, contact the consultants, tell them what you hold and ask for fresh consent.
7 – Are your software and processes GDPR compliant?
Make sure that all applications and processes used in your organization support GDPR compliance: they must let you find, export, correct and delete a single consultant’s data on request, and record who accessed it.
Data processors (hosted databases, applicant tracking systems, CRM platforms and so on) have full access to your consultants’ data. This is why GDPR expects you to be certain that your partners protect data at least as well as you do, and why Article 28 requires a data processing agreement with each of them.
Excel spreadsheets, which are still very common in recruiting, expose you to compliance risk: they offer no audit trail, no per-record access control and no version control, and copies tend to spread by e-mail.
8 – Does your organization respect the consultants’ trust and will?
A big part of complying with GDPR is helping consultants exercise their rights. To do so, you must have clear and transparent processes that let the consultant:
- access their data;
- rectify inaccurate data;
- withdraw the consent they gave;
- have their data erased (the right to be forgotten).
GDPR is about transparency, communication, handling data correctly and having a lawful basis, with fresh consent where you rely on it, for each new purpose. If every individual in your organization respects those simple principles, a great part of GDPR is already implemented. Building trust between your company and your consultants leads to stronger relationships and, consequently, to more business and a more respected position in the market.
Sprint CV’s mission is to help IT consultants and IT companies collaborate better and better protect their data. We have implemented a system which simplifies data sharing between consultants and companies, instead of working with CVs in digital formats such as PDF or Docx. We enable data sharing by allowing consultants to share their data with companies in a structured and organized database that keeps the consultant’s data up to date, in real time. Our entire system was built using privacy-by-design techniques to ensure data privacy and consent management.