What GDPR means for hiring: Simply explained
9 basic GDPR hiring rules to follow that won’t leave you scratching your head.
GDPR might be complex and hard to deal with, but it's a great step towards protecting everyone's privacy. This includes the privacy of the candidates for your job openings. So where do you start when implementing these regulations in your hiring process? Our privacy officer, Rita dove deep with the help of a GDPR expert to figure this out. What we found out is that it's not as hard as you might think once you get past all the jargon.
In this article, we're sharing what we learned about being GDPR compliant while hiring. We're keeping it simple by giving you concrete examples on how to apply this law to hiring so that you can save time and an unnecessary headache. If you want to know how Homerun can help you be GDPR compliant, check out this article.
Why care about making your hiring process GDPR compliant?
Well besides the fact that it's the law and that it's good practice to value privacy as a company, it could also be quite important for your employer branding. A survey by Cisco shows that from 2,601 respondents worldwide, 32% care about privacy, are willing to act or have done so by switching products or services due to the data-sharing policies of these companies. It's a logical assumption that this large group of mostly young people will care about the data and privacy policies of the company they choose to work for as well.
What does GDPR have to do with hiring?
So, GDPR is a regulation in EU law that affects how you collect and store personal information from EU citizens. When it comes to hiring, this law applies to the personal information you collect from people who apply to jobs at your company (candidates). This includes all of the information in someone's CV, motivation letter as well as any other information you ask in your application process. Are you still with us? Good, then we'll get into the rules.
The rules: Collecting information
- You should always let candidates know what information you're collecting from them. If candidates are applying through an online application form then it's pretty clear what information you're collecting from them. However, it's good to be more explicit about it in a privacy statement. Your privacy statement should be short, understandable, transparent and easily accessible. For inspiration, check out Homerun's Privacy Statement for recruitment. Also, if you have cookies on your career page that track the candidates that are visiting your page, add a cookie consent bar.
- Let them know what you're using their information for and only use it for that. This is as simple as adding a line to your privacy statement along the lines of: "This information will be used for recruitment purposes". If you end up hiring a candidate you'll need to keep their information for their personnel file. This can be solved by adding this to your privacy statement: "We will keep your personal data only for the period necessary to fulfil the purposes of recruitment unless we have to keep it for tax or legal reasons. In practice, this means that if you are hired, the information related to your job application will end up in your personnel file."
- Don't ask candidates for any information that you don't need or that you don't have a good reason to need. For example, if you want to know if a candidate is located in the same area as your office, you don't need to know the exact building and floor they live on. Just ask what city they live in.
- Let candidates know how long you're going to keep their information stored. If you use an online application form, this means you should add a box for candidates to check that says "I agree that my data may be used for recruitment purposes and will be kept for a period of 12 months." Some application software has this built-in. If you're receiving applications over email then make a note in your job opening about how long you will keep the information they send over email.
- Apply these rules also when reaching out to candidates yourself. If you collect information from candidates you found on LinkedIn or another platform, with the intention of sending them a cold message about possibly hiring them, then be sure to let them know you've collected their info, what information you've collected for what purpose and if it's okay for you to keep it for a specific amount of time. This might sound like a weird thing to do, but it's as simple as messaging them something along the lines of "I came across your profile on LinkedIn and I'd really like to add you to our talent pool! This means I'll keep your name and email on file for a year and send you a message when we have a position we think might be a match for you. Would that be alright?" You don't have to do this if you collect their info within the platform that you found their information on. But as soon as you add their information to an internal Excel sheet or your application software for example, then send over this message within 4 weeks.
The rules: Storing information
- Don't keep candidate information indefinitely. GDPR won't let you. You'll have to pick a time frame. 6 months? 3 years? 5 years? You might not want to pick something too far in the future, because when that time has passed, someone has to delete the information. It's pretty hard to predict what the company will look like in 5 years, let alone know where you'll be storing old candidate info. Application software like Homerun is useful, since it has automated deletion when the retention period has passed so that you don't slip up.
- Make sure you delete all candidate information in every place you have it stored. This one is important for those of you hiring over email. Do you save or archive all of your emails? You're going to have to dive into that raging sea that is your inbox and delete all emails that contain candidate information. Do this every so often, before the time has passed for which you asked permission to keep candidate information. This might mean you'll need to organize your email more consistently. You can do this by having a folder for all email interactions with candidates or by using subject lines you can easily search. If you're using application software like Homerun then be sure to delete candidate information from the system if it's not already automated. This is a lot easier than manually deleting emails from your inbox. If you want to save candidate information longer than you've asked permission for, then you need to ask permission again by sending an email, for example. Don't forget to save the emails in which candidates give you permission or use application software that does this for you.
- Candidate information that you have stored should be correct. This is a good reason why you don't want to keep candidate information for too long. All information you keep needs to be accurate according to GDPR. So if a candidate gave you their address and moves away, then that information is no longer accurate. It's unrealistic to take on the responsibility of emailing old candidates to see if their information is still correct, so you're better off deleting the information every 6 months or so.
- Keep candidate information safe. This is all about making sure candidate information doesn't end up in the wrong hands. So make sure your computer and ATS are protected with good passwords or even better, use a password manager. Also if you're printing out CVs, shred them once you're done with them. This is pretty logical security stuff that you probably already do.
That's it! See, isn't it simpler than you thought? Despite it being a complex law, it's definitely doable to hire while being GDPR compliant. After putting in a bit of work to implement all this, you can rest assured that your candidate's info is safe and well protected.
To know more about Homerun's easy-to-use hiring tool can help you be GDPR compliant, have a look here.