What is the GDPR and what do you need to know about it? In a nutshell, this regulation sets out when and how organizations may “process” personal data of people in the European Union. In GDPR terms, processing is any operation on that data: collecting it, storing it, reading it, sharing it and deleting it. Whether you’re expanding to locations in the EU, opening up roles to distributed employees who can work from anywhere or just want to be extra responsible about the way you manage candidate data, it’s important to understand the basics of the GDPR and what it means for your work as a talent acquisition professional.
In this post, we’ll cover a quick overview of the regulation, outline a few scenarios for you to consider and make some recommendations to help you plan how to keep your hiring process GDPR compliant. Please note that the advice we’re sharing here is intended to be general and you’ll definitely need to work with your legal team to discuss the specifics of your company.
What is the GDPR?
Adopted by the European Parliament in April 2016 and in force since 25 May 2018, the General Data Protection Regulation (GDPR) requires organizations to protect the personal data and privacy of individuals in the European Union. Personal data is any information relating to an identified or identifiable person, including names, email addresses, online identifiers and even IP addresses.
The GDPR protects individuals who are in the EU, whatever their citizenship. Whether or not your organization is located within the European Union, the GDPR applies to you if you process personal data in connection with an establishment in the EU, or if you process the personal data of people in the EU when offering them goods or services (a job opening can count) or monitoring their behaviour (Article 3).
To put it in simple terms: if you’re gathering personal data from people in the EU, you need a lawful basis under the GDPR to hold it, you may only use it for the purpose you collected it for, and you must delete it when that basis no longer exists.
What does the GDPR mean for talent acquisition teams?
According to Article 6 of the GDPR, there are several legal bases you can use to justify your need to process personal data. Here’s the actual text from the law:
Processing shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Each legal basis is a valid basis in and of itself under which a company can process personal data under the GDPR. Since the GDPR was intended to cover all types of data collection (not just within HR), the enumerated legal bases are applicable to a broad range of scenarios. In the talent acquisition space, where companies are collecting personal data from candidates with whom no employment contract exists, the two bases most companies rely on are legitimate interest and consent. (The pre-contractual limb of Article 6(1)(b), steps taken at the candidate’s request before entering into a contract, can also apply to an active application, and local employment law may impose its own obligations; discuss both with your legal team.) Let’s look at each of the two common bases more closely within the recruiting context.
Most Greenhouse customers have taken the position that companies that are hiring have a legitimate interest in collecting personal data (resumes and other application materials) from candidates. This is true even for candidates for whom there is not yet a specific role in mind, and is GDPR compliant as long as the data will be deleted when there is no longer a legitimate interest in retaining it. Relying on legitimate interest is not free of obligations, though: you should document the balancing test that weighs your interest against the candidate’s rights, tell candidates in your privacy notice that this is the basis you rely on, and honour their right to object to the processing (Article 21).
If you opt to rely on consent as your legal basis under the GDPR, be aware that you’ll be placing many obligations on your team to get explicit approval from candidates any time you’d like to use their data – to consider them for a role other than the one they applied for or add them to your talent network, for example. Consent must be freely given, specific, informed and unambiguous, and candidates can withdraw it at any time (Article 7); once they do, you must stop processing their data unless another lawful basis applies.
What are some recruiting situations that may give rise to GDPR concerns?
Here are a few common scenarios related to the processing of personal data of prospects and candidates with questions to discuss with your legal team as you consider how to best comply with the GDPR.
Scenario: You have people who are already in your system, such as current prospects, applicants and members of your talent community.
Questions to ask: If you are using legitimate interest as your legal basis, what is your timeline for continuing to process their data? What steps will you take when that timeline ends? If you are using consent as your legal basis, do you have their consent to consider them for other roles or to add them to your talent community? What steps will you take to obtain their consent? What actions will you take based on their response?
Scenario: You receive an inbound application from a candidate.
Questions to ask: If you are using legitimate interest as your legal basis, what is the timeline for how long you’ll continue to process their data if they’re not hired? What steps will you take when that timeline ends? If you are using consent as your legal basis, do you have their consent to consider them for other roles or to add them to your talent community? What steps will you take to obtain their consent? What actions will you take based on their response?
Scenario: You receive a referral from one of your employees.
Questions to ask: If you are using legitimate interest as your legal basis, have you determined how long you’ll continue to process their data? What steps will you take when that timeline ends? If you are using consent as your legal basis, how will you ask them for consent and what steps will you take based on their response?
Scenario: You’re sourcing passive candidates through an external source such as LinkedIn.
Questions to ask: If you are using legitimate interest as your legal basis, how will you communicate this to prospects? How long will you continue to process their data? If you are using consent as your legal basis, how will you ask them for consent and what steps will you take based on their response?
Your essential GDPR compliance checklist
Now that we’ve covered the basics of the GDPR and how it applies to talent acquisition, let’s explore the steps that can help you stay compliant. Keep in mind that this is not a project for you to undertake alone – you’ll want to work closely with your legal team as you go through these activities.
Start with the basics
Here are some helpful steps to review.
- Map out all the situations where you collect data from candidates and prospects – inbound applications, sourcing on LinkedIn, employee referrals, job fairs, etc. Outline how long this data is currently stored and any processes you have for updating or deleting it.
- Work with your legal team to define which legal basis you’ll be relying upon (this will most likely be legitimate interest or consent).
- If you opt for legitimate interest, establish how long you can store prospect and candidate data. Will you use different timelines for different roles or the same timeline for all candidates? Will you use a different timeline for especially promising “silver medalist” candidates or other prospects?
- If you opt for consent, determine all the scenarios where you’ll need to request it and what steps you’ll take based on the responses you receive. We briefly covered some common scenarios in the previous section, but be sure to be thorough here. Do you ever collect resumes outside your ATS? What happens when you meet someone at a job fair or other in-person event?
Define your processes
Spend time drafting your company’s position on data collection as well as the tools and internal policies that will help you uphold it. Questions to consider:
- What tools will you use to keep track of candidate data and how will you set them up to be in line with your policies? For example, your ATS may allow you to set an expiration date when you first collect a prospect or candidate’s information. Who will be responsible for setting the timeline and ensuring the ATS is configured properly to do this?
- How will someone notify you if they want to access their data or have it removed from your system? Will the request route to one mailbox, a form or a feature of your ATS?
- Who will be responsible for carrying out these requests, and how will you verify that the requester is the candidate in question?
- How long will you have to fulfill them? The GDPR allows one month from receipt, extendable by two further months for complex or numerous requests provided you tell the candidate within the first month (Article 12(3)), so your process needs a tracked deadline for every request.
- Create your company’s GDPR notice for recruiting, which you are required to provide to all EU prospects and candidates. When you collect the data from the candidate directly (an inbound application, for example), Article 13 requires the notice at the time of collection. When you obtain the data from someone else (a referral, a sourcing tool, a public profile), Article 14 applies and the notice must be provided within a reasonable period, at the latest within one month or at your first contact with the person, whichever comes first. The specific information that must be included is set forth in Articles 13 and 14 and includes:
- Your company’s name and contact details (and those of your data protection officer, if you have one)
- The reason you are collecting the personal data and the legal basis upon which you are relying to process it (if you rely on legitimate interest, what that interest is)
- A description of the types of information you’ll collect about candidates and, for data you did not collect from them directly, where it came from
- Who you’ll share the information with, and whether the personal data will be transferred outside of the EU
- How long you’ll store the data, or the criteria you use to decide that
- What you’re doing to protect the data, and how candidates can exercise their rights: access, rectification, erasure, restriction, data portability, objection, withdrawal of consent where consent is the basis, and lodging a complaint with a supervisory authority
- Decide when and where you will share the GDPR notice with prospects and candidates. Outline how this may vary in different scenarios (for example, for inbound applicants vs. referrals or sourced prospects).
- Do you use any third-party vendors to process candidate data (an ATS, assessment tools, background-check providers, sourcing tools)? Under the GDPR these vendors are processors acting on your behalf, and Article 28 requires a written contract (a data processing agreement) with each one that sets out what they may do with the data. List each of these companies, confirm you have that agreement in place, ask where they store and transfer the data and learn what they’re doing to remain GDPR compliant; you remain responsible for candidate data they hold for you.
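To make the retention and request-handling questions in this checklist concrete, here is an added example of the kind of scheduled sweep an internal job could run over candidate records. It is not Greenhouse code and is not tied to any real ATS or its API; the record fields, the retention windows per legal basis and the sample candidates are all assumptions made for the illustration, and the real timelines are whatever you and your legal team decide. What it shows is that the retention deadline is not one number: it depends on the legal basis, it collapses to “now” when consent is withdrawn or an objection is upheld, an erasure request has its own statutory clock, and a legal hold must route a record to a person rather than to automatic deletion.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention windows per legal basis, in days after the candidate's last activity.
# These numbers are assumptions for the example, not a recommendation.
RETENTION_DAYS = {
    "legitimate_interest": 365,
    "consent": 730,
}

# Article 12(3): a data-subject request must be answered within one month of receipt.
DSAR_RESPONSE_DAYS = 30


@dataclass
class CandidateRecord:
    """Minimal hypothetical candidate record; field names are assumptions."""
    candidate_id: str
    legal_basis: str                           # "legitimate_interest" or "consent"
    last_activity_on: date                     # last application, interview or contact
    basis_ended_on: Optional[date] = None      # consent withdrawn, or objection upheld
    erasure_requested_on: Optional[date] = None
    legal_hold: bool = False                   # e.g. pending dispute: never auto-deleted


def retention_deadline(rec: CandidateRecord) -> date:
    """Date by which the record should be gone, ignoring any legal hold."""
    if rec.legal_basis not in RETENTION_DAYS:
        # Fail loudly: a record with no recognised basis should never be kept silently.
        raise ValueError(f"unknown legal basis {rec.legal_basis!r} for {rec.candidate_id}")
    deadline = rec.last_activity_on + timedelta(days=RETENTION_DAYS[rec.legal_basis])
    if rec.basis_ended_on is not None:
        # The basis stopped existing on that day; the timeline no longer matters.
        deadline = min(deadline, rec.basis_ended_on)
    if rec.erasure_requested_on is not None:
        # Statutory outer limit for acting on the request.
        deadline = min(deadline, rec.erasure_requested_on + timedelta(days=DSAR_RESPONSE_DAYS))
    return deadline


def sweep(records: List[CandidateRecord], today: date) -> Dict[str, List[str]]:
    """Classify each record as erase, keep or review (manual decision needed)."""
    result: Dict[str, List[str]] = {"erase": [], "keep": [], "review": []}
    for rec in records:
        if rec.legal_hold:
            result["review"].append(rec.candidate_id)
        elif rec.erasure_requested_on is not None or today >= retention_deadline(rec):
            # An erasure request is actioned straight away, not on the last legal day.
            result["erase"].append(rec.candidate_id)
        else:
            result["keep"].append(rec.candidate_id)
    return result


def overdue_requests(records: List[CandidateRecord], today: date) -> List[str]:
    """Erasure requests still open past the one-month window (an escalation list)."""
    limit = timedelta(days=DSAR_RESPONSE_DAYS)
    return [
        r.candidate_id for r in records
        if r.erasure_requested_on is not None and not r.legal_hold
        and today > r.erasure_requested_on + limit
    ]


# Constructed sample data for the example (not real candidates).
TODAY = date(2024, 3, 1)
SAMPLE_RECORDS = [
    CandidateRecord("c-001", "legitimate_interest", date(2023, 1, 10)),
    CandidateRecord("c-002", "consent", date(2023, 6, 1)),
    CandidateRecord("c-003", "consent", date(2023, 6, 1), basis_ended_on=date(2024, 2, 15)),
    CandidateRecord("c-004", "legitimate_interest", date(2024, 1, 1),
                    erasure_requested_on=date(2024, 1, 20)),
    CandidateRecord("c-005", "legitimate_interest", date(2022, 1, 1), legal_hold=True),
]

if __name__ == "__main__":
    for bucket, ids in sweep(SAMPLE_RECORDS, TODAY).items():
        print(f"{bucket}: {ids}")
    print("overdue erasure requests:", overdue_requests(SAMPLE_RECORDS, TODAY))
```

Two design choices matter here. First, the sweep only ever produces a list of decisions; the actual deletion (and the entry in your deletion log) should be a separate, audited step, so that a bug in the policy cannot silently destroy records. Second, the unknown-basis case raises instead of defaulting to “keep”, because a record with no documented lawful basis is exactly the one the checklist above is meant to surface.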
Many thanks to Greenhouse’s Head of Legal Kate Hooker for providing her insights for this post. As our Head of Legal, Kate also wanted to remind you that this blog post is written for informational purposes and not intended as legal advice. To ensure your company and talent acquisition practices are fully GDPR compliant, be sure to consult with your lawyer or legal team.
Learn more here
Learn more about Greenhouse’s stance on GDPR and how our features can help you remain compliant.