Data privacy is a hot topic in recruitment, particularly as GDPR guidance evolves in response to an ever-increasing body of online data.
If you’re recruiting for a client, or hiring candidates for your business, it’s really important to know the basics of data privacy and GDPR, in order to keep your company compliant with UK law and guidelines.
Here you’ll find a complete guide to data privacy and recruitment for the UK market, that gets straight to the point and skips the heavy legal jargon. Take a few minutes to read up, and you’ll be well on your way to making sure the way you hire is as it should be.
All recruiters know it’s important to be wise of GDPR in recruitment practice, but is it the case that we actually know what this means? There are many points of confusion surrounding data privacy, and most hirers assume they know the basics when in fact the regulations can be highly context-specific and continue to evolve over time, particularly in relation to the online data environment.
Don’t be caught out! Data privacy violations are a serious offence, and can impact on the reputation of your recruitment agency or company. A well-informed GDPR recruitment process ensures that the personal data of all parties—both hirer and candidate—are respected, with no cause for concern.
Let’s cover some of the basics of data privacy and recruitment, and build a better understanding of how to practically incorporate this into your hiring process.
All recruiters know it’s important to be wise of GDPR in recruitment practice, but is it the case that we actually know what this means? There are many points of confusion surrounding data privacy, and most hirers assume they know the basics when in fact the regulations can be highly context-specific and continue to evolve over time, particularly in relation to the online data environment.
Don’t be caught out! Data privacy violations are a serious offence, and can impact on the reputation of your recruitment agency or company. A well-informed GDPR recruitment process ensures that the personal data of all parties—both hirer and candidate—are respected, with no cause for concern.
Let’s cover some of the basics of data privacy and recruitment, and build a better understanding of how to practically incorporate this into your hiring process.
What are the regulations surrounding data privacy in the UK?
Cast your mind back to when the internet was in its infancy. It was possible for individuals to unwittingly or purposely share their personal data with companies without their consent, which led to a general misuse of private data by organisations.
As a result the EU introduced stricter guidance surrounding data privacy, called GDPR, which came into effect on May 25, 2018. This acted as the foundation for data privacy law and policy going forward, with the UK adopting their own version of the law post-Brexit.
What is GDPR?
The UK General Data Protection Regulation (GDPR) is the UK’s version of the EU’s GDPR law. It was retained after Brexit and amended by the Data Protection Act 2018. The regulation decrees how personal data is processed by companies operating in the UK.
The regulation is lengthy, and context-specific, but these are the must-know elements of GDPR that all businesses should be aware of:
GDPR gives an overall emphasis on legality and transparency. The processing of data must be done lawfully and fairly, and organisations must be transparent about how data is used and processed.
Data should only be collected for specific purposes, and the minimal amount of data should be collected in order to achieve this purpose.
Data should be accurate, and regularly updated.
Data should be retained only for as long as necessary, before being responsibly and securely deleted.
Data should be collected, used and stored securely, to protect data from unauthorised access, loss or misuse.
Companies should be accountable for the data they process, and should demonstrate their data responsibility.
How does GDPR relate to the recruitment process?
The core thing to know about best GDPR recruitment practice is that agencies and employers should obtain explicit consent from candidates before collecting, processing and/or sharing their personal data. This is usually undertaken in the form of sharing a privacy notice or privacy policy with candidates, before you take their expression of interest any further than the first point of contact.
GDPR for recruitment agencies also involves acknowledging and practicing data privacy legislation at every relevant stage in the hiring process. These include:
Job advertising
An advertisement for a job must make it clear that the data submitted by candidates will be processed and stored in accordance with GDPR regulations. You will need to request some form of contact details from a candidate in order to process an application, so with this in mind you will need to consider how this data will be stored and used in an ethical way.
Processing applications
On receipt of an application you will need to inform the applicant how the data they have provided will be used and stored. You will need to obtain their consent to send an application onwards to an employer or related agency.
A GDPR recruitment consent form may be appropriate to share with a candidate at this stage.
Performing interviews
If the applicant is successfully invited to interview, the recruiter and employer will need to ensure that the data provided in the candidate’s CV, portfolio and other materials, such as references, will be treated in accordance with GDPR regulations.
It’s important to make interview data as anonymous as possible pre-interview, before sharing with other clients or a wider team. Any personal information, such as the gender or personal contact details of the applicant should be removed before sharing with others.
If the interviewer wishes to record or transcribe an interview, they will need to obtain explicit consent from the candidate to do so.
Processing a rejection
If a candidate is rejected for the job role, it must be made clear to them how long their data will be retained by the company and the recruitment agency. If the agency would like to retain the candidate’s details in case of future prospective roles, they must obtain the consent of the individual to do so.
Processing an offer
As part of processing a job offer, you may subject the candidate to a background screening check. You must use a fully compliant background screening service to do so, either gaining consent for performing the check or using a pre-consent public data check like YOONO.
If requesting references, you must inform the reference giver that their personal data will be processed under similar ethical guidelines to the candidate, and share your privacy policy with them.
Responding to complaints
Complaints lodged by the applicant about the company who they are either rejected or accepted by are possible. This may be a complaint relating to the interview process, the recruitment process as a whole or a grievance about the job role or company.
To be compliant with GDPR, all complaints should be treated with sensitivity and remain anonymous. You must make it clear to the complainant how their data and that within the complaint will be treated, and who it will be shared with. You must obtain their consent to proceed with a complaint further.
What can I do to ensure my recruitment process is GDPR compliant?
Although GDPR can be intimidating for recruitment agencies, it needn’t be with these simple guidelines in place:
Gain explicit consent from any applicant, candidate or client. The consent can be given verbally, in writing, via email or through a consent box on your website.
Be transparent about how personal data is gathered, processed and stored.
Stay secure. Avoid data leaks or data going astray by ensuring you have data security measures in place, through sound choice of technical software and organisational measures. This will protect individuals’ data against unauthorised access, loss or disclosure.
Grant access. Under GDPR, individuals have a right to make a data access request to any company holding their data. They can also request corrections or deletions, which you must grant.
Create a privacy policy for your recruitment agency or company, which covers your GDPR policy in full and offers clarity on how data is used within your business. This should be hosted on your website or at least be shared with and easily accessible for any candidate.
Make sure data is anonymised where possible, and certainly when sharing an application with the wider team or a client.
If you use a third-party service for processing or storing data, such as interview recording software, you should check their data privacy policy and ensure that it is compliant with your own.
Your organisation…compliant
Getting in line with GDPR is not only fair for everyone, it’s essential for preserving your business’ legality and wider company reputation. By gaining the data consent of your clients and candidates, you can ensure that you can place individuals into job roles with complete confidence that their data is protected.
We hope this short guide has given you food for thought when it comes to GDPR and data privacy. Keep in mind that even if you run a tight ship within your business, you may be using third-party services that are missing the GDPR mark.
This is particularly important in relation to background screening, during which a high level of personal data is processed. Using a background screening service like YOONO ensures you will remain fully compliant with data privacy regulations, as YOONO processes only already publicly available data.
Try searching on YOONO today and see how compliant background screening can transform the way you hire.