As we discussed in Part 1, the best way to familiarize yourself with the GDPR is to read it. Then take appropriate steps, preferably with trained legal counsel, to make sure all your systems and data across the entire hiring process have been examined, and changed if necessary, to comply with a privacy-first approach. The next thing you need to do is:
Review and update privacy policy to ensure transparency
The GDPR is explicit in its instructions to Data Controllers that proper notice must be given to Data Subjects for how the Data Controller will use, store, transfer and protect their personal information. Relevant to your recruiting process, the most logical example of where employers might provide notice to job seekers is via a Privacy Policy (which you likely already have in place somewhere).
That said, the GDPR requires your privacy policy to be open, accessible and clearly understandable, and it sets specific notice requirements that employers must satisfy in their privacy policy before any information is gathered from job seekers. For example, with a digital recruiting process, where candidates complete an online application, employers can provide a privacy policy on their career site or as part of the application process. When reviewing and updating your privacy policies, be sure to check them against the GDPR so that the required notices are easily accessible and easy to understand for job seekers of all backgrounds and skill levels.
Under the GDPR, the processing of personal information must be fair, lawful and transparent to be legal. The transparency requirement is often satisfied by providing proper notice to a data subject – e.g. an updated privacy policy that identifies what data is processed, for what purpose it is used, and for how long. For processing to be fair and lawful, Data Controllers need to meet and demonstrate at least one of these conditions:
- Data Subject Consents to Data Processing
- Data Processing is Necessary for Contract Performance
- Data Processing is Part of a Legal Obligation
- Data Processing Protects Vital Interests of Data Subject
- Data Processing in the Public Interest
- Data Processing Necessary for Controller’s Legitimate Interest
While not all conditions are relevant to an organization’s hiring process, the most commonly used condition for justifying whether recruiting data is lawfully obtained is consent – i.e. the applicant consented to the application process and/or consented to be a part of the employer’s recruiting/sourcing activities for future job opportunities.
If you are a company that currently relies, or plans to rely, on the use of consent for conducting your recruiting activities, be sure you can demonstrate express consent and record such consent.
Having said that, consent is merely one of several options an organization may use to justify the lawfulness of its recruiting data. Please refer to the GDPR (Chapter 2: Lawfulness, Article 6 & GDPR Recitals – 40 through 47) for more detail around each of these conditions and their applicability to your operations.
For more information on getting your company ready for GDPR, tune into one of our on-demand webinars:
- GDPR Implications on Recruiting in the US
- GDPR Implications on Recruiting in the UK