5 Alarming Ways Your Recruiting Process Is Violating GDPR (Here's Looking at You, California, Too)
Any organization that processes personal information about EU residents must comply with the GDPR, even if it lacks a physical presence within the EU. Ignorance isn't bliss here; overlooking these rules could push you into the quicksand of costly non-compliance.
The General Data Protection Regulation (GDPR) is the EU's data protection law. It sets out rules to protect individuals from having their personal data mishandled or misused. Every business within the GDPR's territorial scope must comply with it, and that includes recruiters.
If you're thinking, “Hey, my recruiting process isn't in the EU, I'm good,” think again.
The GDPR has extraterritorial reach. If you offer jobs to people in the EU and store or process their personal data, the GDPR applies no matter where your company is located. It is the data subject's location, not citizenship, that matters, and the UK has kept an equivalent regime (the UK GDPR) since Brexit. Someone in Germany applies to your job on Indeed? Congratulations, you're within the GDPR's scope. And if you hire in (or have candidates from) California, Australia, Brazil, Canada, India, South Africa and a whole bunch of other places, you'll be up against similar legislation.
While the concept of data privacy has been around for decades, many recruiters are behind the curve when it comes to GDPR compliance. Here are five ways that your hiring practices may be violating these important laws. REMOVE THEM TODAY to create a legally defensible hiring process and protect your company from costly fines and damage to your reputation.
A word about terms in the GDPR. Organizations (not systems) act as controllers or processors. A controller decides why and how personal data is processed; as the hiring employer, that is you. A processor handles data on the controller's behalf and on its documented instructions, which is the usual role of an ATS vendor, and that relationship must be set out in a contract. Both must keep records of their processing activities, and the controller must be able to show what data it holds, where it came from and what it is used for, and must be able to delete it when it is no longer needed or when a candidate exercises the right to erasure.
For most companies, the controller and processor roles are clearly identified both in the contracts and in the ongoing use of the main systems. Where it gets difficult is in secondary systems: email, Google Sheets or Excel files, cell phones and other tools that may hold some or all of a candidate's personal data for legitimate reasons, but where that data is not tracked the way the GDPR requires.
#1: Disconnected Hiring Systems
❌ If you use multiple hiring systems, such as an applicant tracking system (ATS) and a recruitment marketing platform, to manage your talent pipeline, check that each is GDPR compliant and that they talk to each other. Data that flows between disconnected systems can lose integrity, and a deletion in one system may leave copies behind in another. That exposes you to a violation of the candidate's right to erasure (the "right to be forgotten").
✔️ Use a tool like JobSync to ensure that all the tools in your tech stack are integrated from sourcing to hire. Compliance becomes precarious when you export data from System A and upload the spreadsheet into System B: that is how errors creep in and how untracked copies get created. Your goal is to keep the data in one integrated system that is GDPR compliant end-to-end.
#2: Overuse of Email
❌ Email is an easy way to communicate with candidates, but it is dangerous territory for GDPR compliance. An application sent by email contains plenty of personal data, and your inbox quietly becomes a data store for it: you need a lawful basis for holding it there, a defined retention period, and a way to find and delete it when a candidate asks. Does your privacy notice tell candidates how, and for how long, application data is kept?
❌ Features like autocomplete predict the recipient as soon as you start typing a name in the 'To' field. The few seconds you save could be costly if personal data goes to the wrong person by mistake: a misdirected email is a personal data breach, and depending on the risk to the candidate it may have to be reported to the supervisory authority within 72 hours.
✔️ Bypass email and have applications land directly in a secure ATS. That way, all your sensitive candidate information is in one place and you can easily remove their personal data when it’s no longer necessary for you to hold it as part of their job application.
#3: Spreadsheets Galore
❌ It's incredibly tempting to make a spreadsheet to track the status of applicants, but spreadsheets are hard to square with the GDPR. Anyone with access can copy and save the data without anyone else knowing, so spreadsheets offer only limited security and no audit trail. Once the data is out there, you can never be sure who has seen it or how it is being used.
❌ The GDPR's accuracy principle requires that the personal data you hold be accurate, kept up to date where necessary, and corrected when it is wrong. However, studies show that 88 percent of spreadsheets contain significant errors. Do you have a rigorous process for sharing, transferring, modifying, correcting and, most importantly, deleting data so that the spreadsheet stays accurate? If not, you may find it impossible to demonstrate compliance with the GDPR.
✔️ When it comes to GDPR compliance, an ATS is your best pal. It provides the necessary security and transparency as information moves through the system and makes sure that all data is tracked in a single place.
#4: Manual Processes
❌ If you're manually collecting applications, logging them into a system, tracking progress with post-it notes, and asking questions over email, think again! It's nearly impossible to keep up with the GDPR if your processes are paper-based and scattered across multiple sheets, files and systems, or if everyone is doing their own thing. The legislation requires you to be transparent about what data you hold and how you use and process it. Undocumented, unclear manual processes mean it's almost impossible to explain how you handle personal data.
✔️ Automation makes GDPR compliance much easier to manage, especially for time-critical obligations such as subject access requests, which must generally be answered within one month. By digitizing your processes, you'll quickly be able to answer any questions that candidates have about their data.
#5: Conflating Voluntary Questions with Screening Questions
❌ Collecting more data than you need for your purpose breaches the GDPR's data minimisation principle, so avoid collecting candidate data you don't need at that stage of the recruiting process. For example, it's legitimate to ask whether candidates hold a relevant nursing certification in the state of Illinois as part of the job application, since you can justify that data as necessary to identify eligible candidates. But asking "What languages do you speak?" for a role that doesn't require one, or "What's your Social Security Number?" at the application stage, could be seen as unnecessary or excessive.
✔️ Minimize your data collection to the data you actually need to contact the candidate and make a decision at that particular stage of the recruiting process. Be sure to phrase screening questions accurately and ensure they are consistent and necessary for the role in question.
GDPR is a complex subject and you may be worried there's a lot of work to be compliant. Generally, it's going to take an investment in technology to get it done right. Using a quality ATS checks one giant to-do off your list. And a tool like JobSync's talent acquisition automation platform can get your systems singing together and keep all your candidate data in one place. It's an easy way to bake compliance into your hiring process—give us a call and we'll set you up with what you need.