Looking to revamp your security and data collection policy? The General Data Protection Regulation (GDPR) has changed the game when it comes to data collection. Although these rules apply to EU companies and citizens (and anyone that handles data for EU companies and citizens), their impact is far-reaching and will undoubtedly influence policy-makers the world over. This means it’s probably a good idea to align your security policies with GDPR, just in case.
If you are new to GDPR or want to know more about how it impacts your handling of data for hiring purposes, then you’ve come to the right place. Keep in mind, GDPR as a whole is a very complex legal beast. We’re going to skim the surface for key changes for better data protection of your candidates.
Before we get started, please keep in mind this is not legal advice. This article is to give you a simple heads-up on some of the main changes surrounding data collection for hiring. If you want to be GDPR compliant or otherwise follow the laws for your own region, please consult an actual lawyer.
Collecting with Interest
A big part of GDPR is collecting information with legitimate interest. What does legitimate interest mean, you ask? Essentially, it means that you have a sincere reason for collecting that data. For example, if you collect resumes/data to fill an open position, that’s a legitimate interest. You are interested in collecting and reviewing that data to find someone for your team.
What’s not legitimate interest is collecting resumes just because you want lots of possible candidates to contact. Then, they sit idly collecting digital dust (or real dust if you have physical resumes). GDPR is a protection against data-hoarding, in a sense. This doesn’t mean that you can’t have a talent pool full of great potential people. I’ll discuss more about this in the next section, but it does mean you have to think about why you’re collecting this data.
Sweep Away Old Data
Deleting data is a big part of keeping data safe. It doesn’t get any safer than when it doesn’t exist. As such, GDPR talks a lot about the deletion of data, otherwise known as the right to erasure (Article 17 describes it further). So knowing how you plan on deleting people’s data is a key part of becoming GDPR compliant.
So how does this impact hiring? It impacts it because you can’t hold people’s data forever anymore. You need to not only inform people when you plan on deleting their data, but you have to delete it once it is no longer relevant. If you do want to keep someone’s data for longer than first intended, you have to tell them that.
For example, let’s say that you collect someone’s data to fill a position and you plan on deleting their data after you make your hire. Once that position is filled, you should delete that person’s data. This is because that data is no longer relevant. If you want to keep that person in a talent pool, you can, but you have to reach out to that candidate and tell them you would like to keep their record on file for a specified time period. They then get the option to say “sure, keep me on file until then” or “nah, delete me”.
If a candidate asks you to delete or rectify their data, you must do it. This goes for any point in the hiring process. If someone doesn’t want you to have their data on file, you need to remove it in a timely manner (no longer than a month). Not only is it the nice thing to do, it’s the lawful thing to do (both of which should be sufficient motivators, considering the possible fines).
Generally speaking, you shouldn’t hang on to anyone’s data for over a year. By that time, it’s most likely inaccurate anyway and if you haven’t used it yet, you’re not going to. Declutter your talent pool like Marie Kondo declutters homes. This also applies to data you have already collected and to physical resumes. GDPR impacts any and all of your current talent pools. Make sure to go through them and see if you still need that stellar candidate from 2014 who didn’t quite make the cut. Chances are you can delete a lot of the old data you have. If you do choose to keep some, remember to reach out to let the person know they’re still on file.
Communication is Key
As I said in the beginning, GDPR can be confusing and has many different articles (99 to be exact). While we obviously can’t cover everything in this post, we have gone over some of the bigger things that GDPR changes for recruiting. If you are still unsure about something, please seek professional legal advice.
Hopefully you can now start working towards better data security with a foundational knowledge of GDPR and how we manage data under it.