As we discussed in Part 1, the best way to familiarize yourself with the GDPR is to read it. Then take appropriate steps, preferably with trained legal counsel, to make sure all your systems and data across the entire hiring process have been examined, and changed if necessary, to comply with a privacy-first approach. The next thing you need to do is:
- Data Subject Consents to Data Processing
- Data Processing is Necessary for Contract Performance
- Data Processing is Part of a Legal Obligation
- Data Processing Protects Vital Interests of Data Subject
- Data Processing in the Public Interest
- Data Processing Necessary for Controller’s Legitimate Interest
While not all conditions are relevant to an organization’s hiring process, the condition most commonly used to justify that recruiting data is lawfully obtained is consent – i.e., the applicant consented to the application process and/or consented to be a part of the employer’s recruiting/sourcing activities for future job opportunities.
If you are a company that currently relies, or plans to rely, on the use of consent for conducting your recruiting activities, be sure you can demonstrate express consent and record such consent.
Having said that, consent is merely one of several options an organization may use to justify the lawfulness of its recruiting data. Please refer to the GDPR (Chapter 2: Lawfulness, Article 6, and GDPR Recitals 40 through 47) for more detail on each of these conditions and their applicability to your operations.