On May 25th, all companies within the EU, doing business with EU companies, or with one EU citizen as an employee, must have systems in place to comply with Europe’s new personal data laws. How will this affect recruiters specifically? We asked our senior manager of solutions engagement, and this is what she had to say, in three easy parts.
If you’re an HR professional or a TA Leader, then you know the entire process of hiring and recruiting centers on the ability to evaluate a jobseeker, which includes relying on the personal data they supply for your team to make a hiring decision. This is true whether a job seeker is actively soliciting opportunities or passively open to a discussion. Examples of “personal data” that fall within the purview of the GDPR are names, contact information, resumes, social profiles, work history, education, experience, salary expectations, and even your existing talent pools, pipelines, and applicant databases.
So it goes without saying, GDPR obligations extend to employers and apply to the personal data that is collected, either directly or indirectly, from sourcing efforts and related hiring workflows that make up an employer’s recruitment processes.
At SmartRecruiters, we understand the implications of the GDPR can feel overwhelming. And while we can’t offer you legal advice (because we’re an HR tech company, not a law firm), we can offer some tips to help organize your thinking as you prepare to make GDPR compliance part of your recruiting process:
1 – Think “privacy first”.
The first step is often the simplest – start by reviewing the General Data Protection Regulation to familiarize yourself with the requirements, assess applicability, and identify any gaps or areas of risk relevant to your recruiting data and hiring processes. Understanding the GDPR is crucial for developing and executing a plan to meet compliance objectives. Oftentimes, customers will partner with legal counsel or security/privacy-focused consulting firms at this stage, to navigate the complexity of GDPR requirements, understand obligations and create a plan for readiness. In some situations (as directed by the GDPR) it may be appropriate for an organization to appoint a Data Privacy Officer (DPO) to oversee ongoing compliance efforts and manage data protection risk.
The GDPR introduces us to the principles of “Privacy by Design” and “Privacy by Default,” which serve as a paradigm shift for how organizations think about, approach, implement and manage privacy. In essence, these principles require organizations to take proactive steps for the inclusion of privacy measures at every level of operations and for incorporation into every business process – this marks a shift from the typical control-based approach around data privacy, to a risk-based approach. Success in this endeavor truly requires an organization to adopt a “privacy-first” mindset, and often begins with launching an in-depth inventory of existing business applications, tools, resources, policies, processes, and data, to evaluate risk and potential risk exposure, and then formulate a proactive plan for data privacy measures. Enterprise customers will often work with legal counsel and privacy-focused consultants to facilitate this process given the expansiveness of their operations and systems.
Specific to hiring and recruiting, a good way for employers to get started is by taking inventory of your recruiting process(es). This helps identify areas where proactive privacy measures can be strengthened, and/or embedded into current processes and applications, and/or where privacy measures should be created and implemented to reduce risk and exposure of personal data.
Examples of a “privacy-first” approach as applied to recruiting may include:
- Identifying and labeling the systems used in your HR tech stack (ATS, CRM, HRIS, etc.) to identify risks and gaps between systems and/or for streamlining recruiting data
- Creating a data map specific to your recruiting process that documents both the manual and digital flow of candidates’ personal data (e.g. where sourced, gathered, collected, classified, stored, etc.) for fostering transparent communications with job seekers regarding the use of their personal information
- Identifying any third-party vendors or applications used in your recruiting efforts where data processing agreements may be required
- Noting any associated resources (people and tools) that may access or come into contact with personal data obtained in the recruiting process to implement or strengthen access management policies
Because your hiring process (and your business) is unique, there is no prescriptive template to follow for implementing the principles of Privacy by Design and Privacy by Default. The key is to be able to demonstrate a strategic, ongoing and proactive approach to data privacy across all areas of the organization.