How to make your hiring process GDPR proof
Six tips from Homerun’s GDPR ready to roll hiring guide
On May 25th the General Data Protection Regulation (GDPR) comes into effect, a very important law to improve the protection of personal data and privacy. At Homerun, we’ve worked really hard to get to know this new GDPR regulation inside out. We’ll share our knowledge with you in this article. In addition, we’ve launched specific, dedicated GDPR features that enable you to make your hiring GDPR compliant. For now, read all about what you should do to make your hiring GDPR proof.
The impact on your hiring process
The GDPR affects any company worldwide that processes personal data from EU residents. So even if you’re planning on hiring just a single person for your company in the coming years, this law will affect you too.
Before you hire someone, you usually collect a lot of personal data from a lot of candidates. Think names, resumes, telephone numbers and dates of birth, all collected without even giving this very personal stuff a second thought. With the GDPR coming into effect, you’ll have to pay very close attention to how you deal with personal data from candidates.
Yes, the GDPR is going to have a big impact on your hiring process, but don’t worry! We’ll help you achieve compliance with the GDPR. First, read these handy tips! Second, if you use Homerun you’ll notice some new, specific features dedicated to helping you adapt your recruitment process to meet the requirements of the GDPR.
(Do you want to know more about the GDPR and everything we do about it at Homerun? Check our GDPR ready to roll hiring guide.)
Note: We’re not lawyers. The following is for general information purposes only and may not be relied upon as legal advice. You should talk to a licensed attorney before relying on any information here.
Six tips to make your hiring process GDPR proof
1. Decide how long your company wants to store candidate data and delete it properly once this period has expired
One of the bigger changes is that you’re no longer allowed to store candidate data indefinitely. You’ll have to decide with your team how long you want to keep candidate data and inform (potential) candidates about this in a privacy statement on your career site.
Make sure to put a workflow in place that fully deletes all data related to a candidate after the agreed period.
2. Actively ask candidates for consent
When someone actively applies to one of your job openings, you could argue that the candidate has given you consent to process their personal data. However, if you really want to make sure you have active consent, add a checkbox to your apply form where you explicitly ask for their consent.
3. Only ask for data you really need
Collect data with a legitimate purpose. The GDPR only allows you to collect data you really need. If you don’t need a candidate’s address, for example, it’s better not to ask for it.
4. Draft a privacy statement for your career site and job posts
Just like your regular website, your career site needs a privacy statement too. In this statement you explain how and why you process the data of your applicants and visitors.
The statement should be short, understandable, transparent and easily accessible. For inspiration, please have a look at our own Privacy Statement.
5. Protect and process all data
Make sure all measures are being taken to protect personal data from candidates. Data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
6. When you source a potential candidate, let them know
Whenever you source a potential candidate (store their personal info), let them know you processed their data, even if that data was publicly obtainable. Tell them who you are, the purpose behind storing their data, where you store the data, how long you intend to keep it, from which source you obtained their personal data and give them the ability to withdraw consent.