How GDPR has made hiring tricky for HR

Michael Gentle
Sep 30, 2018

There are suddenly all kinds of consent issues to consider

Remember the days when the only thing you had to worry about when trying to hire someone was whether they were good enough for the job?

Now, as a result of GDPR, there are all kinds of privacy and consent issues to consider, which suddenly makes the hiring process far trickier. You’d think that candidates would not be that hung up about privacy and consent if it meant landing a job at your company. Well, you’d be wrong.

Consider the four most common ways in which a CV can reach you, and it soon becomes apparent that each has its own privacy and consent challenges.

1. The job ad is posted by your company

The candidate submits his CV on your company’s website, and provides consent for the use of his personal data by HR (the controller). This is the easy option, because as a controller, all you’d be subject to are the usual requirements such as adequate organisational and security measures, records of consent, data subject rights and a suitable retention period after which the CV has to be erased.

2. The job ad is published by a recruitment agency on your behalf

Here’s where it gets tricky. The candidate submits her CV on the agency website, and provides consent for the use of her personal data by the recruiter (a processor), who will then pass on suitable CVs to you, the employer (the controller). However, now it’s not just you as the company who is subject to organisational and security measures, records of consent, data subject rights and a suitable retention period — but the agency too. You now have an obligation to ensure that they have all these measures in place.

3. The candidate sends a speculative CV to an employer

This common pre-GDPR practice is no longer allowed, because there is no way to manage consent. What many companies now require is for the manager receiving the CV to either destroy it, or pass it on to HR, who will steer the candidate to the company’s website. Keeping promising CVs on file without consent is not compliant with GDPR.

4. The candidate posts a speculative CV on a job board

Now we’re getting into legal interpretations of legitimate interests. The candidate sends his CV to an agency or posts it online on a job board, in the hope that a potential recruiter will see it. So, implicitly, he is providing consent. However, one could also argue that he doesn’t need to provide consent since there’s a legitimate interest at play. After all, the mutual interest of both the candidate and the agency is to find the person a job. That said, the devil is in the detail; and after reviewing some of the tricky aspects around legitimate interests, it would seem that consent remains the preferred option. The article “Is Legitimate Interest an Appropriate Legal Basis for Recruitment?” explains why.

In conclusion, GDPR does throw up issues of consent that you perhaps never gave thought to as an employer in the old days. However, it’s nothing that cannot be managed through a proper understanding of GDPR, and how it impacts recruitment.

Michael Gentle is the founder of The Balance of Privacy, based in Geneva.

Further Reading

GDPR for Recruitment: the Candidate CV

Is Legitimate Interest an Appropriate Legal Basis for Recruitment?

How does GDPR affect the processing and retention of recruitment data by employers?
