How GDPR has made hiring tricky for HR

Michael Gentle
Sep 30, 2018

There are suddenly all kinds of consent issues to consider


Remember the days when the only thing you had to worry about when trying to hire someone was whether they were good enough for the job?

Now, as a result of GDPR, there are all kinds of privacy and consent issues to consider, and it suddenly makes the hiring process far more tricky. You’d think that candidates would not be that hung up about privacy and consent if it meant landing a job at your company. Well, you’d be wrong.

Consider the four most common ways in which a CV can reach you, and it soon becomes apparent that each has its own privacy and consent challenges.

1. The job ad is posted by your company

The candidate submits his CV on your company’s website, and provides consent for the use of his personal data by HR (the controller). This is the easy option, because as a controller, all you’d be subject to are the usual requirements such as adequate organisational and security measures, records of consent, data subject rights and a suitable retention period after which the CV has to be erased.

2. The job ad is published by a recruitment agency on your behalf

Here’s where it gets tricky. The candidate submits her CV on the agency website, and provides consent for the use of her personal data by the recruiter (a processor), who will then pass on suitable CVs to you, the employer (the controller). However, now it’s not just you as the company who is subject to organisational and security measures, records of consent, data subject rights and a suitable retention period — but the agency too. You now have an obligation to ensure that they have all these measures in place.

3. The candidate sends a speculative CV to an employer

This common pre-GDPR practice is no longer allowed, because there is no way to manage consent. What many companies now require is for the manager receiving the CV to either destroy it, or pass it on to HR, who will steer the candidate to the company’s website. Keeping promising CVs on file without consent is not compliant with GDPR.

4. The candidate posts a speculative CV on a job board

Now we’re getting into legal interpretations of legitimate interests. The candidate sends his CV to an agency or posts it online on a job board, in the hope that a potential recruiter will see it. So, implicitly, he is providing consent. However, one could also argue that he doesn’t need to provide consent since there’s a legitimate interest at play. After all, the mutual interest of both the candidate and the agency is to find the person a job. That said, the devil is in the detail; and after reviewing some of the tricky aspects around legitimate interests, it would seem that consent remains the preferred option. The article “Is Legitimate Interest an Appropriate Legal Basis for Recruitment?” explains why.

In conclusion, GDPR does throw up issues of consent that you perhaps never gave thought to as an employer in the old days. However, it’s nothing that cannot be managed through a proper understanding of GDPR, and how it impacts recruitment.

Michael Gentle is the founder of The Balance of Privacy, based in Geneva.

Further Reading

GDPR for Recruitment: the Candidate CV

Is Legitimate Interest an Appropriate Legal Basis for Recruitment?

How does GDPR affect the processing and retention of recruitment data by employers?

The Balance of Privacy

Data privacy is the new normal
