How to comply with GDPR in your recruitment process
A recruitment process for an organization will always involve contact with personal data. But have you ever considered whether your recruitment processes live up to what is required by the General Data Protection (GDPR) in the EU? If not, then keep reading and gain insight into some of the aspects that you need to consider in order to comply with the law and ensure GDPR compliance in your recruitment process.
You may be thinking; ”I would like to obtain a reference from the applicant’s previous place of employment, but am I even allowed to do this?” This is a good question and the answer is not straightforward.
As a starting point, obtaining information from previous or current place of employment must only be done with the consent of the applicant. An organization must not pass on the information that the applicant is applying for a position - unless the person has given his or her consent to do so. Therefore, an applicant’s consent is crucial, if an organization wishes to gather that kind of information during a recruitment.
However, there is nothing wrong with obtaining information that the applicant has made publicly available himself – for instance, on a website. Albeit, the organization must always abide by its duty of disclosure, if it chooses to do so. This means that the applicant has the right to be informed of which information the organization is obtaining and the purpose of this.
Many organizations use personality tests in their recruitment process in order to make sure that the candidate has the right qualities. In situations like these, there is no need to obtain consent since the applicant voluntarily chose to take the test.
However, the results of the test must be regarded as data, which means that the handling of these must comply with the General Data Protection Regulation.
Obtaining criminal records and statements of no previous convictions in respect of children
In connection to a recruitment process, it may be relevant to gain information about an applicant’s criminal offenses. In such cases, it is important for an organization to assess whether it is factual and proportionate to obtain a criminal record. In other words; An organization is only allowed to ask for information regarding an applicant’s criminal offense, if the person is eligible for the position, and if it is considered a relevant aspect to take into account. Thus, it cannot be a demand to attach one’s criminal record when applying for a job.
If the position involves direct contact with children under the age of 15, it will be mandatory for the organization to obtain a statement of no previous convictions in respect of children - however, this must always be done with consent from the applicant.
Information from Social Media
In this era of Social media, you can find a large amount of information online and, contrary to the belief of many, it is okay for an organization to look and process information from Social Media platforms. Although, the duty of disclosure compels the organization to inform the applicant, if this kind of information is being obtained. At the same time, the organization must assess whether it is factual and proportionate to do so.
Applicants who are not hired: Storing of their personal data afterwards
When you are at the end of your recruitment process, you need to consider what to do with the personal information about the non-recruited applicants. If you want to keep the information, due to a possible employment in the future, be sure to get consent from the people in question. If you get consent, it is beneficial to have a fixed deletion deadline on the obtained personal data – because the General Personal Data Regulation requires that you do not store personal data longer than necessary.