GDPR and Recruitment: How Does GDPR Influence Recruitment Process?
Data protection in recruitment has always been taken seriously, as the breach of employee data protection policy is an integral part of any corporate protocol. However, the introduction of GDPR changed the subject completely by offering an entirely different perspective on the data flows in companies. Thus, making recruitment GDPR-compliant requires much more than a simple change of some policy. GDPR makes a great impact on of it requires a broader cultural change in companies based on awareness of data sensitivity and the importance of keeping it intact.
Recruitment and GDPR are very closely tied since HR managers handle large volumes of candidate data during the hiring and firing processes. Therefore, they face the need to manage increasingly large volumes of personal data that often remains dramatically unprotected. What could be previously tolerated to a certain degree is now illegal; hence, not to breach the laws of data protection in recruitment and to avoid litigation on these grounds, companies now struggle to adapt to the GDPR-induced changes.
What is GDPR?
The General Data Protection Regulation (GDPR, or recruitment GDPR) was introduced in May 2018 as a mandatory EU regulation for the enforcement and unification of employee data protection policies. In simple words, it is a set of new rules regulating data privacy of the EU citizens, and at the heart of these rules lies the principle that using “data subject’s” personal data without their permission is severely punished.
To be able to apply recruitment GDPR properly, you need to understand such concepts as “personal data,” “data controller,” and “data processor.”
When we speak of personal data covered by the GDPR, this includes any personally identifying information like a personal name, a photo, an email address, or even the person’s posts in social networks. Other examples of personal data covered by recruitment GDPR include his/her banking details, details of the medical record, and even the computer IP address. Thus, under GDPR, all data subjects (that is, EU citizens) have data rights such as breach notification, right to access, right to be forgotten, data portability, and privacy by design.
Data controllers under the GDPR are entities authorized to determine the purposes, conditions, and means of personal data processing. In other words, a controller is a person or business organization able to use personal data for specific purposes in compliance with GDPR.
Data processors are entities that hold personal data on behalf of the controllers. Thus, a processor is a recruiting firm holding a database of candidate resumes or the company employing staff and storing their personal records.
GDPR and Recruitment
Recruitment GDPR rules have affected recruitment and recruitment agencies to a large degree. It is hard to deny the fact that GDPR has actually made the work of recruiters harder by creating additional challenges and risks in the process. Here are the most important issues to keep in mind when thinking of GDPR and recruitment:
Requirement Apps and Tools
It’s imperative to update the recruitment software currently used, with new privacy requirements in mind. This change is costly and time-consuming, while recruiters will also need some training and time to learn to navigate new programs. Thus, the process of recruitment may stall for the transition period.
New Rules for Data Mapping
Recruiting firms have to conduct thorough data mapping now by determining which candidate data is collected in the recruitment process, through which processing stages it goes, and where it is stored. If you have a separate recruiting department, the process of establishing data mapping as a new procedure may take quite a lot of time and effort.
New Legal Policies
Recruitment Agency Evaluation
If you don’t have a recruitment department and rely on the assistance of external recruitment firms, be sure to check their policies regarding GDPR compliance. It’s imperative to work only with firms that comply with GDPR to avoid employee litigation.
More Complex Recruitment Workflow
According to GDPR, all personal data should be removed from the company’s database after the job interview (upon the candidate’s request). So, for larger companies, this means harder recruitment because of slower processes and inability to store candidate data for easier recruitment for new opening vacancies.
Selective Data Collection Requirements
GDPR allow the collection of personal data only for active vacancies and only about people with whom a job interview will be held.
It is important to keep in mind that even though individuals may post their personal data in social profiles like LinkedIn, recruiters do not have the right to retrieve and store that data in their databases; they need to ask candidates for permission to process their personal information by indicating a specific purpose of data use and clarifying the procedure by which the candidate may withdraw that consent. Such changes will definitely complicate recruiters’ work, as the latter used to store some “hot candidates” list for specific positions and contact the most suitable candidates in case a proper vacancy arises.
As you can see, GDPR and hiring are very closely linked since recruiters of candidates from the EU or EU companies recruiting employees from outside the EU all need to comply with the new rules. Any breach of the recruitment GDPR, no matter how insignificant it is, may cause serious consequences discussed below, so being aware of the GDPR peculiarities, employing GDPR-friendly practices, and providing additional training to recruiters is a pressing necessity in every firm today.
Can You Ignore GDPR?
Due to the pervasive outreach of new GDPR regulations, GDPR and outsourcing now go hand in hand, and it’s quite hard to imagine a situation in which an employer or recruiter might breach the GDPR employee data protection policy without any consequences. Just think of it: a violation of the GDPR rules is punished with a €20,000,000 fine or a penalty equaling 4% of your company’s total annual revenue (depending on which sum is larger).
A huge sum to pay, isn’t it? Such a serious penalty may undermine the health of your business and pose its survival into question. It’s highly undesirable to take risks and ignore the recruitment GDPR requirements.
Just recollect the misfortunes of Cambridge Analytica because of its unauthorized personal Facebook data use! Smaller fines have already been applied across the EU (e.g., a €4,800 fine for the company that recorded data in front of its establishment with a CCTV camera) and the Canadian AggregateIQ already received a notice from the GDPR authorities regarding its personal data use in analytics and advertising. So, fines are a reality of the present, not a matter of the distant future.
How Does GDPR Affect Outsourcing?
Though the GDPR impact on offshoring and outsourcing may not be immediately evident, it is still pervasive. The need to change practices and policies in compliance with GDPR requirements relates to companies involved in
- Rendering services and selling products to the EU clients;
- Behavior monitoring and analysis of the EU citizens and residents;
- Rendering services to the EU companies, conducting web development under their name, and personal data storage and transfer of EU citizens who are the clients of these companies.
Thus, as you can see, GDPR and outsourcing are closely interlinked, and if you are an outsourcing company fitting any of the aforementioned criteria, then you need to adopt new rigorous measures for data protection in recruitment to avoid GDPR-related litigation.
Can You Hire IT Recruitment Agency from Eastern Europe to Make Your Life Easier?
GDPR and outsourcing have a strong bond since outsourcing is primarily about processing candidate data and searching for fitting specialists. This may be done only by scanning available resumes or storing a database of candidates in a company. Since the GDPR transform the overall method of dealing with personal data, each outsourcing company has to adapt to the recruitment GDPR policies by putting proper practices and installing new software, training HR managers, and finding other ways to guarantee data privacy throughout the recruitment process.
Avoiding the GDPR recruitment difficulties is possible if you hire developers outside the EU or address a company that relocates developers from Eastern Europe. In this case, the recruiters of the vending company will not come across any GDPR-related hardships as it does not cover non-EU workforce. As a result, you may reap the following set of advantages:
- Access to the best job candidates (you can reach a much larger number of potential developers in non-EU countries);
- A broad choice of qualified candidates;
- No need to make adjustments of recruiting policies and procedures, to provide additional training to HR managers, and to invent any new approaches to address the GDPR challenges.
GDPR definitely has sense in terms of providing more security to personal data, more respect to people’s privacy, and a greater degree of awareness concerning how each individual’s personal data is used by any data processor.
If you want to follow the data security rules but avoid GDPR recruitment hurdles, you can address a recruitment company from the Eastern Europe. Qubit Labs is an IT staffing company based in Kyiv, Ukraine, that hires dedciated developers and builds mini R&D offices. We also provide recruitment and relocation services to give you a chance to work with your developers on your territory.