
Data protection: understanding the impact of GDPR in HR and applying it to recruitment

Since it became applicable in 2018, the GDPR (General Data Protection Regulation) has set out strict rules to protect the personal data of people in the European Union. In the HR sector, where CVs, personal and sensitive data, and digital tools and technologies (including AI) are central to every process, this regulation is essential. Complying with the GDPR isn't just a legal obligation: it's also an opportunity to build candidate trust and improve recruitment practices.

GDPR, HR and recruitment: definition and key points

The General Data Protection Regulation (GDPR), fully applicable since 25 May 2018, is a European regulation designed to protect the personal data of people in the European Union. In the HR and recruitment industry, the GDPR is crucial because it governs how companies collect, process and store the personal information of applicants and employees.

Why are HR and recruitment concerned?

HR departments handle personal data on a daily basis:

  • CVs,
  • cover letters,
  • LinkedIn profiles,
  • practical or personality test results,
  • identity documents when drawing up employment contracts,
  • and even sensitive data (ethnic origin, political opinions, religious beliefs, trade union membership, health data, etc.).

This information must be handled carefully to respect the privacy of candidates and future employees. Just as it does for other areas of corporate life, the GDPR applies to recruitment processes and imposes strict rules to protect candidates' data.

Without this compliance, a company exposes itself to fines of up to 20 million euros or 4% of its worldwide annual turnover, whichever is higher.

Good to know: the GDPR applies to any organization established in the EU, and to organizations based outside the EU whose processing targets people located in the EU. What matters is where the applicant or worker is, not his or her nationality.

The CNIL ("Commission nationale de l'informatique et des libertés", the French data protection authority) has also published practical guides dedicated to recruitment professionals, to help them grasp data protection in the HR world. This shows how important the subject is for HR teams, and for recruiters in particular.

GDPR and its European impact on recruiters and candidates

Although it's European legislation, the GDPR has a global reach. Any company, wherever it's located, must comply if it processes the data of people located in the European Union. And this is true whether that person is a partner, a customer, a prospect or... a candidate.

The GDPR replaces disparate national regulations with a single framework applicable in all EU member countries. This simplifies data management for companies operating in several countries, but also imposes high standards to be respected.

Example: an American company recruiting in Germany must apply the same rules as local companies, particularly on candidate consent and their rights regarding their personal data. 

The fundamental principles of GDPR applied to HR

To comply with the GDPR, companies need to follow several key principles, applied here to the HR and recruitment context. Here are the main ones.

Transparency and consent for candidates

Candidates need to know what data is collected, why, on what legal basis and for how long. This requires a clear and accessible privacy notice. Consent is one of the lawful bases the GDPR provides, and where you rely on it (for example to keep a CV for future opportunities, or to send emails, SMS or a newsletter) it must be freely given, specific, informed and as easy to withdraw as it was to give. Assessing an application itself generally rests on another basis (steps taken at the candidate's request before entering into a contract, or the employer's legitimate interest), but the duty to inform the candidate is the same in every case.

Example: a candidate should be informed that his or her CV will be kept for two years for future opportunities, and given a link to withdraw consent or object at any time.

It's also important to note that data may be collected from people who are not, strictly speaking, candidates: people whose information you collect without them officially applying for a job. A few examples:

  • profiles met at a job event
  • profiles found on professional networks such as LinkedIn
  • subscribers to your newsletter or talent pool

In these cases (and in all others as soon as data is collected), transparency and explicit information are also mandatory.

Data minimization: only data required for recruitment purposes

Only the data necessary for the recruitment process and, at a later stage, for drawing up the employment contract may be collected.

Only information that helps the recruiter determine whether a profile matches the position may be collected: knowledge, skills, know-how, interpersonal skills, training, professional experience...

Overall, when the GDPR is applied to recruitment, any data outside the professional context falls outside the legal framework for collection and use.

Within the recruitment context, it is nevertheless possible to ask for documents that substantiate the information given by the candidate, for example a diploma certificate or an employment certificate from a former employer. On the other hand, documents that contain other data irrelevant to the candidate's ability to do the job should not be requested. A pay slip is one example.

Candidates' sensitive data

Other data, known as "sensitive" data, is not permitted either, because it has nothing to do with deciding whether an application is relevant:

  • origin,
  • political or religious opinions,
  • trade union membership (even though it is in some sense part of professional life),
  • health information (including possible pregnancy plans, which are sometimes used as selection criteria in a wholly discriminatory and abusive way),
  • family situation (marital status, children, caregiver status, etc.),
  • etc.


Candidates' right of access

Every candidate has this right, whether they are recruited directly by a company or through intermediaries such as recruitment agencies, temporary employment agencies and so on.

This right covers three elements:

  1. knowing whether the recruiter holds data on his or her profile,
  2. obtaining a copy of this data,
  3. knowing the purpose of the processing.

You should therefore always give your talent pool members a way to exercise this right of access, for example via a dedicated email address. Take care to respond to requests promptly: within one month, a deadline that can be extended by two further months only where requests are particularly complex or numerous, and provided the candidate is told why within the first month.

Good to know: this also applies to the results of tests conducted during the recruitment process, as well as their analysis, with the following subtleties in mind:

  • The name of any external organization that designed the test must not appear (intellectual or industrial property).
  • The names of people who have annotated comments in the test must not appear.
  • Data concerning other candidates (e.g. in a group test) must not appear.

The Right to erasure, Right to object and Right of restriction: the candidate is in control!

Candidates have the right to ask for their personal data to be permanently deleted. This right to erasure applies in many situations, the simplest being: a candidate applies, then decides to withdraw the application and asks for the data to be deleted, since the company no longer has a legitimate interest in keeping it.

The right to object is slightly different: it lets the applicant request that the company stop using his or her data for a given purpose, but deletion is not mandatory. If a candidate wishes to object to the use of his or her data for certain purposes only, or for a certain period, he or she can invoke the right to restriction of processing.

Other rights exist and have an impact on the link between data, recruiters and candidates:

  • Right to rectification: the possibility of correcting data collected and stored by a company (updating CV data in particular).
  • Right to data portability: the possibility of requesting the data to be transferred to another organization.

All these rights can be exercised free of charge by candidates. 

AI and data use: candidates' rights expanded

In today's world, where AI plays an important role in recruitment processes, other rights are becoming increasingly important, in particular those linked to the automated analysis of candidate data. Lawyer Benjamin Greze (cio-online.com) explains:

"In the case of a decision based exclusively on automated processing, the recruiter must inform the persons concerned of their rights, and in particular that of obtaining human intervention in the recruitment process. In concrete terms, this means that a candidate has the right to have a human recruiter analyze his or her application to decide what action to take. If this is not respected, the recruiter is in breach of the GDPR."

This kind of question also matters when it comes to recruitment chatbots, as the data collection and analysis process is often at least partly in the “hands” of an AI.

In the future, this kind of topic will become increasingly prevalent. And human intervention will remain essential in recruitment, even if facilitated by tools and algorithms. 

GDPR and HR: risks of non-compliance and precautions to take

Companies that do not comply with the GDPR face financial and legal penalties, with fines scaled to the seriousness of the breach.

The CNIL specifies: “An administrative fine not exceeding 10 million euros or 2% of the company's worldwide annual sales. For the most serious breaches, this amount can rise to 20 million euros or 4% of worldwide annual sales.”

In 2019, for example, the CNIL fined Sergic, a real estate administrator, €400,000. As Le Monde points out, “Thousands of candidates' documents found themselves in open access following an IT security flaw”.

The reliability of the tools and of the data hosting system is therefore just as important as the reliability of the established processes and rules. In the Sergic case, the flaw was an access-control failure: candidates' documents could be retrieved without authentication simply by altering a URL. Security testing of candidate portals, not just contractual assurances, is part of compliance.

Good to know: according to a Gartner study, 65% of global businesses would not be fully GDPR-compliant by 2024.

GDPR compliance depends on many factors (respect for processes, IT security, data processing record-keeping, etc.), so it's not just a task for HR and recruitment teams.

It all starts with an audit of the company's GDPR practices as a whole, whether concerning candidate and employee data, but also partners, customers, prospects, subcontractors and so on.

Most of the time, one person - a DPO (Data Protection Officer) - or a team is in charge of all GDPR compliance; it's with these experts that you need to discuss the topic, to implement the necessary corrective measures and better understand how to manage day-to-day GDPR compliance.

If this isn't the case, you can always call on the services of an expert GDPR consultancy. It's always wise to be sure of your compliance.

GDPR compliance for HRIS and recruitment software partners: how to ensure it?

Digital tools used in HR, such as ATS (Applicant Tracking Systems) and CRM (Candidate Relationship Management) software, must themselves comply with the GDPR.

If these tools are non-compliant, the company using them remains accountable as data controller. So choose carefully. How?

  • Audit service providers: ask for certifications or other proof of compliance (hosting locations, sub-processors, security measures, breach notification process), and ask all your questions before choosing a final provider.
  • Sign a data processing agreement: the GDPR (Article 28) requires a written contract with every processor setting out its obligations (processing only on your instructions, security measures, assistance with data subject requests, deletion or return of data at the end of the contract). Your legal department can help.
  • Give priority to European solutions and EU hosting: keeping data in the EU avoids the need for a legal transfer mechanism each time data leaves it, and such vendors are often better aligned with GDPR requirements.

You should also know that some tools can make your recruitment and candidate relationship processes compliant with far less effort. This is the case with our Candidate Relationship Management software, built for GDPR requirements, which lets you automate:

  • consent requests,
  • profile data updates within your talent pool,
  • data deletion after a given period, relieving recruiters of this manual burden.

The choice of tool and technology must therefore be viewed through the lens of data protection and processing.

Please note: tools and technologies are not responsible for the way recruiters use them. For example, parsing and matching technologies extract, analyze and compare information about candidates (CVs, profiles, etc.), and the recruiter is responsible for setting their parameters. So take care to use your tools appropriately: if you ask a tool to select only candidates under 50, the discrimination is obvious, and it is the recruiter's, not the tool's.

GDPR compliance: HR and recruiters also build employer brand credibility

Compliance with the GDPR is more than just a legal obligation; it directly impacts a company's brand reputation and its ability to attract talent.

Transparent and respectful management of personal data strengthens the trust of candidates and enhances the employer brand. On the contrary, non-compliance with the GDPR, such as a data leak or lack of consent, can seriously damage a company's image.

In a market where candidates are attentive to employers' values, HR teams have every interest in considering GDPR compliance as a driver of credibility and attractiveness.

Summary: 3 best practices for compliant HR data management

  1. Implement a clear privacy policy: explain how you manage candidate data and make this information readily available.
  2. Automate data deletion: program deadlines to automatically delete the information of unsuccessful candidates (e.g. 2 years after the end of a process).
  3. Train your HR and recruitment teams: make them aware of the issues and GDPR obligations.
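The deletion deadline in point 2 is the part of this list that can be put into code. The following Python routine is added here as an illustration; it is not part of the article or of any CleverConnect product. It evaluates candidate records against a two-years-after-last-contact rule and also covers the cases raised elsewhere on this page: an erasure request or a withdrawn application deletes immediately, and a legal hold (pending litigation) blocks deletion. The record layout, field names, status values and sample data are constructed for the example.

```python
"""Retention decisions for candidate records.

Added illustration, not CleverConnect code. It assumes a hypothetical record
layout (Candidate dataclass below) and a default policy of two years after the
last contact; a real policy must follow your own retention schedule.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Callable, Iterable

RETENTION_YEARS = 2  # default clock, started at the last contact with the candidate
TODAY = date(2025, 6, 1)  # fixed "today" so the example is reproducible


class Action(Enum):
    KEEP = "keep"      # still within the retention period
    DELETE = "delete"  # purge now
    HOLD = "hold"      # keep but do not use: legal hold (e.g. pending litigation)


@dataclass(frozen=True)
class Candidate:
    candidate_id: str         # opaque internal id, safe to write to logs
    last_contact: date        # last exchange with the candidate (application, interview, email)
    status: str               # assumed values: "applied" | "rejected" | "withdrawn" | "hired"
    erasure_requested: bool = False  # candidate exercised the right to erasure
    legal_hold: bool = False         # retention required (e.g. ongoing dispute)


def add_years(d: date, years: int) -> date:
    """Calendar-accurate year arithmetic (29 Feb rolls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(c: Candidate, today: date) -> tuple[Action, str]:
    """Decide what to do with one record; the reason is suitable for an audit log."""
    if c.legal_hold:
        return Action.HOLD, "legal hold"
    if c.status == "hired":
        return Action.KEEP, "hired: record moves to the employee file and its own retention rules"
    if c.erasure_requested or c.status == "withdrawn":
        return Action.DELETE, "erasure request or withdrawn application"
    expiry = add_years(c.last_contact, RETENTION_YEARS)
    if today >= expiry:
        return Action.DELETE, f"retention expired on {expiry.isoformat()}"
    return Action.KEEP, f"retained until {expiry.isoformat()}"


def run_purge(records: Iterable[Candidate], today: date,
              delete_fn: Callable[[str], None]) -> list[dict]:
    """Apply the policy to every record.

    delete_fn receives the id of each record to purge (the storage layer does
    the actual deletion). The returned audit log holds ids, decisions and
    reasons only, never the candidate's data, so the log itself can be kept.
    """
    log = []
    for c in records:
        action, reason = evaluate(c, today)
        if action is Action.DELETE:
            delete_fn(c.candidate_id)
        log.append({"id": c.candidate_id, "action": action.value, "reason": reason})
    return log


# Constructed sample data, not real candidates.
SAMPLE = [
    Candidate("c-001", date(2023, 5, 31), "rejected"),                         # expires today
    Candidate("c-002", date(2023, 6, 2), "rejected"),                          # one more day
    Candidate("c-003", date(2024, 1, 10), "rejected", erasure_requested=True),
    Candidate("c-004", date(2022, 3, 1), "rejected", legal_hold=True),
    Candidate("c-005", date(2024, 2, 29), "rejected"),                         # leap-day anchor
]


def demo() -> tuple[list[dict], list[str]]:
    """Run the purge over the sample and return (audit log, ids handed to delete_fn)."""
    deleted: list[str] = []
    log = run_purge(SAMPLE, TODAY, deleted.append)
    return log, deleted


if __name__ == "__main__":
    log, deleted = demo()
    for entry in log:
        print(entry)
    print("purged:", deleted)
```

The audit log deliberately holds only ids, decisions and reasons, so it can be kept as evidence that the purge ran without becoming a new store of personal data. Deletion is delegated to delete_fn so the same policy can drive the database, the document store and any backups, which is where forgotten copies usually survive.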

GDPR and HR: recruiters' most frequently asked questions in 1 minute

Can I keep a CV after a refusal?

Yes, but only with the candidate's consent and for a specified limited period. Besides, building talent pools is an excellent practice for your recruitment strategy. Choose a tool that facilitates your GDPR compliance!

What to do if a candidate requests the deletion of their data?

Ensure that all his or her information is deleted, unless its retention is legally required or you have a valid reason to retain it (e.g. in case of litigation).

Can I use LinkedIn to source candidates?

Yes, but be careful not to collect and store data without consent. Our Chrome extension (available on our CRM tool) extracts all information from LinkedIn profiles and automatically requests consent: request a demo!

How long can we keep a database of candidates?

As a general rule, no more than two years after the last contact, unless otherwise stipulated by specific regulations. It can also be less, depending on your objectives.

Can CVs be shared with a partner or customer?

Yes, but only if the candidate has given explicit consent.

Are HR tools (ATS, CRM) responsible for the GDPR compliance of the companies that use them?

No, it's the user company that remains responsible for compliance, both in its tool selection and in its data management and protection processes.

What happens in the event of a security breach involving my candidates' data?

You must notify the CNIL (or the competent authority in your country) within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the persons concerned. Where the breach is likely to result in a high risk to them (identity documents or test results exposed, for example), you must also inform the candidates directly, without undue delay.

Can I keep unsolicited applications for future recruitment?

Yes, unsolicited applications are treated in the same way as regular job applications. You can therefore keep them if the candidate gives his or her explicit consent and you define a limited retention period (e.g. 2 years).

Are CVs collected at trade fairs or events affected by the GDPR?

Yes. You must inform candidates about how their data will be used and obtain their consent. Collected with a CRM tool, event data can be very valuable for future recruitment.

Good to know: at CleverConnect, GDPR compliance is one of our commitments, as we have specifically designed our entire platform to support European companies.
