
4 steps that ensure your recruitment process is GDPR compliant

Europe is now covered by the world’s strongest data protection rules, the General Data Protection Regulation (GDPR), which came into force in May 2018. The regulation was introduced to modernise the laws that protect the personal information of individuals.

Before GDPR was enforced, the previous data protection rules across Europe dated from the 1990s and had struggled to keep pace with rapid technological change. GDPR alters how businesses and public sector organisations can handle the information of their customers.

So, what should you have in place to ensure your business is operating compliantly under GDPR?

  1. Do you have a privacy policy for Applicants?

    Root2 Recruit provides recruitment services for a wide range of clients throughout Greater Lincolnshire, the East Midlands and the rest of the UK.

    A privacy policy is a legally required document in which a business discloses how it uses, manages and protects the personal data it collects about individuals. All UK-based online companies are required to be open with their users about how their personal data will be used.

    When GDPR came into effect in May 2018, it included a requirement for companies to implement privacy policies that are concise, clearly worded and transparent about how personally identifiable information is collected and stored.

    If you are found to be operating without a privacy policy, the Information Commissioner’s Office (ICO) has the power to bring criminal proceedings or impose fines of up to £5,000, which can rise if the case is tried and heard by a Crown Court. If any part of the GDPR is breached, a company can also be fined up to 4% of its global turnover or €20 million (£17.7 million), whichever is greater. This is the maximum fine; smaller fines apply where a company does not have its records organised appropriately.

    The Solution

    You should ensure your privacy policy is as accessible as possible. Design it like the rest of your site, with a clearly marked link on the main menu. It is also essential that it is easy to understand, so use simple language and avoid complex legal or technical terms. A recruitment-specific privacy policy template is available from Root2 Recruit.

    Below are some points to cover in your privacy policy (our full Guide has more):

    • How you will be storing and managing personal data
    • How you will be using their data and for how long
    • The types of information about a candidate that reside in your company’s files
    • Who you will share the data with
    • The portability and access Applicants have to their data
    • How Applicants have the right to be forgotten
  2. Do you save your Applicants data in folders on your computer desktop?

    Under GDPR, robust data management is absolutely critical. If the folders containing personal data are named and structured inconsistently, you are breaching the GDPR; every file containing personal data must be managed in a way that is compliant.

    GDPR applies to ALL personal data about EU citizens, wherever that data is held and wherever the organisation holding it resides. So, if an Applicant asks you to remove their details from your software and you cannot locate them, you’re going to be in a spot of bother.

    The penalties for non-compliance are up to 4% of your annual turnover (up to 20 million Euros), and in some cases prison!

    The Solution

    • Keep any relevant files together – they will be easier to archive or delete as a group
    • Update (or put in place) GDPR compliant procedures for managing consent, storage and breaches
    • Identify your data ‘processors’ and ‘controllers’ and make sure they understand the new rules
    • Clearly define the responsibilities and accountabilities for processing and controlling data, especially where there is a deadline for responding
    • Be consistent and don’t allow exceptions
  3. How do you store data?

    If you have been saving and sharing data without thinking about the GDPR, it’s crucial that you prioritise getting effective data management protection in place – and fast.

    Remember, not everyone needs the same access to all the personal information that has been gathered over time. If you have been saving personal data that can be accessed by anyone and everyone, think about what it is necessary to share and with whom. Managing the accessibility of your shared files is a great place to start, so take the time to organise your files and know exactly how much personal data you store.

    The Solution

    • Know how much personal data about individuals you hold and how to access it quickly by individual
    • Have a defined process for retrieving personal data, and for changing/deleting it
    • Manage the accessibility of your files
    • Choose a file sharing solution that stores data in the EU and encrypts your data securely
  4. Do you keep track of when Applicants’ data is received?

    Retaining documents for longer than necessary is a common problem with online systems. Under GDPR it is important to know not only what is in your archived files, but also how long you have retained each piece of data.

    When an individual’s personal information is no longer relevant to you and your organisation no longer has a legitimate need to retain it, you must delete it.

    The Solution

    • Make note of when data is received and for how long it can be retained
    • Delete, or move to an encrypted and managed archive
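
    Steps 3 and 4 both come down to one record-keeping discipline: knowing what you hold about each individual, when it arrived, when it must go, and being able to find and erase it on request. The Python below is an added example written for this guide, not Root2 Recruit’s code or any product’s API. It keeps a small register of applicant records, each tagged with a receipt date and a purpose, and derives the expiry date from an assumed retention period per purpose. The retention periods, applicant identifiers, email addresses and file paths are all constructed for illustration, as is the `ApplicantRegister` class itself; the erasure log records only an internal id, a date and a reason, so the evidence of deletion does not itself retain personal data.

```python
"""Retention register for Applicant data: what is held, when it was received,
when it must go, and lookup/erasure by individual. Added example; retention
periods, records and paths are constructed and are not from the guide."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed retention periods per purpose (placeholders, not the guide's figures;
# take the real values from your own retention policy).
RETENTION_DAYS = {
    "active_application": 180,
    "talent_pool": 365,
}

# Fixed "today" so the stand-alone run is reproducible (constructed value).
TODAY = date(2024, 6, 1)


@dataclass
class ApplicantRecord:
    applicant_id: str          # internal identifier; the only thing the erasure log keeps
    email: str                 # the key an Applicant will quote in an access/erasure request
    purpose: str               # why the data is held; selects the retention period
    received: date             # step 4: note when the data was received
    files: list[str] = field(default_factory=list)  # step 2: keep related files together

    def expires_on(self) -> date:
        """First day on which the record must no longer be kept."""
        return self.received + timedelta(days=RETENTION_DAYS[self.purpose])


class ApplicantRegister:
    def __init__(self) -> None:
        self._records: dict[str, ApplicantRecord] = {}
        # (applicant_id, date, reason): evidences deletion without storing personal data
        self.erasure_log: list[tuple[str, date, str]] = []

    def add(self, record: ApplicantRecord) -> None:
        # Refuse to hold data for which no retention period has been defined.
        if record.purpose not in RETENTION_DAYS:
            raise ValueError(f"no retention period defined for {record.purpose!r}")
        self._records[record.applicant_id] = record

    def find_by_email(self, email: str) -> list[ApplicantRecord]:
        """Step 3: locate everything held about one individual, quickly."""
        wanted = email.strip().lower()
        return [r for r in self._records.values() if r.email.lower() == wanted]

    def expired(self, today: date) -> list[ApplicantRecord]:
        """Step 4: records whose retention period has run out as of `today`."""
        return [r for r in self._records.values() if r.expires_on() <= today]

    def erase(self, applicant_id: str, today: date, reason: str) -> list[str]:
        """Remove a record, log the erasure, and return the file paths to delete."""
        record = self._records.pop(applicant_id)
        self.erasure_log.append((applicant_id, today, reason))
        return list(record.files)

    def purge_expired(self, today: date) -> list[str]:
        """Erase every record past its retention date; returns the ids erased."""
        erased = []
        for record in self.expired(today):   # expired() returns a fresh list, safe to pop from
            self.erase(record.applicant_id, today, "retention period ended")
            erased.append(record.applicant_id)
        return erased


def build_sample_register() -> ApplicantRegister:
    """Constructed sample records, not real Applicants."""
    reg = ApplicantRegister()
    reg.add(ApplicantRecord("A-001", "alice@example.com", "active_application",
                            date(2023, 12, 1), ["/data/applicants/A-001/cv.pdf"]))
    reg.add(ApplicantRecord("B-002", "bob@example.com", "active_application",
                            date(2024, 3, 1), ["/data/applicants/B-002/cv.pdf",
                                               "/data/applicants/B-002/cover-letter.pdf"]))
    reg.add(ApplicantRecord("C-003", "carol@example.com", "talent_pool",
                            date(2023, 7, 1), ["/data/applicants/C-003/cv.pdf"]))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.expired(TODAY):
        print(f"{r.applicant_id} reached its retention limit on {r.expires_on()}")
    print("purged:", reg.purge_expired(TODAY))
    print("erasure request, files to delete:",
          reg.erase("B-002", TODAY, "Applicant requested erasure"))
    print("erasure log:", reg.erasure_log)
```

    Running the block as-is flags A-001 (received 1 December 2023, 180-day period) as expired on 1 June 2024, purges it, and then handles an erasure request for B-002 by returning the file paths that must actually be removed from disk or the archive; the register itself only tracks the records, it does not delete files. The `today` parameter is passed in rather than read from the clock so that a scheduled purge can be rehearsed against a fixed date before it is run for real.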