Over the last few months or so, you won’t have been able to escape it: GDPR. It wasn’t just the date it came into force – the 25th May 2018 - but the months prior when your personal and professional inboxes were likely flooded with emails from a variety of companies asking if you’d be happy to hear from them. You, or the company you work for, will have probably been doing the same.

And though you’ll have legitimate reasons and consent for holding data on your employees, the law might appear a little trickier around individuals you assess for recruitment – especially if you don’t eventually end up hiring them. It might seem scary but it’s a necessary minefield you have to step through. Although you should have a compliance strategy in place already, HR Grapevine spoke to the experts to reassure you that the processes you are using are actually the right ones and what to do if they aren’t.

Who holds responsibility?

Monica Atwal, Director, Forbury People explained that under GDPR, it’s integral that everyone involved in the data journey understands what their responsibility is. “Data is one of the most valuable assets, both on an individual and an organisational level,” she said. “Protecting data is therefore everyone’s responsibility and helps build brands and reputations. A common misconception people make with the GDPR, is that they underestimate its importance in building their business, believing that compliance can be dealt with by one department, such as HR. Organisations should realise that GDPR compliance requires input from across the business (including marketing, HR, IT across managers and employees within the organisation).”

Helen Farr, Partner, Fox Williams LLP adds: “All employers are responsible for the data they process of those they recruit. Legally they are classed as data controllers, whether they deal with recruitment in-house or outsource it using a recruitment agency.”

What’s the legal basis I need to process candidate data?

According to XPertHR, provided that the processing is limited to what is necessary for the recruitment process, the employer will not need to ask job applicants for their consent to process their personal data.

However, an employer must show that it has a legal basis when it processes personal data.In the case of personal data provided by job applicants as part of a recruitment process, the legal basis is likely to be that processing is necessary for the purposes of the legitimate interests of the employer.

The employer will need to process personal data provided by candidates when conducting the recruitment exercise; for example, it will need to assess and record information about their qualifications as part of the selection process. It has a legitimate interest in managing the recruitment exercise effectively to decide to whom to offer a job.

What does this mean I should be doing?

Helen Farr, Partner, Fox Williams LLP: “All employers must give job applicants a privacy notice to ensure they understand the lawful basis for holding and processing their information. This should be easily accessible on the organisation’s career page or website.

Recruitment processes need reviewing, including developing a policy for storing and managing recruitment information, including processes to deal with unsolicited information and how long data is retained.”

And, if you’re going to utilise a recruitment company, Daniel Austin, Data Protection Officer at Opus energy warns: “GDPR will mean a change in supplier relationships, as suppliers not being compliant could jeopardise a business’ security and data management.” Practically, this should mean adding addendums to the contracts of relationships with recruitment and employment agencies, ensuring that your partners are aware they have to alert your business if there are any data breaches.

Understand what the uses of the data are and the limits to it

Time is a central consideration under GDPR. One of the key principles of the legislation is that data is kept for no longer than necessary, meaning employers should have a data retention and removal policy.

GDPR also lays out that those having their personal data processed will need to receive a clear notification of how it is being used. In recruitment, this will mean the potential employer will have to explain how long they plan on keeping a candidate’s data. A notice of this should include:

• The identity and contact details of the Data Controller (in this case, the potential employer or recruitment agency; if it is the recruitment agency this should be made clear)
• The purpose of the processing of that data
• The categories of data being process and details of recipients of that data
• The retention period of that data
• The existence of the data subject’s rights
• The individuals right to complaint

What should I be worried about now?

If you’re worried you’ve not got yourself in line, there are a few crucial things you can do. Sarah Williamson, Lead Partner at Boyes Turner advises asking yourself the following questions about how you use candidate data: “Where does it go? Who does it relate to? Do your workers know what to do if the data your organisation holds is it at risk?” Though it may seem like a lot, they pertain to issues that can be easily resolved.