One of the key principles outlined by GDPR is the need to provide candidates with a clear outline of how their information will be used, how it will be stored, who has access to it and who the information will be shared with.
When it comes to recruitment, several of these aspects will change according to the type of role being recruited for and the processes adopted.
Therefore, in order to provide candidates with the right information every time, you will need to use a different Privacy Statement for each role.
Without an automated solution, this can prove a time-consuming task that also puts your organisation at risk of obtaining, managing and storing data without the necessary consent.
So what types of things would require a change to your Privacy Statement?
Automated Filtering Tools – If you process candidates by automated means, for example by automatically declining candidates based on their answers to pre-app questions or because they fail to meet essential criteria, then this needs to be outlined in your Privacy Statement.
(Candidates should not only be made aware of the process but also have the right to object if they feel that they may be declined / shortlisted unfairly as a result.)
Online Testing Providers – If you use online testing for some of your vacancies, you will need to ensure that for these vacancies your Privacy Statement includes the relevant details. This will include who the third party is, what information you share with them, as well as how they process and store the data.
Sharing a candidate’s information with a third party without their permission is considered unlawful.
Background Checking Providers – Just like the use of Online Testing Providers, if you use a Background Checking service, you will need to inform candidates of this before they submit any information. Although the data will only be shared for one or at most a handful of candidates who will actually reach this stage, the candidate must give their consent for you to do so.
It is also important to consider the fact that a different policy/statement will also be required for those simply registering with your organisation to set up job alerts, etc.
As an organisation, networx have undergone extensive GDPR training and are recognised as fully Certified GDPR Practitioners.
Whilst every effort has been made to ensure that the information included in this article is accurate at the point of release, this should not be relied upon as legal advice or be used to determine how GDPR will apply to your organisation.
We encourage all organisations to seek the advice of a legally qualified professional to discuss GDPR and how best to ensure compliance.