A guide to GDPR and understanding the key requirements

a. processed lawfully, fairly and in a transparent manner in relation to individuals

Your responsibility
Organisations will need to update their Privacy Policy to include their legal basis for processing the data, how long they will keep the data and inform candidates they have a right to complain to the ICO if they are unhappy with the way their data is handled.
If you use auto declines, or external services such as online testing providers or video interview tools, you will also need to notify the candidate at this stage.

Previously registered candidates
You will need to ensure that all candidates held in your talent pool have given consent for their data to be held and stored for recruitment purposes. If you do not have consent to store a candidate’s data you will need to contact them and ask them to re-register. Any candidate information held without consent will need to be deleted before 25th May 2018.

Agency candidates
Agencies will be responsible for obtaining and recording consent from the candidate to have their details processed by the software provider and controlled by you. Organisations need to ensure the agency has signed an agreement to this effect. If an agency submits a candidate they have not obtained consent from, then the agency will be liable.

Manually added candidates
Organisations need to be extremely careful when manually adding an application on behalf of a candidate, or creating a candidate account. Consent must be obtained from the candidate and recorded.

How recruitment software can help
A simple candidate registration process will help to obtain the necessary consent from all candidates before any data is stored. The registration process should provide candidates with access to your GDPR compliant privacy policy and manually tick a box to say that they are providing consent to have their data processed by the software provider and controlled by you.
Candidates should also be able to opt out of job alerts and deactivate their account at anytime.

b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Your responsibility
Organisations need to ensure that their Privacy Policy states how the candidates personal data will be used, including if any external services such as online testing or video interviews will be used, and if their data will be transferred to a HR system if they are successful. It is also important to educate all system users so that they are aware they should not export or transfer the candidate data from the system for any reasons other than recruitment.

How recruitment software can help
As with point (a) your recruitment software should ensure all candidates to agree to your privacy statement before any of their data is stored. Your recruitment software should also provide adequate security settings to control which users have access to the functionality that allows candidate data to be exported or transmitted externally.

c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Your responsibility
In order to understand the current level of data compliance across your organisation the ICO states you may need to organise an information audit across the organisation or within particular business areas. You can then use this information to understand how you meet with the new regulations imposed by the GDPR and allow you to address any issues. The GDPR requires you to maintain records of your processing activities.

How recruitment software can help
Your recruitment software should offer the level of flexibility required to support your specific recruitment process and will help you address any potential compliance issues through workflow, structure levels, user group security settings etc. Your recruitment software should also maintain a record of all processing activities.

d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

Your responsibility
If you can provide candidates with access to their data and allow them to manage it themselves then very little will need to be done by an organisation. If you do not provide candidates with access to their own account, this can become a very manual and difficult task to manage.

How recruitment software can help
Your software should provide candidates with the ability to manage the data you store about them. They should also be to update this information, make amendments, control their job alert preferences (including the option to opt out completely) and deactivate their account at any time. It is also important that your software stores the date the candidate account was last updated, and the date applications are submitted to ensure you know how current the data is. Data Purge settings within your recruitment software should also help facilitate the process of removing inactive candidate accounts on your system.

e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

Your responsibility
You need to outline how long various types of data are retained within your system and put the necessary processes in place to facilitate this.

How recruitment software can help
Data purge settings within your software will allow you to control the length of time data is retained in the system.

f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Your responsibility
The ICO advises that:
“You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data. You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach – it is important to have robust breach detection, investigation and internal reporting procedures in place.”

How recruitment software can help
Access to candidate data and the security measures in place to minimise unauthorised access to information, should be a key consideration when choosing a recruitment software provider.

Security measures offered should include:
• Constant monitoring of network activity to highlight any suspicious activity.
• Controlled access to information using user groups and structure levels to control what each user can see and do.
• Prevent users from logging in after a set number of unsuccessful attempts to login.
• Automatically logging users out of the system after a set period of inactivity.
• Access to a full audit trail to identify who did what and when
• Anonymisation of all equal opportunities monitoring information and the ability to store this data separately from the candidate account.
• Rigorous security tests from external penetration testing companies.
• Create support verification codes for candidates and users to allow you to verify who you are speaking with before disclosing any information. This is a new feature that will be implemented within the system prior to May 2018.