Ruya Yonak

A guide to data privacy and protection in recruitment

The dos and don’ts of data protection and privacy in recruitment. Use this article as a checklist to make sure your recruitment process complies with GDPR*.

*Organisations should seek legal advice regarding their GDPR policies and for specific requirements of their business. This guide is for general information only, and it does not constitute legal advice.

There’s no question that data is a highly valuable asset for companies today and will continue to be in the future. Understanding the importance of data protection is crucial for businesses to protect themselves and their customers against cyber crime.

At the same time, employers have a liability to their employees and candidates to protect their personal information. Every business handles personal data. So, under the General Data Protection Regulation (GDPR), they must take certain data privacy and protection measures.

In this article, we discuss the dos and don’ts of data protection and privacy during the hiring process.

DO – Have a data protection policy in place that concerns recruitment

Data protection and privacy policies outline the scope of the data your company stores, how it’s stored and processed, how long it’s retained and the legal requirements that apply to the data. It should also include data breach notification procedures, the rights of ‘data subjects’ (e.g., candidates) and contact information for incoming questions and personal data requests.

As candidates share private details such as name, address, phone number, educational background and more, ‘data controllers’ – employers and recruiters – are obliged to collect data only for “specified, explicit and legitimate purposes.” In other words, employers and recruiters must use the data collected for job-related purposes only and contact the candidates within 30 days.

DO – Make it easy for candidates to exercise their privacy rights 

All data subjects possess the right to be forgotten, to restrict processing, withdraw their consent, access, or change their personal data and demand information about the processing of it.

Therefore, your data protection and privacy policy must clarify how candidates can exercise these rights. When you receive any of these requests from a candidate, you must action it within one month.

DO – Update data security trainings

Your legal team keeps an eye on any changes and updates that occur in the data privacy legislation. However, it’s not only your legal team who must be notified. It’s important that your employees are trained on GDPR and data protection regulations within your organisation. This protects your business and any data that you handle (including those of your employees and candidates).

DO – Have a plan for data breaches

Mistakes do happen, even if your company does everything right. Your IT department must have a response plan that usually involves reporting the breach to the Information Commissioner’s Office (ICO) – if it’s likely to cause a risk to the rights of affected individuals – repairing the breach and contacting the affected persons with the next steps.

DO – Use a GDPR compliant ATS

Applicant Tracking Systems (ATS) store and process candidate data, so you should opt for a GDPR compliant ATS. Not only does it make collecting and categorising candidate data more efficient, an ATS also helps you see active and inactive candidates when you need to remind them to renew their consent for storing their personal data.

DON’T – Forget to train your entire team on data protection

In most cases, human error is the cause of data breaches. In fact, the most common reason behind them is weak credentials. That’s why it’s key to provide regular training to your entire team on how to protect themselves and your business from potential ransomware. Regularly updating passwords and reviewing encryption practices are also ways to

DON’T – Contact candidates about your products or services

Although this may seem straightforward, it’s still important to remember that you must streamline your registration process, so candidates aren’t contacted by your marketing or sales department. They are sharing their personal data to be contacted about job opportunities only.

DON’T – Forget to pay your data protection fee

Companies that store and process personal data are required by law to pay a data protection fee to the ICO every year. If you don’t pay your data protection fee, you could be fined up to £17.5 million or 4% of your total worldwide annual turnover, whichever is higher. The ICO’s mission is to provide advisory services to businesses and improve data protection and privacy.

Companies like Yahoo, LinkedIn, Facebook, EasyJet, and Zoom have encountered data breaches in recent years. Although they may be inevitable for some businesses, it’s never a bad idea to tighten your company’s security measures. GDPR compliance helps you avoid fines, protect your reputation, and prevent cyber crime.

At Totaljobs, we have a responsibility to protect candidate information on behalf of both jobseekers and our customers. Our ATS is GDPR compliant, and we ensure that the information shared by candidates is relevant and doesn’t put them in danger of cyber crime.
