Some time has passed since the GDPR regulations came into effect, and following the flurry of e-mails asking for contact consent and informing people of changes to privacy policies flooding peoples’ inboxes, now would be a good time to revisit the ways in which these vital changes to personal data processing have affected the recruitment process and in how both companies and consultancies must handle their obligations in order to maintain compliance and harness a culture of transparency in their actions.
Another aspect that is crucial is that the information provided by the candidate is both sufficient and not unnecessarily revelatory. An example of this would be in the submission of a CV to a hiring manager on behalf of the candidate. Quite often, a candidate’s CV would have to be edited, either to clear up some potential formatting issues or to add in additional details as illuminated during contact with the candidates that may draw a bigger parallel with the role than the base document would suggest. In some instances, candidate CVs can contain unnecessary personal details, such as their home address, phone numbers, personal e-mail addresses, and in some cases, even those with PPS and Passport numbers have crossed my desk. In such cases, it is vital that the recruiter edit this information and indeed any information that is not relevant to the application or would be necessary for the process at whatever stage it is at. Any editing, of course, must be approved of by the candidate, even an act of censure.
At each stage, we must keep candidates informed as to how their information is being controlled and reviewed. As with anyone with initial contact practices, it must be very easy for a candidate to withdraw themselves from the process for whatever reason, and as part of that, it must also be easy for all information pertaining to the candidate’s application be similarly expunged at all stages of processing. The retention of this information, for candidates successful and unsuccessful, must also be clearly outlined and time specific and subject to expiration and deletion. One must also ensure that the candidate is fully aware of how that information will be accessed and, particularly, for what purposes.
Being GDPR compliant is not a once-off flurry of activity, we should note. Rather, it is imperative that all those who handle personal data not only monitor and enforce their own obligations, but also ensure that all those connected with the process, be that clients or even ATS providers, ensure that they are compliant on a time-dynamic basis, ensuring that all those concerned know their partnering policies and processes for data retention, processing, and deletion, including noting how easily accessible this information would be to your candidates. Similarly, due diligence must be done on prospective partners or service providers involved in the data handling process. This is especially pertinent with non-EU based groups, which would also require the drafting and signing of a data processing agreement duly binding them to GDPR-compliant policies and processes.
In essence, a higher standard is expected of personal data processors, especially in recruitment. The days of keeping a candidate in your back pocket or having an ad-hoc attitude to privacy are gone, replaced by an opportunity to make the process altogether more personal in terms of interaction and in tailoring services provided to both candidate and client. However, it is important to note that while GDPR is very much here to stay and regulatory obligations are being adhered to as of the May 25th deadline, the intricacies of how businesses interpret and correspondingly fettle their approaches, processes, and policy documentation will be an ongoing process in the coming months and, indeed, years. This and any period of refinement is ultimately a positive thing, as it allows said business to harness the positives brought about by GDPR whilst not compromising on their service standards. Both during and following this period, through harbouring a culture and attitude of transparency of operations and respect towards the candidate, we can hope to strengthen the relationships we build in our operations, and in doing so re-establish what an engaged and dutiful recruitment consultant can really do.