Ensuring Your Recruitment Process Is GDPR Compliant

CT Team, April 05, 2021

Data is one of the most valuable assets a company can own today. 

Businesses are collecting a wide range of customer data to understand and serve their consumers better. Consequently, it’s more important than ever for companies to do everything in their power to ensure their customer data is protected.

As a tech company with AI at its heart, Curious Thing’s core competency is its data. Our AI voice interviewing tool offers valuable information about candidates, empowering recruiters to make strategic, data-driven hiring decisions.

Information security and privacy have always been top priorities for our team. And so, we’re excited to announce that Curious Thing is officially compliant with the GDPR.

But what is the GDPR and why does it matter?

The GDPR explained

The GDPR or General Data Protection Regulation is a set of laws regulating how businesses collect and process the personal data of European Union (EU) citizens.

Personal data or personally identifiable information (PII) is any data that can be used to identify an individual.

Like many industries, the recruiting field is highly reliant on personal data. Information used to place a candidate can include their name, email address, phone number or indirect identifiers such as their IP address or applicant number. 

In essence, GDPR laws give EU citizens, in this case candidates, greater control and transparency over their personal data by placing checks on how their data is collected, used and stored.

Who does the GDPR apply to?

The GDPR involves three main parties: data subjects, data controllers and data processors.

Data subjects are individuals who share their personal data. In the recruiting industry, these are candidates who are EU citizens and share PII as part of their job applications.

Data controllers are the employers or recruiting teams who determine the reason for collecting data from these candidates.

Data processors are recruitment software and service providers like Curious Thing who process data regarding EU candidates on behalf of the employers in accordance with set guidelines.

Why should the GDPR matter to recruiters?

Recruiting teams are privy to highly confidential candidate information that doesn’t belong to them. Ensuring data protection and privacy is crucial to building candidate trust and promoting data security.

GDPR compliance is mandatory for recruiters who are based in the EU or control data of EU citizens. Although not compulsory for other recruiters, it gives them a chance to shape employer perception and enhance the wider candidate experience beyond just the hiring process. 

Recruiters need to abide by seven core principles to be compliant with the GDPR.

Principle 1: Lawfulness, fairness and transparency

Do you have a justified purpose for collecting personal data?

As a recruiter, be transparent about what data you’re collecting and how it will be used and stored. Provide this information to candidates in simple language and state it clearly in your privacy policy.

Principle 2: Purpose limitation

Are you using candidate data only for the specified purpose? 

Collect and use data only for the initial purpose you’ve disclosed to your candidates and for which you’ve received consent from them. Make sure to include this information in your privacy guidelines.

Principle 3: Data minimisation

Are you collecting only job-related information that is necessary for your recruitment process?

Collect only the minimum data you need from candidates. That way, if a breach does occur, the amount of information exposed to unauthorised access is minimised.

Principle 4: Accuracy

Is your candidate data accurate and kept up to date?

To comply with the GDPR, every reasonable step must be taken to correct any data inaccuracies and keep information updated. 

If candidates ask for incorrect or incomplete personal data to be rectified or erased, you have 30 days to action this request.

Principle 5: Storage limitation

Are you retaining data for the necessary limited period only? 

Outline, justify and follow the retention period for your candidates’ personal data. Once you use the data for the intended purpose, delete the information. If you’re allowed to hold on to the data by law for statistical purposes, it needs to be anonymised first.

Candidates can also ask for their personal data to be erased or withheld from processing.

Principle 6: Integrity and confidentiality

Are you ensuring data security?

Candidates’ identity and information must be safeguarded. This means data needs to be properly de-identified, stored securely or deleted as the regulation requires. You can also obtain ISO 27001 accreditation to strengthen your systems and information security.

Principle 7: Accountability

Are you able to demonstrate compliance with the GDPR?

Define and document every step in your data management process. Under the GDPR, your company is responsible for who you partner with and can be held accountable if they fail to comply with the law.

By choosing GDPR-compliant vendors, your recruiting team can share data security responsibilities and make sure the tools and practices you use to hire candidates abide by the guidelines.

For more information on how data is collected and processed by Curious Thing, read our Privacy Policy.

Note: All information stated above is general information only and is not intended to address specific requirements. Organisations should seek independent legal advice regarding their own data protection requirements.