• 1. How confident are you in your knowledge of GDPR requirements?

    Everyone in the company is responsible for compliance, especially those who handle personal data regularly. Get familiar with GDPR’s requirements so you don’t create compliance risks for your company.

  • 2. Have you defined and documented your legal basis for processing personal data as part of recruiting?

    The GDPR accountability principle obliges you to be able to demonstrate compliance when asked. You need to show that you have a legal basis for processing candidate data and, if that basis is legitimate interest, that your interest isn’t overridden by the candidates’ rights and freedoms. You should also proactively state your legal basis the first time you contact candidates (in your job ads or sourcing emails).

  • 3. Do you know what types of candidate data you process, how you collect it and where it’s stored?

    GDPR obliges you to know what personal data you process, where you keep it and who has access to it. You should be able to produce a record of processing activities (Article 30) on request. If you can’t answer these questions by 25 May 2018, you may be exposed to GDPR sanctions.

  • 4. Have you created or reviewed a privacy notice for recruitment in light of GDPR?

    A recruitment privacy notice makes it easier for candidates to learn about their rights and how to exercise them, and it strengthens your company’s ability to demonstrate compliance with the GDPR.

  • 5. Does your team use spreadsheets to store candidate personal data?

    Spreadsheets create a high compliance risk. When your team has multiple copies of the same file it’s difficult to rectify or delete candidate data consistently, and spreadsheets provide no adequate access controls or audit trail: anyone with the file can download, copy or share it.

  • 6. What do you plan to do with candidate data you’ve already processed?

    GDPR’s storage limitation principle allows you to keep personal data only as long as it’s necessary for the purpose you collected it for. Candidate data older than a year is most likely no longer relevant and should be deleted.

  • 7. If you have old candidate data that is still relevant, how are you handling it?

    If candidate data you collected some time ago is still relevant for the purpose you collected it for, you can keep it, provided you tell the candidates that you still hold it. Keep in mind that if a candidate asks you to delete their personal details, you have to do it.

  • 8. Have you established a process to delete old candidate data in the future?

    It’s important to set a data retention period and delete old, irrelevant data when it reaches that deadline. Recruiting software that deletes expired records automatically removes the risk of human error and can alert you if you try to contact a deleted candidate again.

  • 9. Does your recruiting team know what information to include in job ads and candidate sourcing emails to be compliant with GDPR?

    As of 25 May 2018, you must include the information required by GDPR Articles 13 and 14 (such as your legal basis, including any legitimate interest you rely on, how long you keep the data and a link to your privacy notice) in emails to candidates and in published job ads.

  • 10. If you’ve decided to rely on candidate consent as your legal basis, or if you need to process special category (‘sensitive’) personal data about candidates (like disability or cultural information), how do you ask for consent?

    Legitimate interest isn’t enough when it comes to sensitive data; Article 9 requires a separate condition, which in recruiting is usually the candidate’s explicit consent. Consent must be specific, freely given, informed and well documented, and as easy to withdraw as it was to give. Pre-ticked boxes do not amount to consent under these circumstances and thus aren’t acceptable (or appropriate).

  • 11. What steps does your team take to ensure GDPR compliance when sourcing candidates on social media?

    Just because a profile is publicly available doesn’t mean you have the right to collect information from it. You need to make sure the candidate would reasonably expect to be contacted through that channel, and that you only collect information you actually need to evaluate their fit for a particular position.

  • 12. What method do you use to inform candidates how they can exercise their rights under GDPR?

    GDPR obliges you to be transparent and to give candidates the means and clear instructions for exercising their rights (e.g. the right to erasure).

  • 13. Are candidates able to remove their data from your system, or withdraw from further communication with you?

    Article 17 of the GDPR gives candidates the ‘right to erasure’. This means you must provide a way for them to remove themselves from your system. A good Applicant Tracking System offers this option to every candidate. To keep your recruiting reports consistent, your ATS should keep withdrawn candidates in its counts but anonymise their records so they no longer identify the person.
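One way to implement the retention sweep from item 8 and the anonymise-but-keep-counts behaviour from item 13, as an added example that is not code from the original checklist or from any particular ATS. It assumes candidates are stored as dictionaries with the hypothetical field names used below, a 365-day retention period, and a secret key for the suppression-list hash; every sample record is constructed for the example.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Retention period you commit to in your privacy notice (assumed value).
RETENTION = timedelta(days=365)

# Fields that identify a person; everything else is kept for reporting.
PII_FIELDS = frozenset({"name", "email", "phone", "cv_text"})

# Secret used to key the suppression-list hash. Placeholder for the example;
# in production load it from a secrets store and never commit it.
DEMO_KEY = b"replace-me-with-a-real-secret"


def contact_key(email: str, key: bytes) -> str:
    """Keyed hash of a normalised e-mail address.

    The suppression list stores only this digest, so it is not itself a
    store of personal data, yet a later sourcing attempt on the same
    address can still be matched and flagged.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def anonymise(record: dict) -> dict:
    """Drop identifying fields, keep pipeline metadata for reports."""
    kept = {k: v for k, v in record.items() if k not in PII_FIELDS}
    kept["status"] = "anonymised"
    return kept


def sweep(candidates: list[dict], suppression: set[str], today: date,
          key: bytes, retention: timedelta = RETENTION) -> list[dict]:
    """Apply erasure requests and the retention deadline in one pass.

    A record is anonymised when the candidate asked for erasure, or when its
    last activity is older than the retention period and nobody documented
    (and told the candidate about) a longer retention. Records already
    anonymised by an earlier sweep are left alone, so the sweep is idempotent.
    """
    out = []
    for c in candidates:
        if "email" not in c:  # already anonymised in a previous sweep
            out.append(c)
            continue
        expired = today - c["last_activity"] > retention
        extended = c.get("retention_extended_until")
        still_justified = extended is not None and extended >= today
        if c.get("erasure_requested") or (expired and not still_justified):
            suppression.add(contact_key(c["email"], key))
            out.append(anonymise(c))
        else:
            out.append(c)
    return out


def may_contact(email: str, suppression: set[str], key: bytes) -> bool:
    """Check before sending a sourcing e-mail; False means the person was erased."""
    return contact_key(email, key) not in suppression


# Constructed sample data for the example (not real candidates).
SAMPLE = [
    {"id": 1, "name": "Ada Example", "email": "Ada@Example.com", "phone": "000",
     "cv_text": "...", "job_id": "J-1", "stage": "rejected",
     "last_activity": date(2017, 1, 10)},                       # past retention
    {"id": 2, "name": "Bob Example", "email": "bob@example.com", "phone": "000",
     "cv_text": "...", "job_id": "J-1", "stage": "interview",
     "last_activity": date(2018, 3, 1)},                        # active
    {"id": 3, "name": "Cy Example", "email": "cy@example.com", "phone": "000",
     "cv_text": "...", "job_id": "J-2", "stage": "screening",
     "last_activity": date(2018, 4, 20), "erasure_requested": True},
    {"id": 4, "name": "Di Example", "email": "di@example.com", "phone": "000",
     "cv_text": "...", "job_id": "J-2", "stage": "talent_pool",
     "last_activity": date(2017, 2, 1),
     "retention_extended_until": date(2018, 12, 31)},           # candidate informed
]


def run_sample() -> tuple[list[dict], set[str]]:
    """Run one sweep over the sample as of 25 May 2018."""
    suppression: set[str] = set()
    result = sweep(SAMPLE, suppression, date(2018, 5, 25), DEMO_KEY)
    return result, suppression


if __name__ == "__main__":
    records, suppressed = run_sample()
    for r in records:
        print(r["id"], r.get("status", "active"), r["job_id"], r["stage"])
    print("may contact ada@example.com:",
          may_contact("ada@example.com", suppressed, DEMO_KEY))
```

The anonymised records keep `job_id`, `stage` and `last_activity`, so a funnel report still counts the same number of applicants per role, while the suppression list holds only keyed hashes: you can detect a repeat sourcing attempt without keeping the address you promised to delete.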

  • 14. Have you reviewed the data protection policies and practices of your software providers/ data processors?

    Under GDPR, you’re accountable for the compliance of those that process data on your behalf, and Article 28 requires a written contract with each processor. Make sure all your vendors give you adequate assurance that they can protect and process personal data the way GDPR requires. If they can’t, you need to have found other data processors by 25 May 2018.