The new General Data Protection Regulation (GDPR) will change the way we advertise jobs and recruitment in general. Get ahead in your recruitment efforts with some more information.
Article updated in May 2018.
The General Data Protection Regulation is changing the way companies recruit – this is generally good, but it will increase the complexity of online recruitment for some companies.
In this article, we will focus on what you need to ask in your job postings and what data you must collect from potential candidates in the future when the new Personal Data Regulation enters into force at the end of this week, on May 25, 2018.
You will find answers to the following questions regarding online recruitment:
- What kind of data will be allowed in recruitment?
- What are you allowed to ask your candidates according to GDPR?
- What you should be able to document for data protection?
- How to avoid unwanted information?
What does the new General Data Protection Regulation allow?
In reality, there is not a big difference in the kind of data you are allowed to collect before and after the General Data Protection Regulation. The key difference is in your documentation and in the processing of data.
Therefore, you can expect some extra work in the processes before and after the collection of data. For example, it is necessary to argue the reason behind the collection of certain kinds of data in connection with recruitment.
Therefore, as a recruitment officer, you need to cast a critical look at the data you collect about your candidates.
A critical eye for your vacancies
Not all the knowledge and data you collect is relevant to evaluate the best candidate for a specific job vacancy.
With the new Personal Data Regulation you need to look at the application form(s) you use and answer the following questions:
- Are all questions relevant to find the right candidate?
- Do you collect sensitive information?
- Have you documented your assessment and positioning of the above?
When the General Data Protection Regulation comes into force on Friday, it is important, that you have thought about and implemented these questions in your recruitment routine, so your online recruitment process meets the requirements of GDPR.
Try the risk assessment tool provided by HR-ON.
Important knowledge or indifferent information?
To start with the first question, it is important that you do not have unnecessary questions on your application form.
Is it still relevant to know your applicant’s place of residence, or is it a superfluous information that can be substituted with the candidate’s general zip-code, to know if they live nearby? Most people already communicate by phone or e-mail, so you probably do not need to send a letter to any of your candidates via mail.
Place of residence is, therefore, in most cases, an example of unnecessary information from your applicants.
When the General Data Protection Regulation comes into force on May 25th, it is important that you expound the information and data, that you gather from candidates. The Data Protection Agency will be critical to both redundant and useless data collection from candidates, which can be at risk – especially if there is sensitive information among them.
Which leads us to the next important point.
What kinds of data does the GDPR allow you to collect and store?
In the European Regulation, it is distinguished between two kinds of personal data: general information and sensitive information.
The level of data security and documentation depends on the type of data you want to collect. Especially your measures in case of data breaches and leaks.
Examples of the two different kinds of personal data can be seen in the table:
|General information||Sensitive information|
If you only want to collect just general information, it makes sense to obtain a so-called ISO 27001 certification.
You can read about ISO 27001 certification here.
As a general rule, you should only collect common information, as sensitive information has much higher information security requirements.
GDPR requires documentation
One of the most important points in the new General Personal Data Regulation, in relation to your recruitment and job creation, is documentation.
In order to be GDPR-compliant with your questions in the job posting, it is important that you not only have a critical look at the data and questions you ask your applicants – you must also prove that you have been critical of them.
In practice, this means, that you will need a handbook or documented guidelines for questions in vacancies that you can refer to if the Personal Data Agency comes knocking at the door.
For many recruitment officers, it will therefore make sense to use standardized questions in job vacancies to avoid documentation and argumentation for data collection in all job listings and posts.
How do I avoid sensitive information?
Now you know, what you are allowed to ask your candidates and how to document your recruitment process.
But your applicants can still send you sensitive information through mail or your recruitment system – and that can actually become a problem for you. According to the General Data Protection Regulation, you are still obliged to take measures to ensure that you do not receive sensitive information from people.
In the vast majority of cases, it will probably be enough to point out, that you do not want to receive your applicants’ social security number, health history, information about political or religious beliefs and other sensitive information.
In other cases it’s hard to get rid of them; for example on exam papers, which almost always have the social security number printed on them.
But since HR-ON has as its declared purpose to make recruitment easier, we have implemented technical solutions that can automatically sort out much of the sensitive information.
Read about the future of e-recruitment here get a demo before the GDPR is coming into force on May 25, 2018.