Keep up to date /

Protecting candidate data during and after recruitment

Posted in Employers on Jun 19, 2018 by Keeley Edge

We’re sure, like us, you’ve been overloaded with emails, advice and information about GDPR. You’re probably fed up of hearing about it; we are. 

Unfortunately, it’s not something that can be easily ignored if you want to avoid the risk of fines.


The main aim of GDPR is to protect personal data and the key thing for businesses is transparency. Individuals need to know what data you are collecting, how you are using it and that you are taking adequate steps to keep it secure.

Many businesses have focussed their GDPR efforts on the marketing side of their business, but recruitment comes with its own GDPR implications. If you’re recruiting, you need to be aware of the pitfalls when it comes to sourcing, protecting and using candidate data.


Sourcing applicants

When you advertise a job and have CVs sent to you, it’s easy to assume that the candidate is consenting to you holding their data and contacting them. Whilst a candidate is probably expecting contact if they have applied for a job, they aren’t necessarily consenting to you adding their details to a database or storing their CV online or printing out hard copies and sharing with the team.

To prevent any misunderstandings, it is a good idea to reply to CV submissions with a link to your privacy policy and a request for consent to process the application, outlining what this will involve.

A system that records the time and date that consent is given is the best way to cover yourself. You should also make it clear to the candidate how they can opt out and request that you delete their data.


Storing applicant data

You should have a clear policy for how long you will retain data. If you receive a CV but decide not to take a candidate through to interview stage, do you need to keep their details? If you are inviting a candidate to interview, will you retain their data after the recruitment process ends?

If you decide to keep unsuccessful candidates on file after the position has been filled, you need their consent to do this. It should be clear how long you intend on keeping their details and what details you will store. For example, if you run a graduate scheme each year, you may want to keep a summary of a candidate’s skills and their contact details until the next recruitment cycle.

Interview notes

Candidates have the right to request to see any notes you made during the interview, so you will need a policy for how you will store these. If you are typing these up or uploading them to a system, then you need to ensure that it is secure and that you only retain these for as long as is reasonable to do so.

Any comments in the notes that could be viewed as discriminatory can cause big problems for companies. A structured scoring system with minimal notes can be a good option.


Contacting references

When offering a position to a candidate it is common practice to obtain references from previous employers. The former employer should not give any personal information about the candidate without their consent. You will find it easier to get references if you can prove the candidate has consented to you obtaining this information.

You should be as explicit as possible in what the consent covers. Is the new employee giving consent for the previous employer to disclose absence records, details of their role, comments around specific areas of their performance? Alternatively, are they consenting only to the previous employer confirming the dates they worked for them and the position they held?


Working with recruitment specialists

If you don’t recruit regularly or you don’t have a dedicated recruitment department, it is beneficial to work with a recruitment company. It is imperative that you only work with recruiters who meet GDPR requirements. The recruiter will be the ‘processor’ and will have very strict obligations. If they have taken the appropriate measures to meet their obligations, then it can mean less pressure on you, as their CV databases should all be protected and compliant.

There will still be requirements for you to ensure data is processed securely and within the parameters of the consent given. However, a recruitment specialist that is adhering to GDPR will be able to give you guidance on this.


Working with Key Appointments

At Key Appointments, we have gone to great lengths to ensure that we are protecting ourselves, our candidates and our clients when it comes to GDPR. We have clear policies and secure systems surrounding CV collection, obtaining consent and processing data.

You can be confident that when you work with us, we are taking all necessary precautions to protect you and the candidates.

If you would like to know more about how we are managing GDPR and how we can help you remain compliant during your recruitment process, then we’d love to chat.

Contact our friendly consultants to discuss any of your recruitment needs.

Latest from the blog

1st February 2024

How candidate behaviour and interview etiquette has changed over recent years

I began my career in the world of recruitment more... Read more

9th January 2024

Recruiting the Right Talent in 2024

As we have now bid farewell to 2023, so let's take... Read more

6th November 2023

Attracting Top Talent: The SME Advantage

Small and Medium-sized Enterprises (SMEs) are the... Read more

Read all blog posts