With the exception of one-man businesses, there are few companies that don’t have to deal with recruitment in their day-to-day operations. Awareness, transparency, continuity (documentation) and security should be the baseline values of any company. They also form the basis of data protection, which is becoming an increasingly important metric in the image of a desirable employer.
Marit Alaväli, founder of recruitment software Recrur, has made it her mission to improve the overall quality of recruitment in Estonia. The focus of this article is data protection, as looking after candidates’ data gives companies an advantage on the labour market regarding finding talent. At the request of Recrur, Piia Laks-Järve, data protection specialist and the founder of data protection service DataVie, has narrowed down the primary data protection-related weaknesses in the recruitment process.
1. There is no recruitment process.
Let’s forget the bureaucratic term “process” for a moment and look at its actual meaning and purpose. Companies that have recruitment figured out – from the position profile and job ad to formal rejection – understand that you have only one chance to make a first impression. Unfortunately, it is still all too common for candidates to invest their time in a so-called sinkhole, with no feedback whatsoever. Most of us have been there and know how unpleasant this feels. Agreed practices not only help ensure quality recruitment, but they also create the preconditions for better GDPR compliance.
2. There is no overview of data processing.
In order to ensure an overview of all personal data obtained during recruitment and their processing, it is necessary to document the data processing – this is required by law, and the Data Protection Inspectorate can request it at any time. Even requesting personal data in a job ad – such as the phone number in a CV – constitutes the collection of personal data, which can prompt numerous questions from the candidate, such as where the data are sent, who has access to them, where they are stored, for how long, etc.
Documented data processing answers these questions, but it can also reveal shortcomings. In short, documentation raises the awareness of companies, which allows them to improve the situation. For example, it may turn out that the data collected do not have any retention periods set. This is not advisable for several reasons – aside from non-compliance with the law, it makes no sense to keep digital waste forever or to increase data sets and thus increase the risk of cyberattacks and data leaks.
3. Legitimate interest has not been analysed.
The data processing overview must also specify the legal basis for the collection of data, which in the case of recruitment is usually legitimate interest. However, in order to process data on the basis of legitimate interest, it is necessary to carry out a legitimate interest analysis, which weighs the interests of both parties (the recruiter, ie the company, and the candidate, ie the data subject) and describes the advantages and disadvantages of data collection. The analysis determines whether the interests of the employer outweigh the interests of the candidate or their fundamental rights and freedoms.
For example, when recruiting a kindergarten teacher, it makes sense to request information from the Criminal Records Database, while requesting information about the solvency of a warehouse worker may not be justified. Therefore, any background checks should also be justified and proportionate to the position and its specifics. The employer must be prepared for the candidate or the Data Protection Inspectorate to request this analysis.
4. Copying a similar company’s privacy notice.
Companies are also legally obliged to prepare and publish a privacy notice that gives candidates detailed answers on how their data will be processed: the purpose and legal basis of the processing, which data are collected and processed, to whom they are forwarded, for how long they are stored, etc. In order to ensure clarity and transparency, it makes sense to prepare a separate privacy policy for recruitment. While it may seem like a good idea to copy and paste a similar company’s privacy notice and modify it slightly, this is not appropriate, as privacy policies are based on the previously mentioned data processing overview (see point 2), which is unique for every company.
5. The job ad has no reference to a privacy notice.
It’s best to include a link or reference to your privacy notice in the job ad. This ensures that candidates can review the conditions of personal data processing before submitting their data. For example, if the company conducts background checks as part of the recruitment process, this is stated in the privacy notice and the applicant can take it into consideration. Having a privacy notice also shows potential candidates the employer’s data protection maturity and the overall work culture.
6. Believing that your recruitment partner is GDPR-compliant without making sure.
Let’s start with a simple example: in the case of the recent Asper Biogene data leak, Asper had 42 partners, who were most likely the data controllers, while Asper itself was the data processor, ie the one ordering the genetic tests. Patients/clients/data subjects entrusted their data to the medical institution for whom Asper performed genetic tests through subcontracting. It raises the question of whether those 42 partners were aware of how Asper Biogene was processing such sensitive data. This means that if a company uses the help of a recruitment agency or even a software application in the recruitment process, the company as the data controller must ensure that their partner is also GDPR-compliant.
7. There is no data protection agreement with the recruitment agency or software company.
Data protection agreements regulate the partnership and provide both parties with legal clarity and awareness of expectations for GDPR compliance. If there is no data protection agreement, the data controller is liable for the breach.
8. Forgetting that you have given indefinite access to personal data.
The company’s privacy policy may be insufficient: proper procedures are not in place and security measures are lacking and undocumented. For example, your partner from the recruitment agency is given access (including to personal data), but it is procedurally and technically unregulated. It is not uncommon for partners to still have access to data after the agreement has expired.
9. Sending large amounts of personal data by email.
Companies and HR departments that don’t use recruitment software may generate huge Excel files containing candidates’ personal data, which they share internally by email. While sending a personal identification code by email isn’t necessarily risky, it’s irresponsible to send large volumes of personal data in this way. The issue can, however, be solved by recruitment software, encryption or secure hard drives with restricted access. Nobody is safe from accidentally sending an email to the wrong person – for example, if the company employs several people with the same first name and the email system suggests potential recipients as you type.
10. Asking a past employer for feedback without the employee’s consent.
Understandably, it’s tempting to research the candidate’s background by contacting their previous employer, which is a familiar yet often underused practice due to time constraints. However, it’s important to understand that doing so requires the consent of both the candidate and the previous employer’s contact person. It should be noted that if a candidate lists references in their CV, they should also ask for consent beforehand.
11. Unwillingness or inability to forward to candidates the data collected about them.
Legally, everything is clear: candidates have the right to request all data gathered about them during the recruitment process, and the data must be provided. Such data includes contact information required for the application, the results of any background checks and even the notes that the HR specialist makes on the computer during the interview. Candidates also have the right to know which databases were accessed during the background check and what the results were. Having a criminal record for theft can’t be a surprise to the candidate, yet it seems like this information is being kept hidden from the person themselves.
12. Keeping candidates’ data indefinitely, ie for more than a year.
By law, employers have the right to preserve candidates’ data for up to a year. This need primarily stems from potential disputes, giving the employer the ability to defend themselves. However, the interest in storing data for more than a year principally stems from employers wanting to keep the data of strong candidates in order to contact them in case a new position arises. It is more rarely used to keep note of serial applicants, but making a blacklist without a legitimate interest analysis is not allowed.
In conclusion, candidates’ personal data can be kept for more than a year, but this requires the person’s consent, preferably in a reproducible form. The person must also be able to revoke their consent at any time, after which the data must be deleted.
Marit Alaväli believes that recruitment determines the first impression of the company and, in reality, it’s the first and most essential part of employment and the employer’s reputation. Even if the company can hire only one person, smart recruiters and employers know that unsuccessful candidates may be a powerful asset in the future. According to Piia Laks-Järve, recruitment should make a positive impression on all candidates, so that its professionalism sets an example from the data protection standpoint as well.