GDPR officially came into effect in May 2018. Companies are now required to obtain permission from candidates on how they process their information and should be able to process and store those details accordingly.
They must also be able to show that candidates gave permission for those details to be kept on file. The easiest way of doing this is by centralizing your recruitment process, as this allows you to request permission from the candidates when they process their applications.
What happens when you receive a CV by email?
Even if the candidate has applied for a specific role and you have manually received their email, this does not give you the consent you require to add them to your recruitment software, to keep their CV in your email inbox, or even to share that CV with other people within your organization.
Nor does it, by any means, mean you can’t store that CV in a filing cabinet.
The fact is that every candidate has to agree to your privacy policy, which includes how you are going to process this data, where it will be stored and who you will be sharing their data with. Some companies may argue that personally sending a CV to an email inbox gives enough consent for you to contact that candidate; this really isn’t the case.
If you choose to make contact it should be merely to tell that person to apply for the role through your online career portal.
As mentioned in our previous article, "When spreadsheets go bad", it is also imperative that you do not store candidate details in spreadsheets, as this is a huge security risk and a GDPR flaw. Another thing to note is that you should provide your candidates with the correct version of your privacy policy.
Although it may be easy to obtain consent manually from candidates (sending candidates an email asking them to agree to the privacy policy provided), it is also time-consuming.
What can be done to solve this challenge?
Although consent may be obtained from candidates over email by reaching out to them personally to acquire it, this has proven to be very time-consuming. Your most important asset at this time would be an ATS. If you aren’t using an ATS, consider investing in one. Spreadsheets, which are the most common alternative to software, may expose you to risks concerning GDPR compliance. One of the key benefits of spreadsheets is also a big flaw: they can be easily duplicated. An ATS, on the other hand, will be a great ally in ensuring your company complies well.
When planning to purchase an ATS, you should ask:
- Whether GDPR applies to them as processors. If they aren’t an EU company, they should either be part of the Privacy Shield (for U.S. companies) or be ready to sign effective data processing agreements that oblige them to follow GDPR’s guidelines.
- How they plan to become GDPR compliant. They should also be able to tell you where they store their data and how they ensure this data is protected.
- Whether they use compliant vendors. They should have data processing agreements in place with those subcontractors.
- Whether they have clear privacy policies. Review their privacy policies to ensure they comply with GDPR and can adequately protect candidate data.