The best online recruiting resource for HR Teams,   

In-house Recruiters and Hiring Managers

How to get your in-house recruitment team GDPR-ready

GDPR Ready In House Recruiters.png

As a recap, and for those that didn’t read our last GDPR blog, the General Data Protection Regulation comes into place on the 25th May 2018. The new rules have allowed for an increased level of legal certainty for data that travels within the EU. This forces organisation’s to be more transparent about the way they are using consumer data.

The new regulations have been heavily marketed and a number of horror stories have started to surface. We know that the legislation can sound scary, especially with the fines for non-compliance, but this is an essential regulation that will help to prevent our own personal data from being stolen, misused or sent to third parties without our prior consent – so it’s a good thing!

What does my recruitment team need to know?

Data Consent

GDPR is raising the bar for consent which could have implications on the way you share candidate CVs and application forms. Under GDPR, consent needs to be clear, simple and concise but, more importantly, consent will need to have clear, affirmative actions. These affirmative actions mean the practice of pre-checked boxes can no longer be classified as consent.

Separate consent must now be sought for separate processing activities. Candidate CVs will not be allowed to be forwarded on to other vacancies without permission from the candidate. This can make the practice of speculating CVs, more difficult.

Another key takeaway is the sharing of data with third parties, previously it has been concerning to see companies hide something regarding disclosure of information to a third party. They might even use the term ‘we will not usually share information’ the key word here is usually; without knowing it, your data could be shared with these third parties. There can no longer be a workaround on consent; an opt-in box will now be needed.


Data Storage

Storing candidate data in multiple locations can present a big challenge, if you have multiple methods of storing client data, how can you comply with the GDPR?

If a candidate asks for its data to be deleted, how quickly can you find their documents? It could be in multiple places, it could be in a different location. What if this data has been printed out on multiple occasions, can you know for sure if these extra copies have been disposed of in a secure manner?

Recording of data on spreadsheets could be susceptible to data breaches, what then happens if this data gets into the wrong hands? An organisation will now be responsible for providing a paper trail that documents the data processes of their candidates. This data could be extremely difficult to record if there are multiple methods of storing information.

Retention of Data

When you’ve applied for a job in the past, how long should you be on the company’s list of potential candidates? Imagine being contacted for a job with an agent a couple of years after you applied for a position through them? Not only is this data probably out of date, but you would probably question their reason for keeping your data for so long.

GDPR does not give you a specific time limit but there is a requirement that it is only kept as long as necessary. This presents a challenge to those who don’t have an Applicant Tracking System, how can they make sure data is only retained for as long as needed. Will they notify all of their candidates each year asking if they wish to remain on their list? If your receiving unwanted application offers three years later, this is probably not GDPR compliant.

Feedback Requests

If a client has an interview in which they thought they performed well but were surprised to find that their application had not progressed any further, they might feel aggrieved and want to know, in detail, why they were not chosen. Equally, if they receive an email saying that they lacked the relevant experience, they could feel hard done by, especially if they believe that they have the experience. With GDPR, candidates can now, at any point, make a Subject Access Request (SAR).

A Subject Access Request (SAR) gives the company 30 days to produce a candidate’s data, however, what happens if all your data on that candidate is in multiple locations? The candidate’s interview feedback could have been jotted down on paper and then thrown away, or misplaced.

How can Vacancy Filler help my team to be GDPR compliant?

When looking at the GDPR requirements around data opt-in, with Vacancy Filler, we have an obligation to provide information to candidates on how their data is being managed by us on behalf of our clients. The ‘opt-in’ or ‘consent’ statement is visible at every available candidate entry point. This statement is configurable and can be extended to cover the whole recruitment process.

In terms of storing that data in a manner that complies with GDPR, a single system that handles all your candidate and client data is essential under GDPR. Vacancy Filler stores all data within the EU; this data is encrypted with an encryption key per customer. With an Application Tracking System such as Vacancy Filler, all candidate data can be kept in one place, making it easier to demonstrate a clear trail of all your candidate data and compliances. We will also NEVER share your data to any third party – the candidate data in our system is owned by you, and only you.

To comply with GDPR’s data retention regulations, we manage this through our dedicated ‘Client Portal’ where your candidates can manage their own applications. With their own username and password, a candidate can view and withdraw their own applications, as well as having the ability to edit or remove all of their data held within the system.

With Vacancy Filler, we have a requirement to capture all of our clients’ data retention periods. Each candidate’s data file is time-stamped. This data retention period becomes effective from the point that a candidate’s data reaches the Vacancy Filler database. Once it reaches its deletion date, all personal data is deleted. This data is generally kept for 6 – 12 months.

GDPR has now made it even easier, and free, for candidates to request all information that you have stored on them – this could cause significant issues for any business currently not GDPR compliant. Through Vacancy Filler’s Applicant Tracking System, all information is stored on a centralised system, a candidate can make a request, if they pass validation checks, data can then be extracted and provided within a timely manner, and with minimal effort.

If you would like to speak with our Data Protection Officer, please email with your name, company name and the best number to contact you on, or click below to request a call.


Your Comments :