What is GDPR and why is it relevant to recruitment?

The Data Protection Act was updated in 2018 to incorporate the digital world. GDPR was created to protect individuals who share their information with a company - this includes recruitment.

So, what is GDPR and why is it so important that it is adhered to?


In 2006, the Council of Europe launched Data Protection Day, a day designated to educate the public on data protection. Data Protection Day has since been marked annually on 28 January - the date that the Council of Europe's data protection convention (Convention 108) was opened for signing.

UK General Data Protection Regulation (UK GDPR) protects individuals' data in any circumstances where it is handed over to a company, so recruitment is no different!

The Data Protection Act was updated in 2018 to bring the regulations in line with the modern world, specifically how much we all rely on the Internet to provide and store data. The act is the UK's implementation of GDPR and remains relevant until it is superseded.

GDPR not only protects individuals' data but also prevents the misuse of data by third parties; this includes fraud, identity theft, phishing and more.

GDPR can be complex to adhere to, but there are seven data protection principles of GDPR that any company handling data must follow. They are:

  • lawfulness, fairness, and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality (security)
  • accountability

The principles lie at the heart of UK GDPR, and although they are strict rules, they are considered to be the building blocks of any good data protection practice.

You may be wondering how GDPR relates to your recruitment process. Well, data is collected at every stage of the recruitment process, ranging from application forms to shortlisting forms and reports, but there is a difference between what is considered personal data and what is considered sensitive data.

Personal data relates to information that can directly or indirectly identify an individual, such as a name, address or even an ID number. Sensitive data, by contrast, is information that relates to an individual's race, gender or religion - key information about them, but information that does not by itself identify them. Sensitive data is typically collected for equal opportunity reasons and should therefore only be used for this purpose.

When handling personal data, it is a company's responsibility to safeguard confidentiality. Employers must provide a link to their privacy policy and make it accessible throughout the recruitment process. The policy notice must tell candidates why the information is being collected, what will happen to it and who will see it. Employers also need to explain their reasons if the data is used for any purpose other than the one for which the candidate provided it.

It is down to the employer to keep a candidate's data safe and secure - but what if there is a breach of data?

A breach is considered to be any incident that leads to a loss of personal data, whether it is stolen, destroyed or changed without permission. If data has been breached, companies can face a maximum fine of £17.5 million or 4% of annual global turnover - whichever is greater. No company wants this to happen to them, which is why complying with GDPR is so vital!

Therefore, it is beneficial that any company collecting data during the recruitment process does everything it can to protect candidates' personal information - whether that is through implementing stringent security measures or using recruitment technology that puts data security at the forefront of its values.

Did you know that candidates can exercise their rights to submit data requests? They can ask a company for access to their personal data at any time within the retention period, ask for any incorrect information to be rectified, or even request that their data be deleted before the end of the retention period. It is therefore always worth remembering that if you or your hiring manager make any notes against a candidate's data, the candidate is entitled to view that information and act on it if necessary! It's worth incorporating your company's GDPR policies into training for new hires and communicating regular updates to protect yourself and your company.

At Reach, we have gone above and beyond to protect data stored within our systems – our entire organisation is ISO 27001 accredited. This certification is the globally accepted standard for information security and demonstrates to customers and candidates that we take their information security seriously.

St John Ambulance

We use Reach to hire several thousand volunteers each year and employees across all departments from Administration to IT to HR. We've recruited some great talent through the Reach system.

Emma Evans, HR Manager