Both technology and the Internet may have given us massive improvements in many aspects of our lives, but there are some cons that we must deal with, too.

Over the past few years, concerns about privacy and about personal information being shared without permission have grown, and it was about time the authorities did something about it.

Enter the General Data Protection Regulation (GDPR), a new European Union law that aims to protect its citizens’ personal data and their right to privacy. GDPR applies to EU organizations and to other global companies that offer goods or services to EU organizations; each time they collect and process candidate data during the hiring process, they must be transparent with all candidates and uphold their rights.

The EU enforces this law strictly and has imposed stiff fines in two tiers: the lower tier amounts to €10 million or 2% of the organization’s annual global revenue, whichever is higher, and the upper tier to €20 million or 4% of annual global revenue, whichever is higher.

Organizations must ensure that their candidates’ rights are upheld throughout the recruitment process. The directives below, as discussed by engageSPARK’s VP for Sales, Eli Harrell, at the last Asia CEO HR Summit, will help you make sure no laws are broken.


Legitimate interest in collecting data

The GDPR requires you to collect candidate data only for specific, explicit, and legitimate purposes, which means you may do so only if the data is related to the job and you intend to contact the candidates within 30 days.


Consent for sensitive data

Consent has become one of the most important words of the last few years, so you need to ask for it in a clear and comprehensible manner whenever you want to process a candidate’s sensitive data. Candidates must also be told how they can withdraw consent if they wish to.


Transparency about data storage and use

Your company must put in place privacy policies that are readily available to candidates, disclose in full where you store their data, and make clear that the data will be used exclusively for recruitment purposes.


Right to access and remove data

Each candidate also has the right to know what data of theirs you hold. You must grant any request to correct inaccuracies, and you have one month to provide them with a free electronic copy of their personal data.


Accountability for compliance

Your company should take the initiative to demonstrate compliance with all the requirements of the GDPR, and if any other party involved fails to comply, your company is accountable, too.


Here are the necessary steps so that you and your company can comply with all the regulations:

Map your recruiting data

To prepare your company for compliance, you must first conduct a company-wide audit of all the data in your possession. This will show you what kind of data your company collects, how, why, and from where.

Once the audit is done, you can make the adjustments needed to bring any issues you found into line with the regulations.


Create a privacy policy for recruiting

Transparency is of utmost importance when handling other people’s information, so your company should have its own privacy policy that explains how it collects, processes, and keeps data. This should include instructions on how candidates can have their data deleted or rectified, along with a recruitment privacy notice that addresses candidates directly.

Finally, the policy should contain all the information required by the regulation, particularly Articles 13 and 14, including the measures in place to protect data.


Amend your sourcing practices to comply with regulations

You must have a legitimate interest, strictly for recruitment purposes, before collecting data from a lawful and reputable source and storing it in your applicant tracking system for future reference.


Ensure your job application process complies with GDPR

Your data processing must be fully compliant with the GDPR from the moment you receive application forms and resumes up to the point of rejection, even though explicit consent is not needed because the applications correspond to actual job openings.


Update your processes as needed to grant candidate requests

You will have to establish processes that let candidates access all the personal data you hold about them, have that data deleted or rectified, and withdraw consent if they wish.

Make sure these processes are clearly stated on your website or under your terms and conditions.


In the best interest of both recruiters and job candidates, sticking strictly to the GDPR will make for a smoother recruitment process. By following these regulations and using GDPR-compliant recruiting tools, you can handle information given to you in good faith and make sure your candidates can trust you with their data, knowing it is safe and will never be misused.