What is the real impact of GDPR on recruiting?

By Jerome Ternynck – Founder & CEO of SmartRecruiters, the Hiring Success Company
Presenter, “Measuring the Return on Hiring Success” – NCHRA Talent Acquisition Conference, June 7, 2018.

Unfortunately for recruiting organizations, GDPR will be the end of an age where privacy wasn’t the main imperative. Sometimes governments put out regulations that don’t make a lot of sense.

Thankfully, Europe’s new General Data Protection Regulation (GDPR), which comes into effect today, the 25th of May, 2018, isn’t one of those.

It is actually a much needed and straightforward set of rules to govern how businesses treat data privacy in our digital world.

For those of us in the recruiting business, GDPR specifies the rights of the Data Subjects (the candidates), the obligations of the Data Controller (you as a recruiting organization), and the Data Processor (your ATS and other systems). Amongst other things, the law requires that Data Controllers follow five core principles: that they be fair and lawful in their execution, that their usage be explicitly specified, that the only data kept is that which is necessary, and that it be both current and accurate and kept for a limited retention time.

Details of how GDPR applies to recruiting can be found here.

The new regulations require that companies operating in Europe or collecting data about EU citizens take appropriate Technical and Organizational Measures (TOMs), and that recruiting organizations turn to their Data Processors for technical measures to make them GDPR compliant. While it is true that technology providers have a number of obligations and standards to meet before the deadline, that’s not where the main difficulty lies. The real challenge for recruiting organizations is not technical, but organizational.

For years, recruiting departments have operated with limited scrutiny from their organizations. The first question the Data Privacy Officer is going to ask is: Where is the data?

Unlike other corporate functions, like Marketing or Customer Success, the inflow of private data in recruiting is very hard to control. In most organizations, resumes come in from dozens of channels and are stored, willingly or not, in various places including the ATS, CRM, job board accounts, LinkedIn, sourcing tools, emails, spreadsheets, etc.

The situation raises a number of other questions recruiting organizations will have a hard time answering, such as: Do we have a unique Candidate Record for each individual that has interacted in any way with our recruiting teams? Is our database current and accurate? Have all the individuals we store data about given explicit consent? Do we store the data only for as long as necessary? Can candidates access all their data? Is all the data collected fair and lawful?

The bottom line: is GDPR compliance possible with the current standards and practices?

Unfortunately, it is not.

The first step towards GDPR compliance is to have control over all the data you collect and how it is subsequently processed. That means you need to have 100 percent of your data in one place. A single system where all recruiting activities happen.

This System of Record is an end-to-end Talent Acquisition Suite that consolidates all your CRM/Marketing/Sourcing efforts in one place, following candidates through the entire recruiting cycle. The recruiting system keeps a unique candidate ID, just like your HR system keeps the employee ID.

Organizationally, this means 3 things:

1) All resumes in one place.

Channel ALL resumes from ALL sources (advertising, referrals, sourcing, events, agencies…) into the Talent Acquisition Suite. Easier said than done, but it is critical that no resumes are left behind and that there are no unknown sources or storage (in an inbox, for example).

2) No activity outside the system.

Ensure that ALL recruiting activities occur inside the system. Everything from initial contact to manager review, interview feedback, assessment, offers… Personal Data should never leave the system. No emailing of resumes or side spreadsheets or activity outside the system.

3) No exceptions to points 1 and 2…

With this in place, you now have control over all your data, will be able to start applying the technical and organizational measures that GDPR requires, and work with your technology provider to ensure they do their part.

GDPR is going to change recruiting forever. Do not be left behind!


Meet up with Jerome Ternynck at the NCHRA Talent Acquisition Conference, June 7, 2018 in San Francisco. His session, “Measuring the Return on Hiring Success,” will be held at 10 a.m.

At the Talent Acquisition Conference you’ll hear from and engage with talent acquisition pros, including Jerome, who have amazing results to show for their efforts, and they want to share their best practices with you!

Prepare to cover topics ranging from employer branding, employee value propositions, inclusive job descriptions, effective job postings, engaging interview techniques, up to measuring your return on hiring success.

This full-day event will definitely propel your recruiting efforts forward into “What’s Next” for your organization’s talent!

Get the full agenda and register here. 
