Recruiting and GDPR: Complying With New Data Privacy Regulations

by Steven Dashiell

With a host of improvements to the way they approach hiring, the talent acquisition industry has embraced the technological innovations that are bringing so much change to businesses across all verticals. However, new EU regulation on how organizations may collect and use personal data means that the talent acquisition industry will need to tread more carefully into the realm of automation and artificial intelligence.

The Rise and Fall of Cambridge Analytica

What companies do with collected user data has come under greater fire since it came to light that political consulting firm Cambridge Analytica scraped information from nearly 87 million Facebook users without their consent, using this information to help political clients win campaigns. They obtained this user information through supposedly innocent apps, such as “personality tests,” with Facebook providing little oversight at the time on what ultimately happened with that data. Cambridge Analytica has since filed for bankruptcy following the controversy.

The lack of transparency creates problems for other companies that rely on user data, even if they do nothing unscrupulous with the information. When a candidate uploads a resume to a job board such as Monster or connects with a placement agency to find work, what do those companies do with that information? And how many other companies have access to it?

These questions erode the trust of potential candidates. What's more, many automated candidate filtering systems rely on gathered data, but where is that data coming from? And can an automated system know whether it truly has the consent of the candidate?

Enter the GDPR

The fallout of the Cambridge Analytica scandal forced Mark Zuckerberg, and in turn much of the world, to acknowledge the dangers of poorly controlled user information. But in other parts of the world, the privacy of user data has been a subject of debate for some time now, and chief among the efforts to standardize how this data is collected is the EU's General Data Protection Regulation (GDPR).

After years of preparation on how the GDPR would regulate the collection and use of personal data, the regulation becomes enforceable on 25 May 2018. A few major provisions will have a direct impact on talent acquisition and recruiters in the EU, and potentially in the United States:

The scope of applicability

Where EU data privacy rules in the past were largely limited to businesses established within the EU, the GDPR also applies to businesses outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour (Article 3). A recruiter in the United States sourcing candidates who live in the EU falls within that scope.

Clear consent

Under the GDPR, businesses must state the intended use of personal data in a clear and direct manner, and consent must be freely given, specific and unambiguous. Obfuscating this intent with "legalese" will not be tolerated under the new GDPR requirements.

Failure to comply with the GDPR's requirements can lead to hefty fines. For the most serious infringements the ceiling is 20 million euros (roughly 23 million US dollars at the time of writing) or 4 percent of annual global turnover, whichever is higher; a lower tier of 10 million euros or 2 percent applies to other breaches.

How Will Recruiters Need To Prepare?

These provisions, coupled with other parts of the GDPR that cover a data subject's right to access their information, the right to be "forgotten" (erasure), and notification of when and how their data is being processed, mean that all businesses need to treat personal data with much greater care. Below are a few items that talent acquisition leaders and recruiters will want to perform if they intend to search for candidates in the EU, or to work with contractors that draw from this candidate pool:

Be mindful of the candidate data that falls under the GDPR's provisions

What data does that include for recruiters? Any information relating to an identified or identifiable individual in the EU, which covers just about everything found on a resume: names, email addresses (including those that contain part of a name), home addresses, phone numbers, IP addresses and other online identifiers, and even job preferences attributed to that individual. Resumes can also contain "special category" data such as health conditions, ethnicity, religion or trade union membership, which the GDPR subjects to stricter rules, so be deliberate about whether you need to collect or retain it at all.

Audit existing candidate information

Your existing candidate information needs to be thoroughly audited to establish what you hold on candidates in the EU, the lawful basis on which you hold it, and how long you intend to keep it, and to ensure those candidates know you have their information and what you do with it.

Check in with your partners

Recruiters that work with data collection agencies or other additional services need to make sure those agencies are compliant with GDPR requirements and can produce proof of that compliance. Any vendor that processes candidate data on your behalf must also be bound by a written data processing agreement, which the GDPR requires between a controller and its processors.

Update your privacy policy

Your privacy policy and all documentation related to collected data must be updated to reflect acknowledgement of and adherence to the GDPR. This includes items on your website, such as the "cookie" notice shown to new visitors.

Redouble your data security

The GDPR requires certain organizations to appoint a data protection officer: public authorities, and businesses whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data. A recruiting operation that profiles candidates at scale may well meet that bar, and appointing one is good practice regardless. This role is responsible for overseeing the protection of personal data, including the management of data security processes. You don't necessarily have to hire a new individual for this position, but whoever is assigned the role must understand and be able to execute its requirements. Separately, the GDPR obliges every organization to apply security measures appropriate to the risk, such as encryption and access controls, and to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it.

While these are all good places to start your compliance efforts, these changes can't happen overnight. Recruiters and talent acquisition leaders will have to work closely with every touchpoint for candidate data to make sure they comply with the new regulations where necessary. Stay tuned to the RPOA for the latest need-to-know information and advice on handling candidate data.
