If you are handling data of candidates from the European Union and the United Kingdom, it is essential to be aligned with the General Data Protection Regulation (GDPR) and the UK GDPR. In this article, you will see how to inform active and passive candidates about your privacy policy, how to create application forms that only require data relevant to the job, how to manage information from social media, and how to handle data deletion requests.
Informing candidates about your Privacy Policy
Ensure that active and passive candidates in your Workable account are informed about your Privacy Policy and that their data is in your organization’s possession.
Active candidates are those who applied to your jobs themselves, either from the job boards, from social media, or anywhere else that you shared your job opening. Passive candidates are those who have not filled out the application form and who were uploaded by members of your account or external recruiters, sourced via People Search/AI Recruiter, referred by other members of your organization, or who even handed their CV to your team at a career fair.
With the GDPR features, you can automatically include a link to your Privacy Policy in the candidate’s application confirmation email. Click here to check the full list of the GDPR features.
Engaging with applied candidates
In line with the GDPR principle of 'data minimization', ensure that as a company you are requesting only what is 'adequate, relevant and limited to what is necessary' in your application forms, and that you have a full understanding of exactly why that data is required.
Your organization will need to take responsibility for your own GDPR and UK GDPR compliance and make sure that your team is using Workable correctly. Of course, as a recruiter, you have a legitimate interest in collecting data from candidates who want to work at your company. Candidates choose the information they submit and should understand that their data will be used for hiring purposes.
Workable’s customizable application form requests only the essential information required for recruiting purposes. The default question structure of the application form can be used as a starting point, but you can always add more questions relevant to the job you’re recruiting for.
Get some inspiration before creating your next application form from our resources page.
Handling data from passive candidates
Whether you’re using People Search or any other sourcing tool, once you have added passive candidates into the pipeline for a job or to your Talent Pool, the GDPR and the UK GDPR state that you must email these candidates 'within a reasonable period after obtaining the personal data, but at the latest within one month' to notify them that you are processing their information and to provide them with details of the processing.
There are two ways to ensure that sourced candidates are aware of your Privacy Policy:
- You can email the candidates separately or in bulk using an email template that can be used to contact passive candidates with a consistent approach.
- The first time you email a sourced candidate or invite them to an event, a footer will be automatically added to the email. The footer includes a link to your organization’s Privacy Notice and an option for the candidate to delete their own data and withdraw from your process. The details in the footer can be edited if needed.
GDPR and automatic social media profile retrieval
When a candidate is added to your account (either through applying or being sourced), Workable's People Search technology will automatically enrich their profile with links to their social media accounts.
As a ‘data processor’, Workable searches publicly available profiles and opt-in databases for information about candidates and prospects. By clicking the links provided, Workable users (‘data controllers’) can view only the information that candidates and prospects have chosen to make available.
On June 29, 2017, the EU's Article 29 Working Party (the collection of data protection authorities) released guidance on the privacy of employees and candidates. This specifies that employers may process social media profile information if there is a legitimate interest.
Quoting from Section 5.1:
Therefore, any potential employer using People Search, whether directly or via the automatic social media profile retrieval, must be able to justify its use on the basis that this is ‘necessary and relevant’ for the job for which the candidate is being evaluated.
For example, an employer might want to review an applicant’s LinkedIn profile since employment history and skill sets are integral information to the hiring process. The employer might not need to inspect an applicant’s X feed, which is likely to contain extraneous information that is not relevant to hiring them.
Note that the option to turn off automatic social media retrieval on the candidate profile is available via the account settings.
Candidates’ deletion requests
Deleting candidate data is a simple process within Workable. You might do this if a candidate has requested deletion, if you never plan to contact the candidate again, or if you’ve held the candidate’s data for a long period without any further follow-up or review.
Candidates can elect to delete their data via a link in their application confirmation email. Alternatively, if a candidate requests to have their data removed from your system, you need to comply immediately and delete their profile and timeline from any jobs they might have been considered for.
To ensure that all their data is removed, we suggest running a quick search with their name or email on the Candidate page to check that all their information is removed from your Workable account.