EU-GDPR: Challenges for Recruiters and HR domain


As mentioned in our previous blog posts, from May, the Federal Data Protection Act is no longer valid, because then ends the transitional period of the new, General Data Protection Regulation. Together with all other domains, there are also basic obligations in the area of human resources: although a recruiter must already be careful to ensure that data are particularly protected by applicants, the protection is significantly expanded.

Especially with data collection, processing and security, a recruiter should be well informed, otherwise, it’ll endanger high penalties. Here below, we’ve listed the biggest challenges possible for recruiters vis-à-vis EU GDPR:


Profiling – Changes in the recruitment research


In case of a shortage of skilled workers, the active search for personnel becomes more and more important. To do this, a recruiter must actively collect data. Consequently, this data collection will not change. However, as soon as this information is reused, there is a lot to consider. Affected individuals must be informed before data processing that their data will be used for profiling. Recruiters have to provide information at this point, what happens to the data afterward.

If a candidate is suitable for the job then the HR must inform other candidates immediately about the planned duration of their data storage and their right to delete the data. This becomes particularly problematic for companies that specialize in data collection. The reason for this is that the new regulation sets a short deadline of 72 hours for the publication and deletion of data. For long-term storage of data, there is a case-dependent period of two to six months. A declaration of consent provides a remedy at this point, this way, the recruiter gets the ability to save data longer. The purpose of the stored data, transparent information, communication and modalities of data subject should always be indicated. (Chapter 3 of the EU GDPR “Rights of the data subject”, Art. 12-23).


Data Processing – What must be considered for public sources?


EU GDPR does not have any exemption for data processing from publicly available sources. Means recruiters are required to provide the data collection. However, this communication does not have to be direct, because a reference in a publicly accessible privacy policy of the companies involved is sufficient.

However, a nonspecific survey and its analysis, keyword: Big Data, is strictly regulated by the EU GDPR. This is because the related data are not kept. Rather, in the case of large data collections, the collected information is checked for value only afterward. These data must be anonymized and may only be used for statistical evaluation (Chapter 9 of the EU-GDPR “Provisions relating to specific processing situations”, in particular Art. 89).


Privacy – How does sensitive information remain confidential?


It is important for recruiters and businesses to review and align privacy information. Because the burden of proof in the case of non-compliance with data protection lies not with the person who identifies a security deficiency, but with the respective company. An offense in data protection is not only the missing deletion or informing a data collection: It is already sufficient if the purpose of the data processing is not specified or there is no regular check on the security of the personal data.

The financial consequences increase with the new regulation and amount to up to 4% of the total worldwide achieved annual turnover of the previous business year. It should, therefore, be ensured a data management system that guarantees a secure, confidential storage of personal data (Chapter 8 of the EU-GDPR “Remedies, Liability and Penalties”, in particular, Art 83).


Conclusion: Recruiters and HR companies must act compelling


No secret: recruiter will also change a lot from May 2018 at the latest because they handle sensitive information about potential job candidates on a daily basis. Recruiters must communicate much more openly with their data collections and their use. Big data handling will be much more severe and IT security will play a crucial role in 2018 and later on. For this reason, recruiter, but also companies should be informed in detail about the EU GDPR. It is not only a challenge but also a great opportunity for recruiters and HR companies to set themselves apart from the competition on an international level with the new standard.