New Research Reveals Majority of Recruiters Ready for GDPR

A regulation out of the European Union meant to go into effect in May could cause recruitment issues for companies all over the world. Nearly three quarters of organizations feel confident in their ability to be GDPR-compliant by the May 25th deadline, but most are worried how the regulations will impact the hiring process. That’s according to Lever.

What is GDPR?

The regulation is known as the General Data Protection Regulation, or GDPR. It was agreed upon by the European Parliament and Council in April 2016. When it goes into effect, the GDPR will be the primary law regulating how companies protect European Union citizens’ personal data.

Each member of the European Union must comply with the regulations. Those that miss the deadline will face penalties and fines.

Some of the key requirements of the GDPR include

• Requiring the consent of subjects for data processing
• Anonymizing collected data to protect privacy
• Providing data breach notifications
• Safely handling the transfer of data across borders
• Requiring certain companies to appoint a data protection officer to oversee GDPR compliance

Who is subject to GDPR Compliance?

The GDPR will put in place a uniform data security law on all EU members. This brings consistency to the European Union meaning member states do not have to write their own data protection laws. So, who is subject to GDPR compliance? Any company that markets goods or services in the EU, regardless of location, must follow GDPR guidelines. As a result, the GDPR will have an impact on data protection globally.

In its research, Lever surveyed 500 professionals across the EU and the United States directly involved in preparing their organizations for GDPR compliance for recruiting.

According to the survey results, 70 percent of respondents believe they will be prepared for GDPR compliant recruiting by May 25th, but preparation doesn’t come overnight, or in a silo. Nearly a third of respondents say they are investing significant time and resources into becoming GDPR compliant and 73 percent are working with external or internal legal counsel to prepare.

Despite this high level of preparedness, 61 percent of respondents are concerned about the impact of GDPR on their recruiting and hiring processes, including how they source potential candidates. Respondents were also either ‘very concerned’ or ‘extremely concerned’ about adhering to specific requirements included in the regulations, such as:

• Maintaining full records of recruiting processing activities (52 percent)
• Determining when to get consent from candidates (50 percent)
• Determining how long to store a candidate’s personal data before deleting it or obtaining consent (47 percent)
• Selecting software vendors who will enter into GDPR compliant contracts and meet data security requirements (46 percent)

Regardless of these concerns, the overwhelming majority (90 percent) of respondents who are already engaged in sourcing will continue to do so under GDPR.

“The GDPR deadline is quickly approaching, but few are discussing the potential impact these regulations will have on how organizations source, recruit and hire their talent,” said Mike Walsh, Director of Product Marketing of Lever. “We hope this research serves as a catalyst within organizations to begin discussing in detail how they will move forward with sourcing candidates under GDPR and the lengths they will go to protect candidate data. At

Lever, we have spent significant time working on these issues on behalf of our clients and hope to continue to serve as a resource for recruiters worldwide.”

Lever’s research also revealed some organizations are unsure how to adhere to regulations related to candidate data. According to the GDPR, organizations must identify their own “lawful basis” for processing personal candidate data. For recruiting, the most common lawful bases are consent and legitimate interest, but it can be a grey area for many recruiters.

For example, respondents are split regarding when to collect consent from candidates. Only 40 percent of respondents will collect consent to contact for jobs they did not apply to, 37 percent will collect consent in order to email candidates they source and 25.5 percent will collect consent when they plan to keep data from candidates who were in their ATS before May 25th, 2018.

Another grey area the survey addressed was determining how long to store candidate data. While GDPR requires companies to only keep personal data for “no longer than is necessary for the purposes for which the personal data are processed,” the data showed great variation in how organizations are interpreting this obligation. Some companies will delete candidate data as soon as the job they were tied to closes (23 percent), while others plan to retain candidate data for a year or more (23 percent).

The full research report can be downloaded at this link.