GDPR compliance: the practices to know
Ambroise Bréant, February 13, 2023
Recruiting new team members calls on specific expertise. But on top of the usual HR questions, you also have to follow certain rules around handling personal data. To bring yourself into GDPR compliance, several practices can be adopted by your company. Far from being an insurmountable task, these few techniques give you a double benefit. Beyond avoiding the penalties tied to non-compliance with European directives, you strengthen your brand image.
What is the GDPR?
Since May 2018, the General Data Protection Regulation applies to any organization processing personal data for its own account or that of a third party.
These European provisions address the right to privacy and the protection of personal information. They aim to harmonize how this data is handled across the EU, in line with the free movement of individuals.
The GDPR imposes 3 principles on personal data processing: transparency, fairness, and lawfulness of the processing.
A company subject to the regulation must be clear about its data collection and management, as well as its legal basis.
If GDPR applies to you, know that it carries several guarantees:
- The right to be forgotten, or the candidate's ability to request the deletion of their data stored by a company.
- The right of access, which lets a person know the details of the personal data the company has collected about them.
- The right to data portability, where the individual concerned can require the export of their data.
- The security of collected data, where the entity collecting the information must prevent it from being disclosed to outside third parties.
- The right to rectification, where a candidate can request a change to the collected information in case of inaccuracy, for example.
To know whether you're GDPR-compliant, you have to be able to identify the data that is genuinely necessary in your hiring process.
In the event of an audit, you must be able to explain why you need this information. You'll also need the candidates' consent to the processing and storage of their data.
Why is it necessary to apply GDPR principles during hiring?
Avoid administrative and criminal penalties
Failure to comply with GDPR principles is sanctioned by Article 83. The legal regime of this regulation is built on a deterrent spirit. In other words, the penalty varies depending on the importance and severity of the breach, and how long it has lasted.
If you have taken steps to try to remedy harm suffered by candidates as a result of this breach, the penalty will be adjusted accordingly.
In the event your organization is convicted, the punishment can first take the form of a fine. That fine can reach up to 4% of your company's revenue.
The French Penal Code also includes provisions tied to data processing. The criminal penalty can include several years of imprisonment, and a fine of up to €300,000.
You get the idea: applying GDPR principles in your hiring process will help you avoid various penalties.
Project the image of a rigorous, reliable employer
A recruiter who cares about how candidate data is handled will always project a more positive image to those candidates.
That's all the more true in tech. Beyond a greater sensitivity to data management and data protection, individuals can expect a certain ethical standard from organizations.
In sectors marked by hiring tensions, GDPR compliance can make the difference and position you as a more attractive company.
For all these reasons, some companies consider that establishing a GDPR-compliant data policy is part of the data engineer's role.
Concrete advice for protecting your candidates' data
In practice, protecting candidate data breaks down into several possible actions.
Designate someone responsible for the personal data protection policy
Internally, you can choose to dedicate a full-time equivalent (FTE) to data management. By naming a person in charge of the data processing policy, you ensure smoother, more transparent practices.
Of course, outside consultants can also support you in establishing your data processing policy.
Apply the principle of transparency by following the CNIL's recommendations
In practice, you can add a concise but precise paragraph at the end of your questionnaires and emails. This short text in small print reassures candidates that their data is secure, and informs them of their rights under GDPR (right to be forgotten, right to rectification, etc.).
Finally, this reminder of users' rights must be accompanied by a contact address so the individual can submit their requests.
Set a deadline for retaining data
You don't normally need to store candidate information indefinitely.
In practice, companies generally set a maximum duration of 2 years for data storage. This limitation makes it easier to comply with GDPR principles.
Pay attention to the data processing policies of your providers and networks
Are you considering bringing other entities into your hiring process, or already doing so? Professional networks like LinkedIn, or specialized organizations like APEC, Pôle Emploi, or Indeed, can indeed be effective partners.
Whether you work with a recruitment agency or a platform, you have to pay attention to the provisions in your partnership contract.
These must set out the legal regime and the methods for processing personal data. Here too, you must ensure proper GDPR compliance.
Develop your team's skills
Handling your candidates' personal data requires specific expertise — and a certain ethical standard. The GDPR covers sensitive information strictly framed by law.
Alongside training for specialized recruiting roles, a company's recruiting teams can upskill on GDPR. That helps them know which information is essential for the company and which questions to ask candidates.
What common mistakes should you avoid on GDPR?
Duplicate candidate and employee data
Once you've hired a new employee, remember to transfer the data from their candidate file to their internal company profile.
That avoids unnecessary duplicates, and the storage of data that has become obsolete in your candidate database and ATS.
Storing data beyond 2 years
To purge your database and stay compliant with the regulation, organize the deletion of candidate information carefully.
Some ATSs or recruiting tools include options for automatic deletion of personal data.
Storing criminal records
Depending on your industry or the role on offer, you may need access to highly sensitive data, and therefore to the candidate's criminal record.
Whether it's bulletin n°2 or bulletin n°3, the employer has absolutely no right to store this data in their database.
Neglecting accessibility rules
In practice, you can use a cookie banner to display your personal data processing policy. That's also where the user's rights will be mentioned.
Make sure the characters are sufficiently visible, and therefore accessible. To do that, use an appropriate size and font, and don't forget that color contrast must be high enough.
Choosing a one-shot policy
To bring yourself into GDPR compliance, you'll have to put in the work over time. The CNIL's recommendations and European requirements are in constant evolution. That's why organizations subject to GDPR have to adapt continuously.
A simple monitoring mechanism is enough to keep you informed of regulatory changes. That keeps you from having a mismatch between your practices and any new legal provisions.