HR and the GDPR: keeping your HR technology compliant

What you need to know

If you are unfamiliar with the GDPR, it’s time to get acquainted! The GDPR, or General Data Protection Regulation, increases the rights of individuals to decide what you do with their data. These rights will be granted to any European citizen, so businesses that acquire any of their information will have to adhere to certain rules and regulations put forth by the GDPR.

Your HR software and tools used to process this sensitive information have to comply, as well. This includes anything used to compile or analyze personal data. For example, your ATS tracks and organizes applicant and potential candidate information like resumes/CVs. With this abundance of useful information for HR, the GDPR puts forth that you and your data processors must be transparent, secure, and accountable. Are you prepared?


Six rights granted by the GDPR (and how this impacts your HR tools)

1. Right of access by the data subject

What this means: Individuals can request to be informed of what you’re going to do with their data or even request a record of their personal data you collect. For instance, if you are using an assessment tool, like HackerRank, during the hiring process, the candidates in the EU you are assessing will be able to ask where their data is headed or ask for a record of what you do with it.




What to do: Make sure that any HR tech you use clearly states how data privacy is handled. If there is a request for information, you should be able to gather that info quickly and easily, as well as explain to them how it has been handled. The data processing should be responsible and secure.

2. Right to rectification

What this means: Candidates can request you to correct or update their data in your database.

What to do: Ensure that your database is private and updated frequently. For instance, human error can lead to incorrect information being entered into your payroll and benefits system. In this case, employees can request that it be corrected, and you should be prepared and able to do so on short notice.

3. Right to erasure (“right to be forgotten”)

What this means: Individuals can request you to delete their data from your database.

What to do: Use a cloud-based ATS with a great privacy policy and GDPR recognition. This will allow you to sleep easy knowing that if a candidate asks for their data to be deleted, your ATS will allow it. What’s better, your ATS should allow deletion of candidates after a certain time (e.g. one month after the job opening closes), and candidate profiles can be deleted upon request as well.

4. Right to restriction of processing

What this means: Individuals can request you to suspend their data from being processed in your database.

What to do: If you have talent pools with potential candidate information, make sure that you have someone on the team updating the information periodically, or at least give them the ability to do so. This way, candidates are able to pause their candidacy for a period of time without opting out completely.

5. Right to data portability

What this means: Individuals can request you to export all their data from your database.

What to do: For example, you may use a feedback tool like Impraise. It should keep track of all the recorded feedback in order for it to be exported when requested.

6. Right to object

What this means: Individuals can request you to stop processing their data indefinitely.

What to do: Make sure that all of the HR tools you use have a feature that allows you to block certain individuals from being processed through their system. You don’t want to slip up here, or you may be hit with fines.

Where to start

Review your tools and adjust accordingly.

Download this free handbook on the GDPR in HR.

Bookmark it, and refer to it often.

Make sure your whole hiring team is on the same page and understands the new regulations.

Most importantly, don’t let the GDPR scare you! Your HR processes will be just fine as long as you are prepared. You may also consider using the GDPR to your advantage by touting data security that is compliant with the new rules on your careers site! This way, potential candidates will see that you care about their information and get insight into your values as an employer. Prepare, reference, and adhere to the GDPR regulations, and you will be in the clear.

Perry Oostdam

About the author…

Perry is co-founder and CEO of Recruitee, a collaborative hiring platform for teams of all sizes that optimizes the entire hiring process. The company has offices in Amsterdam, The Netherlands, and Poznań, Poland, and works with companies around the world.
