Is your recruitment strategy ready for GDPR?


Is your recruitment strategy ready for GDPR?


When the EU Data Protection Regulation, also known as the GDPR (General Data Protection Regulation), comes into force on May 25, 2018, strict requirements for processing personal data are introduced. The personal data regulation must therefore be perceived as the "main law" of the future in regards to when and how personal data are to be processed.

At Bysted & Thielsen, we continuously monitor how and when we and our customers will implement new business practices for conducting and storing personal data. Heidi Thielsen, co-owner and Head of Research, has followed every step of this regulation for the last couple of years and has participated in both domestic and foreign conferences regarding this topic.

This interest is partly because the new regulation will have great influence on the search and recruitment companies' ability to communicate with their candidates and customers.

But customers HR functions must also consider how they treat candidates' personal information; both before, during, and after selection- i.e. recruitment procedures, including data flow, security, and registration as well as exchange of information and cooperation with external recruitment partners.

The collaboration, with compliance, is therefore extremely important.

When we work with a CV (or an application) from a candidate, this will always contain personal information such as: Name, E-mail, Address, Date of Birth; which is information covered by the personal data regulation.

However, one must keep in mind; in the future there will be a distinction between several categories in terms of personal data; the general information and the personally sensitive information:

The first category contains information such as name, address, email, workplace, education - where the personally sensitive information includes race, political or religious beliefs, health and sexual relations. Social Security Number is an entirely different category in itself.

The distinction exists because different conditions and procedures depends on the information’s sensitivity.

At Bysted & Thielsen, candidates are invited to only provide information necessary to meet the requirements of the specific job. Applicants should therefore not provide sensitive personal information, as these will require special handling procedures from both Bysted & Thielsen and our clients. However, test results are also covered by personally sensitive information, so this area requires particular care.

Bysted & Thielsen has prepared an action plan, and is implementing how we will govern compliance in relation to the regulation in the future; including our cooperation with customers and suppliers.

Examples of actions are: We have begun the preparation of a new data processing agreement for cooperation with external partners (which is required), including the preparation of a data policy regarding acceptance, storage, IT security as well as documentation and data deletion - i.e. personal data life cycle; from the moment we collect them until we delete them again.

As a standard process, we are already following these procedures with our customers, including instructions and reminders to continuously protect personal data internally, relating to our collaboration with candidates.

In other words: Support to HR departments.

If you have questions or comments about this, please feel free to contact Heidi Thielsen at Bysted & Thielsen at either ht@bystedthielsen or mobile +45 42 73 07 02.