As you probably already know, GDPR aims to regulate how companies “process” (i.e. collect, store, and use) individuals’ data. “Legitimate interest” and “Consent” are two of the six grounds on which a company can legally process that data, and the ones that are most likely to concern recruiters.
The ICO says that you can use “legitimate interests” as a legal ground to use people’s data if you’re doing it “in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.” Keep in mind that “using data” means everything from writing down an email on a post-it to grabbing a social media profile using a Chrome extension.
The GDPR’s version of “legitimate interest” is slightly different. From its perspective, you need to show that whenever you are processing candidate data, there is a balance between their interests and yours as a company. You can read the exact wording in Article 6 of the regulation, but the idea is that the candidate’s interests and fundamental rights are not overridden by the company’s pursuit of its own.
If a candidate publishes, say, a knitting blog, it could be argued that one of their interests in doing that might be to let others know that they are good knitters, or good bloggers, or both. If you contact that candidate to ask them whether they are interested in a job as an Arts and Crafts blogger, then you have served some of their interests as well as your own by getting in touch. If you’re using their data to send them generic company hiring updates... not so much.
Notice how many “might”s and “could”s there are in that first sentence? That’s because Legitimate Interest is pretty ambiguous.
The concept of Consent, on the other hand, is more clear-cut. If the candidate agreed at some point to your use of their personal data, then you have a legal ground to do it.
The difficulty with consent comes more from all the conditions attached to it: it has to be freely and actively given, specific, informed, and unambiguous, to mention just a few.
You know how, for instance, when you spotted someone on a LoveAngularJS Facebook group, you used to reach out to tell them about a new developer opening you had? You might not be able to just do that anymore.
What you can do is take a look at the infographic below; it’s a helpful first step in figuring out whether your existing process passes the smell test…
Hopefully, this helps you get started on making your processes compliant. Don’t forget, though: there are many more aspects of the GDPR that could affect your company and your team. While they will probably not have as much of an impact on your day-to-day, they need to be addressed at some point.
So if you haven’t yet, clear out an afternoon, sit in your favorite armchair and take the time to go through the full guide.
Disclaimer: We hope that this blogpost will help demystify the GDPR regulation and introduce you to the subject. However, while we have consulted legal teams specialising in data protection throughout our research on the subject, Beamery is not a law firm, and does not give legal advice specific to any organisation.
If you're looking for more advice on the best way to tackle GDPR, look no further than our complete guide. Inside is everything you need to know about preparing your team, systems and processes for the new legislation.