Starting a new recruiting process fresh for every new position is highly inefficient.
That’s why, to streamline recruitment, many companies leverage ‘candidate pipelines’: the process of collecting and maintaining a pool of potential candidates. When a role becomes available, companies can inform (and hire) qualified candidates faster.
Candidate Pipelines and Data Privacy
Candidate pipelines—also known as talent or recruitment pipelines—usually include:
- Applicants who unsuccessfully applied for other roles within your company
- Anyone who has expressed an interest in learning about future vacancies
- Those referred by current employees
Although candidate pipelines have many benefits, could they soon be a threat to your compliance?
Think about all the data your candidate pipeline houses:
- Dates of birth
- Gender information
- Personal addresses
- Phone numbers
- Email addresses
- And more
With new laws being put in place to protect personal data, it’s possible that your candidate pipeline could soon be illegal.
GDPR is Making its Way Across the Pond
The most important data privacy law to be aware of is the General Data Protection Regulation (GDPR), passed by the European Union in 2018. While GDPR only affects recruitment if a company is hiring employees who currently live in the EU, similar regulations are a hot topic in many American state legislatures—so it’s essential for HR leaders to be aware of what GDPR contains and how it could affect candidate pipelines.
What Does GDPR mean for Recruiters?
The GDPR strengthened and widened previous European data privacy laws, imposing big potential fines for non-compliance: up to 4% of global annual turnover or €20m ($21.7m), whichever is higher. In 2019, Google was fined around $57 million for failing to disclose how it uses collected data.
Essentially, GDPR limits the data companies can keep without permission, requires companies to inform users about data collection, regulates the use of data and restricts how long data can be kept before it must be deleted.
As for recruiting, GDPR gives job candidates the right to:
- Be notified if (and for how long) their data is kept and why
- Be told who will have access to their data
- Be asked for consent for their data to be stored
- Ask for access to their information
- Download their information
- Correct any incorrect information
- Restrict how their data is used
- Request that their data be removed
How Can A Candidate Pipeline Remain Compliant?
If your company stores the data of candidates who are based in the European Union without their consent, then you are at risk of a big fine. However, it is possible for candidate pipelines to comply with GDPR, if companies take certain measures:
- Companies must ask for consent. This can be done by explicitly asking candidates (by email or as part of the recruitment process) whether they accept that their details will be stored so that they can be considered for future vacancies, job alerts or other forms of communication. If consent is not explicitly given, the candidate’s details must be deleted when the position they applied for is filled.
- Companies must disclose exactly what they will do with this information and whether any third parties (e.g. those hired for the purposes of background screening) will be given the data.
- Companies must only retain candidate data for as long as is necessary.
- Companies must provide, correct or delete the relevant data if requested by the candidate.
State-Level Data Protection Laws
Since GDPR was enacted, US companies have feared similar legislation would soon be enacted at the state level. And for good reason… In 2019, California and Nevada both passed post-GDPR privacy laws (with New York currently passing more data security laws, and with the potential of privacy laws being passed soon).
The California Consumer Privacy Act (CCPA)
The most prominent US-based data privacy legislation is the California Consumer Privacy Act (CCPA). Applying to companies with at least $25m gross revenue, it offers similar protections to GDPR but with an emphasis on the right to know what data is used, rather than necessarily requiring consent.
Though the law is effective January 1, 2020, there is a one-year moratorium on regulations relating to data stored solely for employment reasons. But that doesn’t mean recruiters are entirely in the clear—you’re still obliged to inform candidates of what data you collect and big fines are still possible in the case of data breaches.
Hope for the Best. Prepare for the Worst.
So, while candidate pipelines are not currently illegal, it’s important to stay up-to-date if you want to avoid blind-side penalties. Now’s the time to ensure that you have consent for any candidate data you currently store and that procedures for collecting consent are integrated into your current recruitment process.
Keep Your Recruiting Compliant
Paycor Recruiting offers streamlined applicant tracking services while preventing compliance headaches. Data protection features include enabling you to capture candidate consent, label candidates who do not wish to be contacted, and easily delete records whenever required.