Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus convallis sem tellus, vitae egestas felis vestibule ut.

Error message details.

Reuse Permissions

Request permission to republish or redistribute SHRM content and materials.

New EU Data Law Will Change How You Engage with Job Applicants

U.S. employers must be compliant by May 25

The EU flag waving in the wind.

​The European Union's (EU's) newly enhanced data protection regulations go into effect May 25. U.S. organizations that want to recruit workers living in the EU will need to understand how the General Data Protection Regulation (GDPR) applies to them.

Full compliance is expected to be challenging—technology research firm Forrester forecast that 80 percent of organizations will not be compliant by the effective date—but failing to comply could result in fines of up to 4 percent of annual revenue or €20 million, whichever is higher.

"It is critical that recruiting teams and leaders understand how GDPR affects them directly … your business will need to undergo a complete self-assessment," said Jack Davies, operations lead at recruitment marketing platform Beamery, based in London.

[SHRM members-only online discussion platform: SHRM Connect]

What Is the GDPR?

The GDPR strengthens privacy rules for EU residents, giving them more control over how their data is collected, stored, processed and transferred. The 28 EU member states can enact additional or stricter requirements for processing HR data, and employers must also comply with country-specific labor laws that regulate when and how HR data can be processed.

It's not entirely clear how the GDPR will be enforced, explained Carol Umhoefer, data protection and privacy expert and partner in the Miami office of global law firm DLA Piper. But it is certainly comprehensive. The GDPR "applies to every single phase of the data lifecycle, even before the data exists," she said. "It includes notices to candidates before or at the time you collect their data [and it] regulates data use and reuse and what to do with data you don't need anymore. In some cases, you'll need to appoint a data protection officer or conduct data impact assessments before processing any data."

It generally applies to all companies—regardless of location—that handle personal information belonging to anyone living within the borders of the EU.

Audit Your Recruiting Data

"Data collected during the recruitment process and the data that already exist in your ATS or talent database are covered," said Jennifer Goode, product marketing manager for talent acquisition system SmartRecruiters, based in San Francisco. That includes any information provided by job seekers or candidates, including through careers site interactions or in response to recruitment marketing campaigns, as well as through direct sourcing.

"It doesn't matter if you keep data in e-mails or Excel spreadsheets or you keep the data in your ATS or onboarding platform, GDPR applies to all of it," Goode said.

She stressed that it is the employer's responsibility to be GDPR-compliant, even when processing candidate data through third-party vendors.

Nathan Aker, director of IT at recruiting software company Symphony Talent, recommended that any employers with operations in the EU or that may recruit in the EU undergo a recruitment data audit, which could begin with an internal assessment, but should also include external experts for a final review. "[There are] individuals who focus solely on European data privacy law—GDPR penalties are so significant, you'll likely want to go with experience on this one," he said.

Create a GDPR-Compliant Policy

The GDPR puts added accountability and documenting obligations on employers, Umhoefer said. "This will require beefing up written policies and procedures and keeping track of how you monitor compliance, train to it, and audit it for improvement."

A recruitment-specific GDPR-compliant policy should include direction on:

Consent. Without a lawful reason, employers are not permitted to collect or process personal information at all. "In the recruitment space, this means you need either a legitimate interest or direct consent," Aker said. "But even sending an opt-in e-mail requires processing; therefore, you need a lawful basis such as legitimate interest to contact a candidate."

Proactive sourcing on LinkedIn or other public sites can fall under legitimate interest if the candidate is truly being considered for a role—not just for talent pipelining. Consent can be achieved by sending a sourced candidate an e-mail asking him to join your talent pool, where he will consent to your GDPR-compliant disclosure statement in the process, Aker said.

"If they don't respond to your outreach, you need to delete their information immediately, as you no longer have a legitimate interest for having that information," Goode added.

Applicants can provide consent when they fill out a job application, but implied consent, such as sending in a resume, is not sufficient. "Consent must allow an active opt-in," Goode said. "A checkbox must be unticked to be valid. It must also stand out. You can't hide it on your careers site or in your general terms and conditions. Consent must also be easy to withdraw."

It's important to keep in mind that personal data can only be processed for a specific and limited purpose. Considering a candidate for a certain role means that you can't place her data in your talent network for future roles. "This means that if a candidate applies for a specific vacancy you must seek additional consent for any processing that is not related and limited to the job the candidate applied for," Davies said. "For example, if you're planning on communicating with unsuccessful applicants after the job has closed, you need to obtain specific consent for further contact. If you plan to send candidates different types of communication, such as a monthly newsletter, or job alerts, it's incumbent on you to seek consent for each type of communication you plan to send."

Disclosure. When collecting applicant information, let job seekers know how their data will be used; how long it will be stored; and how to access, modify or delete it. "Transparency also applies to sourced candidates," Goode said. "When you reach out, let them know how their information will be collected, how you found their information and how long you intend to consider them for a position. You must also be explicit about who will have access to this data, including any third-party vendors you use like reference-checking or screening providers."

Retention and deletion of data. "GDPR makes it clear that you cannot hold on to data longer than necessary," Goode said. "It also requires deletion of candidate data when it is no longer relevant; the candidate withdraws consent or objects to the processing; or it is obtained unlawfully. The data must be removed from all third-party vendors as well."

Candidates' rights. They include the right of access to all personal data held, the right to correct the information, the right to restrict processing of data if its accuracy is contested and the right to have all information erased from employers' databases. "Having procedures to deal with these rights requests is very important," Umhoefer said.

Applicants also have the right not to be subject to a selection decision based solely on automated processing such as commonly occurs when applicants are filtered out by keywords in applicant tracking software. Individuals must be told when a decision has been taken solely using automated processing and they have the right to request a review of the decision.

"If you are using systems to filter out candidates on the basis of personal information, such as qualifications or grades, you must consider whether this constitutes automated processing without any human review, and, if so, a candidate's explicit consent must be obtained beforehand," Davies said.

The employer must also explain the data sources used and the main characteristics of the automated process.

This article just scratches the surface of GDPR compliance and the law's impact on talent acquisition processes. There are numerous online resources to provide more details on GDPR compliance and recruiting, including these from Beamery and SmartRecruiters.

Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.


​An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.