GDPR: Candidates' CVs Are Not Just a Concern for HR

With just over a month to go before the General Data Protection Regulation (GDPR) comes into effect, most commercial teams have a plan in place to handle prospect, customer and even influencer personal data in a compliant manner. But what about CVs?

Nikita Smits-Jørgensen, co-founder of inbound marketing and GDPR consultancy BusinessBrew, talks us through the six steps you need to take to ensure you can handle CVs in a compliant manner that adheres to the GDPR regulations.

9 out of 10 hiring managers have a CV folder

At BusinessBrew we work with commercial teams such as sales, marketing, support or customer account management on their GDPR compliance. We discuss at length the need to obtain consent for marketing email, how sales teams can run successful business development campaigns and how to run effective cross-sell and upsell campaigns with existing customers that adhere to the GDPR.

In our discussions we always ask managers: “Do you have a CV folder?” After a quick think, 9 out of 10 respond with “Oh yeah, somewhere on my desktop/hard drive I have a copy of CVs sent to me by HR or directly. Is that a problem?”

Applicant data is personal data

The GDPR regulates how all personal data is handled. This defines personal data in the first instance as:

‘Any information relating to an identified or identifiable natural person.’

Let’s break that statement down:

[Figure: breakdown of the definition of personal data. Source: Business Brew]

An applicant’s CV, whether you review their details, interview them, employ them or not, is personal data and it must therefore be handled in a compliant manner.

Steps hiring managers should take

Let’s run through a few simple steps that hiring managers can take to ensure they handle applicant data in a compliant manner:

1. Check your devices for CVs
The first thing you can do right now is search your devices (laptop, mobile, tablet, etc.) for any CVs and place them in one location or folder.

2. Delete CVs that are currently not in a hiring process
There shouldn’t be a reason for hiring managers to hold on to CVs of applicants that are not currently in a hiring process. Securely delete any CVs (even those of employees you hired) you are not currently working on. If you are unsure how to completely delete something, speak to your IT team. A good self-check: after you delete a file, search for it on your device. If no results come up you should be fine. If you need to keep CVs on file, this is possible but there are a few things to consider. We’ve described how to do this in a separate section below.

3. Develop a process for CVs sent directly to you
If applicants send CVs and cover letters directly to you, develop a compliant process to handle the data. A suggested process would be to forward the CV to HR and remove the details from your device, while also informing the applicant that you have forwarded the CV to the HR team. If you do not have an HR team, decide whether you will be working with the CV on a currently open role. If so, go ahead and use it, and remember to delete it when the process has been completed. If you don’t have a suitable role for the applicant, inform them of this and that you will be deleting their details in accordance with the GDPR.

4. Work with HR to develop a secure process of sharing CVs internally
Email isn’t the safest way of sharing personal data. No email just goes from A to B. They bounce through a number of servers and are far from being Fort Knox secure. Consider secure data sharing programs instead and make sure the systems you and HR use to store CVs are fully secure and compliant. Have a conversation with HR about the GDPR and how you, as the hiring manager, are planning to adhere to it when it comes to applications. We are sure your HR team will appreciate your compliance efforts!

5. Update your privacy policy
Encourage your HR team or speak to your legal team directly to update your privacy policy to include how you handle applicant data under the GDPR.

6. Document your process
Just as any other data process should be documented in case of an audit, so should this one (Article 30). Add it to your data processing inventory or alternative documentation.

Keeping CVs on file

“Thank you for your application. We don’t have a current role, but will keep your details on file.” We’ve all heard this in our careers, right? In the above steps we’ve recommended deleting CVs after a set timeframe and we believe this is your safest option. Let’s be honest, when do we ever go over old applications to see if there is a suitable past candidate for a new role? However, if your company is the exception, you can certainly hold the data.

Make sure that you state in your privacy policy how you handle applicant data (you should do this even if you delete it – see step 5). This should include explanations of items such as how you store CVs, for how long, whether you are sharing details with third parties and why you do it. In addition, you should inform the candidates of this process and give them the opportunity to object and have their data removed.

Learning more about personal data

Personal data and what this means is handled in the GDPR under Article 2 “Material Scope”. Have a read through it to get familiar with the full scope.

When we speak about personal data in one of our workshops or consultancy sessions we put it simply: Any data that allows you to identify a person is personal data. This includes IP addresses, company names of sole traders or in the context of a room “the lady in the red sweater” if there is only one person wearing a red sweater.

If you are in any doubt whether the GDPR applies to data you hold or you’d like to learn more about how to tackle compliance, get in touch with BusinessBrew and we’d be delighted to have a conversation with you.

About Nikita

Nikita Smits-Jørgensen is co-founder of inbound marketing and GDPR consultancy BusinessBrew. While being ISO certified in privacy regulations for sales and marketing (GDPR/PECR), she aims to work with marketers in plain English to get GDPR-ready.

Nikita met fellow BusinessBrew founder Evelyn Wolf during their tenure at inbound marketing powerhouse HubSpot, where they assisted businesses of all sizes and industries as well as marketing agencies in building their lead to customer generation funnels.

BusinessBrew is geared to help companies make the most out of their inbound marketing and privacy efforts in the most time and cost-efficient manner through workshops, training and the delivery of strategic playbooks.
