Posted by

February 7, 2019

GDPR and Recruiting: 5 reasons to leave antiquated tools behind

All articles Human Resources Recruiting

After the entry into force of the GDPR on May 25, 2018, Human Resources departments all across Europe have yet another reason to look into the latest technologies for the management of Human Resources.

The new regulations on data processing have made it inescapably clear that the use of outdated tools such as e-mails and Excel spreadsheets for HR processes is not only inefficient, but also fails to respect the privacy rights of employees and job applicants—problems which in many ways also affect on-premise software solutions.

With such outdated tools, it is difficult to implement a number of the new provisions—such as the limits on data retention and the requirement to obtain consent for data processing—as well as to respect even the minimum recommended security standards.

The picture is even starker when it comes to recruiting. Collecting, organizing and managing the CVs of hundreds—or thousands—of candidates without the support of a modern Application Tracking System (ATS) almost certainly means that you risk running afoul of the regulations.

We will outline the most critical points below.

Obtaining consent and communicating privacy policies

Let us start with the consent that the company must obtain from job candidates in order to be authorized to process their data. According to the GDPR, this consent should be freely given, specific, informed and unequivocal.

If you’re receiving CVs by e-mail, or—even worse—in hand, you have to hope that the candidate had the forethought to include an appropriate statement giving consent for data processing—which, even if they did, will still be a generic one. Even worse, you have no opportunity to inform them of the company’s data processing policies.

Companies using an ATS avoid these problems: they route the process of receiving CVs through an application form on their Career Site, which accomplishes both aims mentioned above. The system obtains the candidate’s consent for data processing and also provides them with the company’s data policy.

Even more: a good ATS stores a lot of other valuable information, such as the version of the privacy policy provided to each candidate and a record of all the versions that the company has used over time.

Data retention policy

Another hot topic nowadays is that of data retention. Once a company has settled on a data processing period that is in conformity with its processes, it must do everything to respect it, deleting the data for those candidates whose consent has expired from its archives, or asking them to provide a renewed consent.

For those who are using e-mails, Excel spreadsheets or in-house databases, this is a daunting task, if not an outright impossible one.

On the other hand, those who have entrusted their processes to a good cloud-based recruiting software have all the tools necessary to manage this process. They can set automatic notifications to inform applicants about the imminent expiration of the consent they gave. The candidates can then decide whether to renew their consent by reconfirming their application or allow the automatic deletion process to proceed.


Article 22 of the GDPR says that the personal data processor must adopt the appropriate technical and organizational measures in order to ensure—and be able to prove later on—that the processing of personal data is being performed in full conformity with the rules laid out by the Regulations.

A company that relies on tools such as Excel or Access will find it difficult to reach an adequate level in terms of security standards, not only from a technological point of view, but also from a procedural one. The company’s internal human resources will not have the training and experience needed on these issues.

For this purpose as well, cloud-based ATS software are the most reliable solutions on the market, as they incorporate full attention to privacy issues at every level. They offer first-class security technology, employ staff who follows well-established procedures and proven best practices, and, most importantly, allow companies full control over every detail when setting up data access permissions for each employee. Thanks to this last feature, each user of the recruiting software will only be able to see and process the personal data that they are entitled to access. Thus, for example, a recruiter or hiring manager will only see the data of the candidates for their area of competence.

Data breaches

The use of cloud-based ATS software also reduces the risk of a data breach, which is defined by the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

The companies offering ATS software, as well as the IaaS platforms which often host their services, guarantee excellent standards of security and data encryption. Conversely, for those who are still using outdated tools, the chances that an unauthorized user might access an Excel file or inadvertently receive an e-mail containing personal data are much higher.

Rights of the candidate

The use of cloud-based recruiting software also allows you to better protect the rights of the job candidates, such as the right to erasure, the right to rectification and the right to the restriction of data processing.

For example: the candidates who send their CV through a Career Site belonging to one of our clients can log into their account at any time and delete their profile from the recruiting platform, or update the information it contains.

For more information about how cloud-based HR software can better manage your personal data processing for both job candidates and employees, visit our dedicated compliance page.

Copyright: ©KPixMining/Fotolia