Delete that photo. Check your privacy settings. Do you really want to share that?

Most job seekers have heard the above from friends, colleagues and family when applying for jobs. For HR professionals and recruiters, the questions they ask themselves during the hiring process are different.

Is the candidate a good fit? Do they have an online personal “brand”? What’s their professional background? Are they certified?

While most of these questions can be answered from a resume, application or interview, most HR departments have added social media to the mix of tactics used to hire the best new talent.

In a recent report by Jobvite, recruiters revealed just how often they’re using social media to review applicants and even find passive candidates:

  • 87% view LinkedIn
  • 43% view Facebook
  • 22% view Twitter
  • 8% view Instagram

LinkedIn profiles allow candidates to present their most professional self to recruiters, HR professionals and higher-level executives at a company, while Facebook, Twitter, Instagram and more are often used for both professional growth and personal expression. Over the last decade, gathering additional information on candidates from their social media channels has become common practice. However, with the General Data Protection Regulation (GDPR) deadline looming just six months in the future, and the latest recommendations from the Data Protection Working Party, HR departments will need to reconsider their recruitment processes when hiring employees in the EU.

How will the GDPR affect recruitment?

For many organizations, the hiring process is data-heavy. Recruiters collect as much data on applicants as they can, using social media profiles, online resume databases, applications, tests and previous employment records. The Data Protection Working Party has released an Opinion on exactly how social media can and should be used by employers throughout the hiring process when EU applicants are involved. It states the following:

  • Employers must notify job applicants before viewing their social media profiles, even if they’re already set to public.
  • Employers must have a “legal ground” to access this information.
  • Employers may only view social media profiles when the information found on them is “relevant to the performance of the job which is being applied for.”
  • Employers must comply with all the data protection principles in the GDPR.

It’s important to note that these guidelines are not official laws, but the party’s recommendations are considered highly influential and will likely have a significant impact on how the law is interpreted in court and by regulators. With this in mind, it’s critical that all businesses that currently process EU citizens’ data (or plan to process it in the future) must prepare themselves now to ensure their recruitment process is compliant.

Start with consent.

When it comes to the GDPR, consent is king. Before you can collect or process any applicant or potential candidate’s personal data, you must obtain consent from them in a way that is easy to find, access and understand. Unbearably long, unreadable Terms & Conditions forms will not work, and neither will pre-checked boxes. You’ll need to explicitly ask permission to collect each candidate’s data, offering clear and accurate clarification on how that data will be used, and ensure the security of that data. If you don’t already, you’ll need to make individuals aware of the data you will collect before or when they apply for a job. This can be done in a variety of ways, including a pop-up on your company’s career page, in the job advertisement or in an email that is sent to the applicant as soon as they apply for a role.

Consider the different types of social media accounts. 

Because organizations will only be allowed to access social media accounts that are relevant to a particular position, the types of profiles your company views must be evaluated. An individual’s Facebook profile that is used for private purposes is likely irrelevant to the job posting, but a professional or business-related profile like LinkedIn is likely a legitimate account you will want to review when making your hiring decision.

Enforce clear, consistent rules across the organization.

Whether you have an entire HR team supporting your hiring process or you enlist third-party recruiters or background checking agencies to help in the recruitment process, everyone must be on the same page. Make sure all parties are aware of which social media profiles they are allowed to view for a job role, as well as when they can and cannot view those profiles. If your organization has a data protection officer, work with them to establish the appropriate infrastructure to notify applicants of your data collection policies, as well as to oversee the training of your HR or recruitment team. 

US businesses are scrambling to familiarize themselves with the new requirements set forth by the GDPR and enact a strategic plan that ensures they comply before the May deadline.

Access is committed to helping our clients protect their business-critical information and employee data and comply with changing regulations like the GDPR. Learn more about how FileBRIDGE® for HR can help your HR team adhere to strict new regulations for protecting the privacy of EU citizens.