Simplify your talent journey and make confident people-focused decisions with Xref. Find out why the organisations you trust, choose Xref.
Reduce attrition, improve retention, build corporate memory to improve organisational metrics with an Xref Exit Survey.
Get started with referencing in Xref today for free. No credit card required.
According to research by Lever, 61% of compliance professionals are “concerned with how GDPR would impact their recruiting and hiring processes, including their methods for sourcing potential candidates.”
Now that GDPR is in place, here’s what you need to be doing to ensure your method of reference checking is compliant.
As soon as a candidate applies for a role, you must make them aware of every background check you plan to take and gain consent from them to do so.
Of course, if they don’t give consent, you can terminate their application on the grounds that it is a requirement of your recruitment process.
In GDPR terms, consent is:
“Freely given, specific, informed, and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing”
GDPR guidelines outline a number of factors that deem a data gathering process of “legitimate interest”.
You must ensure the information you plan to collect;
You should also be confident the process itself doesn’t go beyond reasonable privacy expectations. A breach could occur if a reference check includes questions that are personal, discriminatory or have little relation to an individual’s performance.
Data destruction is a major focus of GDPR and something that sets it apart from previous data privacy directives.
It requires organisations to keep data only as long as they need to and to delete it securely, completely and with evidence of having done so when necessary.
Candidates’ “right to be forgotten” means they can, at certain times, request that their data be deleted. This includes:
This means you may reasonably be asked to delete the reference checks of unsuccessful candidates. but you should also be considering the necessity of all candidate data you hold and destroying any that could be deemed unnecessary.
GDPR does not restrict the transfer of data outside of the EU, but it does set boundaries on where and how data can be shared internationally.
Under the regulation, countries are divided into two groups:
The European Commission has so far recognised the follow countries as providing adequate protection:
Overseas transfers to “Non-adequate” countries can still be made in some circumstances. In the case of reference checking, this can be done if a candidate has been informed of the potential risks of the transfer and explicitly consents to you progressing with it.
We’re proud to offer the assurance of a fully GDPR compliant online checking platform. If you’d like to understand how Xref’s works, you can learn more here.