7 reasons why GDPR will affect your employee referral programme

By Gary Berney


May 25th is fast approaching and there’s no doubt every HR department, along with their colleagues in IT, is in the throes of ensuring the company meets the GDPR standards. We’ve looked at one specific area, your employee referral programme, to help you ensure you remain compliant with the latest regulations. We’ve identified 7 tasks to look at:


  • People handing in CVs will no longer be appropriate. When collecting data you will be required to ask for permission to use it. An employee handing in a friend’s CV for consideration is not direct consent from the person applying for the role. You’ll need to do a couple of things to stay compliant. First, email the candidate to ask for consent to use their information and to explain how you intend to hold it. Second, digitise the CV and shred the original, so that personal data isn’t left sitting on a desk.


  • You must have the appropriate levels of security for any data you store. This includes encryption and access controls. Again, a CV left on your desk is not secure. As the company representative, which makes you a data controller under the legislation, you are fully responsible for protecting candidate data and using it lawfully.


  • Emailed CVs: If an employee emails a CV on to you, or if they pass on your email address and the candidate applies directly to you, you should always go back with an email acknowledging their CV and explaining how you intend to use the information. GDPR requires you to tell someone that you are collecting their data and how you are going to use it.


  • Data breaches must be reported to the affected people. They must be informed of how the data breach may affect their personal information within 72 hours.


  • You have to provide a candidate with the opportunity to request that you stop processing their personal data. In that instance, you must locate every place you are holding their information (e.g. in the HireUp referral app, an ATS or a spreadsheet) and delete it within one month of their request.


  • Building a talent database. Keeping historical records of candidate information, for cases such as future job vacancies, is not legal under GDPR unless you have specifically made it clear to the candidate that you will hold their information for a further set period of time and allow them to request that it is not kept.


  • GDPR will apply to any data already held, so quickly review your current databases, spreadsheets, physical documentation etc. to ensure it’s deleted if not compliant, or that you go back to the individuals whose data you hold and request to keep it for a specific time. It’s a great time to do a full cleanse of your database so you only hold relevant candidate information.


There’s certainly plenty to consider to become GDPR compliant so it’s worth automating what is invariably a manual programme to avoid any future difficulties.