Employers should consider their approach to advertising vacancies and seeking talent. Particular risks include targeted marketing or approaches, and the retention of unsuccessful candidates' details for future recruitment activities.

Where employers use recruiters, headhunters or other similar agencies, employers should be aware that this may carry additional risks. Employers should ensure that any third party involved in recruitment processes is complying with applicable data protection legislation as employers otherwise may find themselves subject to complaints and/or regulatory action in relation to personal information provided to or by such third parties.

Where employers, and in particular HR teams, are either based in multiple jurisdictions or are coordinating international recruitment programs, careful thought must be given to the data protection applicable in each relevant jurisdiction.

CVs, résumés and other application documentation commonly contain personal information, and often particularly sensitive or valuable information relating to the individual in question. Employers must ensure that this information is handled and stored appropriately. For example, CVs should be circulated only to those who need access to such information, and managers should be encouraged to safely dispose of or delete such information once the relevant recruitment process has concluded.

Employers should take care with the information sought by application forms. The information sought should be related to the role in question. In particular, care should be taken to avoid collecting more information than the employer needs and potentially risky information (such as information pertaining to an applicant's religious beliefs).

Interview notes are often requested by unsuccessful candidates. Employers should take care to ensure that the content of interview notes is appropriate and that such notes have been collated and retained in an appropriate manner.

Pre-employment vetting / background checks, especially criminal record checks, are a particular area of risk for employers. In short, employers should ensure that they only seek information that is relevant to the particular role and only from appropriate sources, that access to such information is strictly limited and that it is stored and subsequently deleted / destroyed in a safe and secure manner.

Checks regarding an individual's nationality and right to work in a particular jurisdiction are an area of risk for employers. As a general rule, these checks should be carried out as late in the recruitment process as possible. It is important for employers to recognise that (i) such checks inevitably generate sensitive personal information and (ii) there may well be legal obligations requiring that such checks be carried out and/or that the resulting information be shared with government or other regulatory bodies.

Retention of unsuccessful candidate information is another common area of risk. If employers wish to retain such information, this should only be done with the express consent of the individual, access to such data should be strictly limited and in any event such data should be deleted within a specific period following the unsuccessful application.

For further details, see our Country comparison tool.

