Learn more about one of the biggest issues in HR technology today and how Hollaroo can help you meet the challenge

The business world is talking about the importance of the General Data Protection Regulation (or the GDPR), but few companies really understand the implications of non-compliance. We believe it's our role to help educate organisations about the actions they need to take to ensure they are GDPR compliant.

Here we cover how the GDPR will impact the handling of "passive talent" - those candidates not actively involved in a selection process.

Key Elements of GDPR

The GDPR is wide-ranging and there is a lot of confusion about what is required. In our introduction to GDPR we introduced the three themes of privacy by design, legal basis for processing and user rights. For processing the personal information of passive candidates these themes can be split into six key elements:


Whereas other legal bases could (and should) be used for processing active candidates it is clear that "informed consent" will be the best basis for processing passive candidates. The rules around consent with GDPR are much more onerous than before, consent must be specific for a purpose, explicit and a record must be kept of when consent is given.


You must have a justifiable policy and process in place for managing a period of data retention of the user's data - and this needs to be made clear to the candidate at the point when they are giving consent.


The person whose data you are storing must be able to see what data you have and be able to notify you of any updates or errors. These rights come with tighter time-limits for responding to requests and you can no longer charge for this service.


The person has the right to withdraw consent and receive assurance that all information is deleted. Again there are strict time-limits so part of GDPR is being able to demonstrate that you know all the places where a candidate's data is stored.


Where you store data must be secure by design and ideally the data should be encrypted. It will no longer be acceptable to keep people's data in spreadsheets or other ad-hoc places.

Access Control

You should be able to control who has access to the data and have an audit trail in case of a data breach. This is another reason why spreadsheets of data or email inboxes will no longer be acceptable places to keep candidate data.

How this applies to Talent Pools

Talent pooling covers all methods of recording and engaging with people not actively involved in the application process. The three key areas you need to consider are how you acquire a person's data, how you store it and how you give them access to it.

Acquiring Data

You may get a person's data without their knowledge (for example from a public candidate database), with their knowledge but for a different purpose (for example someone applying for a job) or via someone registering specifically to be part of a talent pool.

If you acquired their data without their knowledge you have a very limited window in which you need to inform them that you are processing their data and get their permission to continue to do so. In that period you cannot use their data for any other purpose than to get their consent.

The legal basis for processing active applicants will typically not include consent, in fact it is positively discouraged to ask for consent at the point of application. Therefore, if you want to retain someone's data for marketing purposes after the application process is over you need to obtain consent at that point.

When you are obtaining consent the key principle is that you offer the candidate "real choice and control".

Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.

Secure Storage

The GDPR covers all forms of data storage, not just electronic, and the security, audit and access control requirements mean that printouts, spreadsheets and email inboxes will no longer be acceptable places to store data.

As outlined in our article on privacy by design, you have an obligation to implement technical and organisational measures that show you have considered and integrated data protection into your processing activities.

User Access

A core principle behind GDPR is giving users visibility and control of their data. You need to be prepared for users asking for copies of their data and for it to be removed at any time. You also need to be prepared to allow amendments on demand.

Because talent pools tend to be maintained over long periods of timeit is very likely that candidates will want to keep track of what data you have and make changes as these reflect their development. You need to be prepared to comply with a large volume of requests for access - especially if your talent pools are very large.

Concerned about GDPR? We can help!

Get in touch to learn more about our easy to implement solutions or talk to our network of GDPR experts

Complete and submit this form and we'll get back to you as quickly as we can.