Candidate Data Privacy Playbook

Candidate privacy compliance without guesswork

Builds a recruitment data handling playbook: lawful bases, retention periods, privacy notices, access requests, deletion workflows, and vendor controls.

Community | Work | 10 min

INGREDIENTS

📄Google Docs

PROMPT

Create a skill called "Candidate Data Privacy Playbook".

Inputs:
- Countries/jurisdictions where we recruit
- Data collected (CVs, notes, assessments, background checks)
- Where data is stored (ATS, spreadsheets, email, vendors)
- Whether we keep talent pools for future roles

Output:
1) Data inventory and purpose mapping
2) Lawful basis guidance (high-level) per data type
3) Retention schedule:
   - hired vs non-hired candidates
   - talent pool retention with refresh/consent logic where appropriate
4) Candidate rights workflow:
   - access request
   - correction
   - deletion/retention explanation
5) Privacy notice checklist (what must be stated)
6) Vendor/security checklist for recruiting tools

Do not give jurisdiction-specific legal advice. Provide a defensible operational checklist and recommend counsel review.

How It Works

Tell the skill where you recruit, what data you collect, and where it's stored.

It builds a data inventory, retention schedule, and candidate rights workflow.

What You Get

  • Data inventory and purpose mapping
  • Lawful basis guidance (high-level) per data type
  • Retention schedule (hired vs non-hired, talent pool logic)
  • Candidate rights workflow (access, correction, deletion)
  • Privacy notice checklist
  • Vendor/security checklist for recruiting tools

Setup Steps

  1. List jurisdictions where you recruit
  2. Inventory data collected (CVs, notes, assessments, background checks)
  3. Map where data is stored (ATS, spreadsheets, email, vendors)
  4. Note whether you keep talent pools for future roles
  5. Have counsel review the final playbook

Tips

  • Data you forgot about is still data — include email threads and spreadsheets
  • Talent pool retention needs a refresh/consent cadence
  • The deletion workflow saves you when access requests come in
  • This is an operational checklist, not jurisdiction-specific legal advice — involve counsel
Tags: #recruiting #privacy #data-protection #compliance