There can’t be anyone unaware of the General Data Protection Regulation (GDPR) changes which came into effect in May 2018.
Some businesses were proactive and prepared for the changes months ago and we’re still offering guidance and support to firms to help get their house in order.
Among those, we’ve seen recruitment agencies seek out our expertise to assist and shore up their policies and procedures around GDPR compliance.
It’s a growing sector – the number of newly-registered recruitment agencies in the UK rose at its fastest rate ever in 2017, with 9,001 starting up that year. An average of 818 new agencies registered each month during the past year. The number currently trading stands at a record 35,275.
Recruitment agencies are effectively data businesses as they handle personal details day in and day out.
Personal data, including name, phone number, email address, a photo and salary information may typically be stored centrally on a database system. It may also be kept separately by individual recruiters on phones or tablets.
GDPR impacts how personal data can be acquired, stored and used. Even though a candidate may post their information on a job board or LinkedIn, that doesn’t give a recruiter a carte blanche to download and process that personal information.
To obtain permission, recruiters are required to confirm to the data subject exactly what their personal data will be used for, who specifically it will be shared with, where it will be stored and how long it will be stored.
Consent is required for each specific purpose, and the option – and the method – to withdraw consent must be clearly demonstrated. This is significant for recruiters working with vulnerable individuals, where the rights of those individuals will need to be specifically stated in a way that is easily understood.
GDPR makes it harder for recruiters to have arm’s length relationships with candidates and a lot more effort will need to be put into developing robust recruitment processes that meet the guidelines.
When it comes to adopting GDPR best practices, one of the biggest hurdles is making sure everyone in your agency knows what’s required of them. If everyone is still working in silos, with different databases, out of Outlook folders or spreadsheets, then you’ll find meeting the GDPR requirements extremely difficult.
You may consider centralising and simplifying your data management, to make it easier to monitor and maintain GDPR guidelines.
Candidates have the right to know why you want their data and what you’ll use it for, so a GDPR-friendly set of candidate-facing terms and conditions should cover:
- How you store candidate information
- How long you keep that candidate information
- What rights candidates have to access their data
- The right for candidate data to be deleted on request
- The reasons why you are storing their data
Your agency’s privacy policy is something else that may need updating. Under GDPR regulations, you’ll need to include your legal right to process information, what your data retention period is, and how candidates can complain to the Information Commissioner’s Office (ICO) if they’re unhappy with how you handle data.
GDPR requires you to write this updated privacy document clearly and concisely and make it readily available, too. By law, privacy policies, terms of use and candidate agreements will have to be written simply and without endless small print. Candidates also need to be informed on how exactly you plan to use their data - so no pre-ticked boxes.
A data breach means a candidate is likely to suffer damage in the form of identity theft or a confidentiality breach. If this happens, you’ll need to notify the ICO. If a data breach does occur, you need to ensure that you have the right processes in place to detect, report and investigate it.
To recap, GDPR is designed to protect the rights of 750 million people across the EU.
Candidates must give explicit consent - or recruiters must demonstrate a legitimate interest - for personal data to be collected and used.
Candidates can object to the processing of their data for profiling purposes, and they can at any point request that their personal data be deleted when it's no longer required.
If your business is found not to be adhering to ICO guidelines or GDPR best practices, there will be penalties: you could end up with a fine of €20 million or 4% of global turnover, whichever is higher.
So, it’s clear why recruitment agencies – and every business that handles personal data – must be clued up and switched on about the new regulations, follow the GDPR to the letter, and be able to demonstrate compliance.