We’ve all heard of GDPR (though if you haven’t, it is the General Data Protection Regulation) and read the doom-laden headlines spelling the end of recruitment as we know it. But how much of this is true? How much impact will the new data protection legislation have on the recruitment industry and how it operates? And how will the new regulation change the risk that recruitment agencies face?
Recruiters rely on data; heck, they love it! And there is an awful lot of personal data involved in recruitment, so it’s important that everyone in a recruitment agency – from director to administrator – understands the importance of data protection and how the rules will change under GDPR.
Definition: “‘Personal data’ means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
There are two key data types that you should be aware of: personal data and sensitive personal data. Names, addresses, email addresses – even IP addresses – could be classed as personal data. Sensitive personal data is any personal data that could reveal (either on its own or in combination with other ‘standard’ personal data) racial or ethnic origin, political, religious or philosophical beliefs, trade-union membership or sexual orientation.
The majority of the data that recruiters hold will be personal data. Whether your recruitment agency uses databases, CRMs, jobs boards, cold-calling agencies, cloud storage or simply has stacks-upon-stacks of CVs lying around your offices, you’re going to have to review your approach to data protection in 4 areas.
- Consent and Processing
GDPR changes how, when and why you can collect, process and store data. Traditionally the recruitment industry has taken an email with an attached CV as consent to a) store the data relating to the CV; b) share the data relating to the CV with companies; and c) email job opportunities to that individual. Now, clear and distinguishable consent (that can be withdrawn) must be provided; it can no longer be presumed, inferred or neutral (such as a pre-ticked box). It must be actively given.
- Data Sharing
As mentioned, sharing data with third parties will become even more heavily regulated. This doesn’t just mean sharing your candidates’ information with companies, but also receiving data from jobs boards and CV sites, or from umbrella or payroll companies. All contractual relationships with third parties should be reviewed to ensure GDPR compliance.
- Individual’s Rights
The GDPR further extends individuals’ rights in relation to their data; it enforces the concept that individuals are the owners of their own data. As well as the right to withdraw consent at any time (see above), GDPR provides the ‘right to be forgotten’. This means that individuals can request that personal data is erased when it’s no longer required by your organisation (e.g. once they have found a job), if they withdraw consent, or if you process it unlawfully. Another right that may be a concern to recruiters is data portability, which gives individuals the right to request that their data is moved to another controller (such as another recruitment agency) in a commonly-used or ‘usable’ format.
- Data Security
Though the ‘old’ DPA required data controllers to protect their data, GDPR emphasises the importance of the security of personal data. GDPR also defines a tool, ‘pseudonymisation’ (replacing the directly identifying fields in a record with a reference, with the information needed to link that reference back to the individual held separately), that can be used alongside encryption to increase the security and robustness of the data that you control. Consider also that fines are increasing, so security – and the risks posed by a lack of security – are becoming more serious concerns.
Approaching this can be daunting. There are plenty of seminars and training available, but ensure you’re being taught by a reputable and professional organisation. Normally this would be either a law firm or a compliance consultancy. Also, read up about data controller training and whether you need to send your staff on specialist training before GDPR kicks in. Bates Wells Braithwaite, a leading law firm, are holding several GDPR briefing seminars that may help.
BWB ‘10 Months to Go’ Seminar: http://www.bwbllp.com/events/2017/07/04/gdpr-event-session
BWB ‘6 Months to Go’ Seminar: http://www.bwbllp.com/events/2017/11/23/gdpr-event-session
BWB ‘3 Months to Go’ Seminar: http://www.bwbllp.com/events/2018/02/27/gdpr-event-session