The deadline for compliance with the General Data Protection Regulation (GDPR) has now passed. Busy people in the recruitment industry who work long hours, rarely take a lunch break and haven't yet got to this are probably feeling concerned right now. Those in the recruitment industry who are not yet compliant will need to make significant changes to how their business collects, holds, processes and shares candidate data.
For recruiters, as for all organisations, the GDPR involves an overhaul of data protection policies, privacy policies, contracts, technology and more. Moreover, the new rules are also likely to force a shake-up in the recruitment industry, as agencies are forced to rethink their recruitment strategies.
The premise of the GDPR is to increase the data privacy rights of individuals in our increasingly digital world, where people feel they have lost control of their data. And so, the GDPR increases the responsibility of organisations that process client data, forcing them to strengthen their protection of individuals' privacy rights.
This is particularly heightened around the rules on consent as a lawful basis for processing. And the recruitment industry relies heavily on consent to process and maintain candidate data.
Under the GDPR, candidates must consent to recruiters controlling and processing their data. It gives candidates full control over how, when and if you can contact them, whether by email, SMS or phone. Without clear and recent consent, recruiters cannot collect or retain personal data on their files.
Recruiters will need to make sure that initial data capture is kept to a minimum until potential candidates opt in to communications, via a tick-box on their website, for example. This must also be accompanied by a clearly laid out privacy notice, alerting candidates to how you would like to use their data.
If recruiters fail to make a placement, they must be wary of retaining candidate data for too long – consent must be refreshed. The same applies to client data for successful applicants. If consent is not refreshed and the account is inactive, the data must be deleted.
Under the GDPR, it is not enough to be compliant: the recruitment industry, like all other industries, must be able to demonstrate compliance. This involves a data audit and data mapping, so you can track the entire lifecycle of the personal data that enters and leaves the business.
Larger recruitment agencies, or businesses that process personal data on a large scale, will need to appoint a Data Protection Officer (DPO). This could be an external appointment, or someone internal could double up. However, the DPO must remain independent and impartial with respect to any data processing that occurs within the business – for example, they cannot be account handlers or work in HR or marketing, where a lot of personal data is processed.
The recruitment industry must also be prepared for an increase in Subject Access Requests, as under the GDPR organisations must respond more quickly – within a month – and the requests are now free of charge. General advice is to conduct a Data Protection Impact Assessment (DPIA) to make sure your business can cope with the demand.
The reporting levels required by the GDPR are likely to require a review of CRM systems and general IT infrastructure within the recruitment industry. Similarly, the GDPR requires organisations to use up-to-date technology and to employ encryption and anti-virus software, for example, so that systems are robust. This is to help prevent data breaches and cyber-attacks.
In the event of a data breach, recruiters must know what to do. For example, if personal data is likely to be at risk, the business must report the breach to the ICO within 72 hours. For serious data breaches, they must also inform the individuals at risk.
Failure to report a serious data breach can result in a 10 million Euro fine. And for serious breaches, the ICO has the power to fine organisations up to GBP 17 million or 4% of global turnover, whichever is greater. However, to help with GDPR compliance, the ICO provides plenty of helpful information and templates.
For recruiters still preparing for the GDPR or looking to expand their knowledge of the legislation, Me Learning has developed a portfolio of flexible, online courses, endorsed by Clayden Law.