The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018. For most recruitment agencies, many of the main concepts remain as included in the current Data Protection Act. Those already DPA-compliant have a solid foundation for coming into line with the GDPR, which represents an extension of existing legislation and incorporates new elements.
That said, the complexity and the reach of those extensions and additions, not to mention the punitive repercussions for those found in breach of them, demand an immediate response. Ensuring compliance may take considerably more time, and potentially more money, than might be suggested at first glance. Beginning the planning stage now means agencies build in enough time to put procedures and processes into place to meet the new requirements, and also allows for more controlled budgeting of the costs.
The very nature of recruiting requires the collection, storage, retention and dissemination of data. Therefore, both the DPA and the GDPR go to the very heart of the industry. Whilst a large portion of the regulation aims at keeping Joe Public shielded from the unwanted attention of aggressive marketing campaigns, the impact on recruiting has the potential to be challenging. Recruiters collect and store data in an effort to help candidates find roles and so that clients may source required talent. However, such data in the wrong hands leaves candidates, and in some cases clients, vulnerable. The GDPR aims to limit those vulnerabilities by giving data subjects increased rights and controls over their personal data, including amendment and withdrawal. Here, we take a look at the key points of the GDPR with which recruiters need to concern themselves.
- Processing and consent – GDPR requires additional transparency in informing individuals when, why and how their data is being collected, processed, stored and shared. Consent must be proven to have been given freely. The process for gaining consent must be made in clear, plain language and be separate from other terms. Importantly, separate consent must be sought (and gained) for separate activities.
- It must be as easy for candidates to withdraw consent as it is to give consent and the process for this must be clearly stated.
- Candidates have the right to amend their data and to gain access to their data in order to know how it is being used. The process for this must be clearly stated.
- Candidates have the ‘right to erasure’, also known as the ‘right to be forgotten’. The process for this must be clearly stated.
- Candidates have the right to request their personal data in a structured and commonly used format so it can easily be transferred to another data controller (data portability). The process for this must be clearly stated.
- Data controllers must now respond to requests for information within 1 month (reduced from 40 days as stipulated by the DPA).
- Security must be ensured and ‘appropriate to the risk’. Processes and functions such as data encryption must be proven to be in place to protect against the threat of cyber theft. Recruiters must have the ability to restore data in the event of a cyberattack. As of May 2018, all breaches must be reported within 72 hours of discovery, and ‘serious’ breaches must be reported to the Information Commissioner’s Office.
So, what does this mean, day-to-day, for recruiters?
- Recruiters will need to consider database cleansing to remove historic candidates. Current candidates who have not given consent as dictated under the GDPR will also have to be removed. To avoid this, recruiters are advised to put in place, as soon as possible, the processes required for gaining consent to the new standards.
- Data sharing restrictions will mean individual consent will have to be obtained from each candidate for separate activities.
- Data sharing extends beyond the remit of sharing candidate information with clients. For agencies using the services of an RPO, umbrella or payroll company, it is essential to have a GDPR-compliant agreement in place.
- Job board usage – how data is collected and used will come under scrutiny. Policy will need to be carefully reviewed.
- Any agency considering new database software or applicant tracking systems should ensure that software will be GDPR compliant.
- Social media policies will need to be reviewed to eliminate inadvertent breaches of client or candidate information. Ensure your recruiters know what they can and what they can’t do, share and say.
- Data portability rights leave agencies exposed on the client side. It may be advisable to begin including additional clauses in contracts to limit free migration of data, as this has the potential to reduce the value of key client contracts. Candidates too can request any additional information gathered as to their skills, etc. This may be less easy to prevent.
In the event the GDPR is not followed, candidate or client claims for compensation will become significantly easier. Agencies found to be non-compliant with the GDPR could face fines of up to 4% of annual worldwide turnover and €20M (e.g. for breach of requirements relating to international transfers, or basic principles for processing, such as conditions for consent) or 2% of annual turnover and €10M.
It may feel as though recruitment agencies are being heavily burdened with increased legislation, and the penalties for non-compliance are considerable. However, there are some positive take-aways from the changes. Upgraded security measures are highly advisable: breaches in cyber security drastically reduce the value of a business, even assuming data can be retrieved. The requirement for general notification to the DPA of a controller’s data processing activities has been removed. Now, controllers are simply required to be accountable for their data processing (although there must still be evidence of effective procedures in place). Perhaps the biggest benefit for recruiters is that of getting ahead of the curve. Clients and candidates want to know their data is safe and is being handled and stored responsibly. Change is coming; embrace it now and use it to gain the edge over your competitors.
Further information on preparing for the GDPR can be found here: ICO’s 12 Steps