As a recruiter, personal data is essentially your stock-in-trade. From the point when candidates submit their CVs, right through the hiring procedure and beyond, the processing of this data is all part of your service. Talent management and good data management go hand-in-hand, and data protection compliance is a vital element of this.
The General Data Protection Regulation (GDPR) replaces the old Data Protection Act. It brings forth a new data law framework; one that all organisations, including recruitment firms, need to get to grips with. Here, we’ll explain how GDPR impacts the recruitment industry and outline some of the key areas recruiters should focus on to stay on the right side of the new law.
GDPR: what is it – and what does it mean for recruiters?
The old Data Protection Act was drawn up in a pre-LinkedIn and pre-Indeed world when even the concept of ‘the Web’ itself was still a novelty. Simply put; the law needed to catch up. Hence the arrival of the GDPR: the all-new “rulebook” on how to process the personal data of EU citizens lawfully and securely.
The GDPR aims to make it easier for individuals to access services with confidence that their data will be safeguarded and won’t be misused by the organisations who hold it. The new law also seeks to give individuals better control over what happens to that data and who has access to it.
From contact details through to salary expectations and even health information, in-house and external recruiters typically find themselves in control of some of the most sensitive information individuals have to offer. The data regulator (i.e. the ICO in the UK), is well aware of this. Recruiters who fail to take compliance seriously could find themselves sleepwalking towards fines, interventions and other penalties. Find out more about GDPR fines and penalties from our experts right here.
Beyond this, and once GDPR is implemented, it’s a fair assumption that individuals will become better aware of their privacy rights and generally more “security savvy”. Meanwhile, employers will be more aware than ever of the need to choose external partners who take data safeguarding seriously.
The result? Recruiters with a reputation for playing fast and loose with personal data may find that their supply of candidates and clients alike could soon dry up.
Key aspects of GDPR for recruiters
For employment consultants, in-house HR managers and external partners working with clients, here are some of the ways in which the new rules are likely to impact your core activities.
Candidate consent and lawful processing
A passive candidate sees an ad for a great job. She clicks through to the recruitment agency’s site, completes the form and attaches her CV. Weeks later, to her surprise, the candidate gets an email from another organisation, inviting her to apply for a completely different role.
Recruiters need the consent of individuals to process their data and under the new law, the type of scenario above shouldn’t be allowed to happen. GDPR strengthens the conditions for obtaining that consent. Vague, “catch-all” consents are now effectively prohibited. You need specific permissions for specific purposes and these should be easy to understand and expressed in plain language.
For recruitment specialists, this demands a focus on the following:
- Identify your required purposes for personal data processing. Forwarding on a CV to a particular employer, posting it on a publicly accessible database, storing it, using the contact details to promote your premium employee consultancy services: these are all distinct purposes.
- Unbundle your existing permissions. For each and all of your personal data processing operations, you should have distinct consents from individuals.
- Can those consents be withdrawn? Take the applicant who still wants to receive job alerts from you, but no longer wants her details to be available in your searchable database. You should make it easy for individuals to withdraw permissions for data processing linked to distinct processing purposes.
Enabling individuals to exercise their rights
An applicant applies for a job at your company. He isn’t hired this time, but you offer (and he agrees) to keep his CV on file for the future. Much later, he asks you to confirm whether you still have his details on file – and to delete them.
First off, it’s worth noting that even something as simple as keeping a CV on file is “data processing”. And the example above touches upon two important data rights for individuals: the right to confirmation of whether data is being processed – and the new “right to be forgotten” (see more here).
In other areas, candidates have the right to rectification – e.g. to fix out-of-date info on your talent database, as well as the right to know if their personal data is being used in profiling.
Recruiters need to get to grips with these rights, looking carefully at what changes are needed to platforms and databases to enable individuals to exercise them.
Processor or controller?
Beyond sourcing and broad talent management, some operators in the recruitment field have a narrow, specialist role: conducting or arranging assessments for instance, or carrying out an initial paper sift of applicants.
Many such companies are classed as “data processors” under GDPR; i.e. they carry out specific tasks on behalf of the “data controller”. For the first time, GDPR places new, direct statutory obligations on data processors. And controllers (e.g. employers and agencies), as well as processors, need to get to grips with new record keeping and reporting requirements, which you can read about here.