Dealing with data – a guide for recruiters under the GDPR

By Nigel Jones

Co Founder of The Privacy Compliance Hub

April 2018

As a recruiter, personal data is essentially your stock-in-trade. From the point when candidates submit their CVs, right through the hiring procedure and beyond, the processing of this data is all part of your service. Talent management and good data management go hand-in-hand, and data protection compliance is a vital element of this.

The General Data Protection Regulation (GDPR) replaced the old Data Protection Act. It brought forth a new data law framework, one that all organisations, including recruitment firms, needed to get to grips with. After Brexit, the UK is now covered by the UK GDPR, which is essentially the same as the GDPR itself. Here, we’ll explain how GDPR (and UK GDPR) impacts the recruitment industry and outline some of the key areas recruiters should focus on to stay on the right side of the new law.

GDPR: what is it – and what does it mean for recruiters?

The Data Protection Act was drawn up in a pre-LinkedIn and pre-Indeed world when even the concept of ‘the Web’ itself was still a novelty. Simply put, the law needed to catch up. Hence the arrival of the GDPR, which details how to process the personal data of EU citizens lawfully and securely.

The GDPR aims to make it easier for individuals to access services with confidence that their data will be safeguarded and won’t be misused by the organisations who hold it. The law also seeks to give individuals better control over what happens to that data and who has access to it.

From contact details through to salary expectations and even health information, in-house and external recruiters typically find themselves in control of some of the most sensitive information individuals have to offer. The data regulator (i.e. the ICO in the UK) is well aware of this. Recruiters who fail to take compliance seriously could find themselves sleepwalking towards fines, interventions and other penalties. Find out more about GDPR fines and penalties from our experts right here.

In light of the GDPR, individuals have become better aware of their privacy rights and generally more “security savvy”. Meanwhile, employers are more aware than ever of the need to choose external partners who take data safeguarding seriously.

The result? Recruiters with a reputation for playing fast and loose with personal data may find that their supply of candidates and clients alike could soon dry up.

Key aspects of GDPR for recruiters

For employment consultants, in-house HR managers and external partners working with clients, here are some of the ways in which the GDPR impacts your core activities.

Candidate consent and lawful processing

A passive candidate sees an ad for a great job. She clicks through to the recruitment agency’s site, completes the form and attaches her CV. Weeks later, to her surprise, the candidate gets an email from another organisation, inviting her to apply for a completely different role.

In most circumstances, recruiters need the consent of individuals to process their data under the GDPR, and the type of scenario above shouldn’t be allowed to happen. GDPR has strengthened the conditions for obtaining that consent. Vague, “catch-all” consents are now effectively prohibited. You need specific permissions for specific purposes and these should be easy to understand and expressed in plain language.

For recruitment specialists, this demands a focus on the following:

  • Acknowledge that CVs fall under the protection of the GDPR. Information in them must be processed securely, accurately and only in accordance with the purpose for which it was collected.
  • Identify your required purposes for personal data processing. Forwarding on a CV to a particular employer, posting it on a publicly accessible database, storing it, using the contact details to promote your premium employee consultancy services: these are all distinct purposes.
  • Unbundle your existing permissions. For each and every one of your personal data processing operations, you should have what is known as a legal basis, e.g. consent (and implied consent isn’t sufficient).
  • Can those consents be withdrawn? Take the applicant who still wants to receive job alerts from you, but no longer wants her details to be available in your searchable database. You should make it easy for individuals to withdraw permissions for data processing linked to distinct processing purposes.

Enabling individuals to exercise their rights

An applicant applies for a job at your company. He isn’t hired this time, but you offer (and he agrees) to keep his CV on file for the future. Much later, he asks you to confirm whether you still have his details on file – and to delete them.

First off, it’s worth noting that even something as simple as keeping a CV on file is “data processing”. And the example above touches upon two important data rights for individuals: the ‘right of access’ and the ‘right to erasure’, otherwise known as the ‘right to be forgotten’ (see more here).

In other areas, candidates have the right to rectification – e.g. to fix out-of-date info on your talent database, as well as the right to know if their personal data is being used in profiling.

Recruiters need to get to grips with these rights, looking carefully at what changes are needed to platforms and databases to enable individuals to exercise them.

Processor or controller?

Beyond sourcing and broad talent management, some operators in the recruitment field have a narrow, specialist role: conducting or arranging assessments for instance, or carrying out an initial paper sift of applicants.

Many such companies are classed as “data processors” under GDPR; i.e. they carry out specific tasks on behalf of the “data controller”. The GDPR places direct statutory obligations on data processors. And controllers (e.g. employers and agencies), as well as processors, need to get to grips with new record keeping and reporting requirements, which you can read about here.

Remaining compliant when sending emails to candidates

Candidates usually provide consent for data processing when applying for jobs, but often recruiters will store candidate data in case their profile fits a future job ad too. It’s best practice to ask for consent for storing this data when sending a rejection email to a candidate, clearly stating that you’d like to keep them informed of any future vacancies that may be suitable, giving them the option to opt out, and specifying the timeframe for which you plan to store their details.

Your route to compliance

Here’s how your HR department or agency can get equipped to become GDPR-compliant:

  • Get familiar with the GDPR. What are the data rights that most likely apply to your organisation? How can you begin to tackle the data security essentials for now and the future? Our GDPR resources section is packed with valuable pointers.
  • Understand your personal data estate. Only with a clear view of the data under your control and how that data flows through your organisation will you be able to understand your specific compliance risks. Our guide to data mapping is designed to help you tackle this.
  • Bring it all together with the Privacy Compliance Hub. Packed with essential templates, documents and a complete methodology for compliance, agencies, HR heads and support service providers alike should check out the Hub for keeping on top of GDPR.

For a closer look at what the Privacy Compliance Hub can offer your organisation check out our demo. For further info on how we can help, don’t hesitate to get in touch!
