By now most recruitment agency owners have heard of the General Data Protection Regulation (GDPR) changes which will come into effect in May 2018. However, we’re not all clued up about what it means in practice and what we need to do to prepare for these new regulations.
As I keep saying, recruitment agencies are data businesses and as we deal with data every single day, any changes to data regulations are going to hit us hard. Of course, there’s a lot for recruitment agency owners to work with here, but to focus this blog, we’ve chosen to discuss the candidate side of GDPR requirements. Let’s dive in…
What is GDPR?
The General Data Protection Regulation is designed to protect the rights of around 750 million people across the EU. It’s focused on their rights over their personal information, bringing the UK in line with regulations that already exist in countries like Germany, Canada, and Australia.
To put it simply, from May 2018 candidates must now give explicit consent for their personal data to be collected and used. And they must know exactly how their information will be used. Candidates can object to the processing of their data for profiling purposes and they can request their personal data be deleted when it is no longer required. They can also withdraw consent at any point and there will be penalties if you’re not working with GDPR best practices. You could end up with a bill of €20 million or 4% of global turnover - whichever is higher.
There’s a lot here to think about, so here’s how to prepare your recruitment agency for GDPR in six steps…
Step One: Get Clued Up
You need to make sure that you, and everyone in your agency, know what you need to do to prepare for GDPR. To do so, my advice would be to appoint one person to become your ‘Data Protection Officer’. This will help your agency centralise all the areas you’re exposed in, and create a consolidated plan of action to become compliant with the new regulations. By appointing one person, you begin the process of determining exactly what is needed to prepare effectively for GDPR.
Step Two: Map Out Your Exposure
Then, you need to map out every way a candidate provides their information to your agency and list the existing systems or touch points you have. What’s important here is to identify how you are currently storing and collating information, alongside any places where you need candidate consent or where you’re responsible for holding candidate data. This includes shared folders, Excel lists, databases, website registrations, event lists, timesheets, and pay and bill information.
Pay attention to the personal data you hold, where it came from, and whom you share it with. New GDPR legislation means you’ll be required to maintain records of how you process all information within your agency. If you’ve shared inaccurate candidate data with another agency, client, or payroll company then you’re obligated to let them know. One of the key principles of GDPR is accountability, meaning you must show how your agency complies with the updated data protection principles. So, you’ll be assessed on how effective your policies and procedures are in upholding GDPR requirements.
It’s important to note that there isn’t a badge or a certificate you can get here to say that you are GDPR compliant. Instead, GDPR is all about showing intent and doing everything you can to provide transparency around how you handle and process candidate data.
Step Three: Simplify Your Data Management
When it comes to adopting GDPR best practices, one of the biggest hurdles is making sure everyone in your agency knows what’s required of them. If everyone is still working in silos, with different databases, out of Outlook folders or spreadsheets, then you’ll find meeting the GDPR requirements extremely difficult.
So, just like appointing one person as your ‘Data Protection Officer’, you also need to focus on centralising and simplifying your data management. This makes it easier for you to monitor and maintain GDPR guidelines, and it makes it easier for your recruiters to do so, too.
This should cover:
- How you store candidate information
- How long you keep that candidate information
- What rights candidates have to access their data
- The right for candidate data to be deleted on request
- The reasons why you are storing their data
The important thing here is transparency. Candidates need to know why you want their data, and what you’ll use that data for. To achieve this transparency, you need complete clarity on your data policy.
Step Five: Review Your Data Policies and Privacy Information
Effectively, GDPR updates current candidate rights under the Data Protection Act (DPA). If you’re currently compliant with the DPA, then you shouldn’t have much to worry about here. But, even so, it’s worth reviewing your data policies with the new GDPR requirements in mind.
Step Six: Procedures for a Data Breach
A data breach here means an incident in which a candidate is likely to suffer damage, such as identity theft or a breach of confidentiality. If this happens, you’ll need to notify the ICO (the UK Information Commissioner’s Office). Currently, some businesses aren’t required to notify the ICO if a breach takes place, but GDPR changes this. Therefore, it is likely that you will need to add to and update your internal procedures to safeguard against a data breach. If a data breach does occur, you need to ensure that you have the right processes in place to detect, report and investigate it.
The upcoming GDPR requirements present some significant challenges for recruitment agencies. And there is a lot to cover. To round off this blog, here are some specifics to focus on:
- You need consent before you can use candidate data for anything, e.g. passing this information to a third party (your clients). Allowing candidates to access their own profiles and job-related activities can help demonstrate this.
- You need to keep documented proof of this consent and of any subsequent consent provided to share candidates’ details with a third party. Automating this is a big time saver, and it makes the consent record fully auditable for future reporting.
- Any candidate can request to be forgotten, removed, or even deleted, so working out a workflow that enables them to do so is going to be key.
- Email and SMS marketing must be opted in to by the candidate, and you must be transparent about how and when they did this.
So, there you go; a crash course in what GDPR means for recruitment agencies. You need to be prepared for a dramatic shift in the way you engage with candidates, and you need to prepare for a considerable amount of reshuffling in the way you process data. However, in many ways this should help to enable the good guys to come forward and gain increased respect for how they operate and value their data.
To help you stay up to date with GDPR best practices, consult data specialists BTO’s GDPR updates page. They've put together a great microsite and update email mailing list which you can opt into.
About the Author: Wendy McDougall is the CEO of Firefish Software. With just under 20 years’ experience in the recruitment industry, Wendy is on a mission to inspire the next generation of recruiters and help challenge the traditional recruitment agency model of doing things. In her spare time, you’ll find her enjoying some down time with the family, playing squash and feeding her inner geek with all the latest technology!