Recruitment Blog 2024 | Firefish Blog

GDPR: Preparing Your Recruitment Agency

Written by Wendy McDougall | Thu, Jun 22, 2017

By now most recruitment agency owners have heard of the General Data Protection Regulation (GDPR) changes which will come into effect in May 2018. However, we’re not all clued up about what it means in practice and what we need to do to prepare for these new regulations.

As I keep saying, recruitment agencies are data businesses and as we deal with data every single day, any changes to data regulations are going to hit us hard. Of course, there’s a lot for recruitment agency owners to work with here, but to focus this blog, we’ve chosen to discuss the candidate side of GDPR requirements. Let’s dive in…

What is GDPR?

General Data Protection Regulation is designed to protect the rights of around 750 million people across the EU.

It’s focused on their rights to their personal information bringing the UK in line with regulations that already exist in countries like Germany, Canada, and Australia.

From May 2018, candidates will have to give explicit consent - or recruiters will have to demonstrate a legitimate interest - for personal data to be collected and used. Candidates can object to the processing of their data for profiling purposes and they can request their personal data be deleted when it's no longer required at any point.

If your business is found not to be adhering to the ICO guidelines or working with GDPR best practices, there will be penalties: You could end up with a bill of €20 million or 4% of global turnover - whichever is higher.

There’s a lot here to think about, so here’s how to prepare your recruitment agency for GDPR in six steps…

Step One: Get Clued Up

You need to make sure that you, and everyone in your agency, knows what they need to do to prepare for GDPR. To do so, my advice would be to appoint one person to become your ‘Data Protection Officer’.

This will help your agency centralise all the areas you’re exposed in, and create a consolidated plan of action to become compliant with the new regulations. By appointing one person, you begin the process of determining exactly what is needed to prepare effectively for GDPR.

Step Two: Map Out Your Exposure

Then, you need to map out every way a candidate provides their information to your agency and list the existing systems or touch points you have.

What’s important here is to identify how you are currently storing and collating information, alongside any places where you need candidate consent or where you’re responsible for holding candidate data.

This includes shared folders, Excel lists, databases, website registrations, event lists, timesheets, and pay and bill information.

Pay attention to the personal data you hold, where it came from, and whom you share it with.

New GDPR legislation means you’ll be required to maintain records of how you process all information within your agency. If you’ve shared inaccurate candidate data with another agency, client, or payroll company then you’re obligated to let them know.

One of the key principles of GDPR is accountability, meaning you must show how your agency complies with the updated data protection principles.

So, you’ll be assessed on how effective your policies and procedures are in upholding GDPR requirements.

It’s important to note that there isn’t a badge or a certificate you can get here to say that you are GDPR compliant. Instead, GDPR is all about showing intent and doing everything you can to provide transparency around how you handle and process candidate d

Step Three: Simplify Your Data Management‎

When it comes to adopting GDPR best practices, one of the biggest hurdles is making sure everyone in your agency knows what’s required of them. If everyone is still working in silos, with different databases, out of Outlook folders or spreadsheets, then you’ll find meeting the GDPR requirements extremely difficult.

So, just like appointing one person as your ‘Data Protection Officer’ you also need to focus on centralising and simplifying your data management. This makes it easier for you to monitor and maintain GDPR guidelines, and it makes it easier for your recruiters to do so, too.

Read more: How Engaged is Your Candidate Database?

Step Four: Publish Your Candidate Terms of Use

Once you’ve audited your current data processes, and determined any areas you need to focus on improving, you’ll be well on the way to nailing down some basic candidate terms of use or engagement. But, it’s important to flesh this out and develop a coherent GDPR friendly set of candidate facing terms and conditions.

This should cover:

  • How you store candidate information
  • How long you keep that candidate information
  • What rights candidates have to access their data
  • The right for candidate data to be deleted on request
  • The reasons why you are storing their data

The important thing here is transparency. Candidates need to know why you want their data, and what you’ll use that data for. To achieve this transparency, you need complete clarity on your data policy.

Step Five: Review Your Data Policies and Privacy Information

Effectively, GDPR updates current candidate rights under the Data Protection Act (DPA). If you’re currently compliant with the DPA, then you shouldn’t have much to worry about here. But, even so, it’s worth reviewing your data policies with the new GDPR requirements in mind.

Your agency’s privacy policy is likely something else that needs an update. Under GDPR regulations, you’ll need to include your legal right to process information, what your data retention period is, and how candidates can complain to the Information Commissioner’s Office (ICO) if they’re unhappy with how you handle data. GDPR requires you to write this updated privacy document clearly and concisely and make it readily available, too. By law, privacy policies, terms of use and candidate agreements will have to be written simply and without endless small print. Candidates also need to be informed on how exactly you plan to use their data - so no more pre-ticked boxes!

Step Six: Procedures for a Data Breach

A data breach means a candidate is likely to suffer damage in the form of identity theft or a confidentiality breach. If this happens, you’ll need to notify ICO. Currently, some businesses aren’t required to notify ICO if a breach takes place but GDPR changes this. Therefore, it is likely that you will need to add to and update your internal procedures to safeguard against a data breach. If a data breach does occur, you need to ensure that you have the right processes in place to detect, report and investigate it.

Some Highlights

The upcoming GDPR requirements present some significant challenges for recruitment agencies. And there is a lot to cover. To round off this blog, here are some specifics to focus on:

  • To keep you right, every new candidate should be made aware of your agency's intentions and purpose for storing their data. Allowing a candidate to understand and agree to your agency's data guidelines at the point of candidate registration - or at the point of application from your website into your database - is a big tick (but no auto opt in!).
  • You either need candidate consent or to be able to demonstrate a legitimate interest before you can store candidate data or pass this information to a third party (your clients). Therefore, allowing candidates to access their own profiles and job-related activities through a candidate portal can demonstrate this.  
  • You should always keep auditable proof of your candidates' agreement to share their details with a third party. Automating this process is a big time saver and will make it easy for future reporting.
  • Any candidate can request to be forgotten or removed, so working out a workflow to enable them to do so is going to be key.
  • Email and SMS marketing must be opted in to by the candidate and you must be transparent about how and when they did this.

So, there's your crash course in what GDPR means for recruitment agencies.

You need to be prepared for a dramatic shift in the way you engage with candidates, and prepare for a considerable amount of reshuffling in the way you process data.

However, in many ways this should help to enable the good guys to come forward and gain increased respect for how they operate and value their data.

In fact, we've even created an eBook on how GDPR can benefit your recruitment agency, which you can download below!

To help you stay up to date with GDPR best practices, consult data specialists BTO’s GDPR updates page.

Please note: This article has been edited to reflect updates on GDPR released by the ICO. The content of this blog should not be taken as legal advice and does not offer full comprehensive guidance.