By now most recruitment agency owners have heard of the General Data Protection Regulation (GDPR) changes which will come into effect in May 2018. However, we’re not all clued up about what it means in practice and what we need to do to prepare for these new regulations.
As I keep saying, recruitment agencies are data businesses and as we deal with data every single day, any changes to data regulations are going to hit us hard. Of course, there’s a lot for recruitment agency owners to work with here, but to focus this blog, we’ve chosen to discuss the candidate side of GDPR requirements. Let’s dive in…
GDPR is focused on candidates’ rights over their personal information, bringing the UK in line with regulations that already exist in countries like Germany, Canada, and Australia.
From May 2018, candidates will have to give explicit consent - or you will have to demonstrate another lawful basis, such as a legitimate interest - before their personal data can be collected and used. Candidates can object to their data being processed for profiling, and they can ask at any point for their personal data to be deleted once it is no longer required.
If the ICO finds your agency in breach of GDPR, the penalties are severe: fines of up to €20 million or 4% of global annual turnover, whichever is higher.
There’s a lot here to think about, so here’s how to prepare your recruitment agency for GDPR in six steps…
You need to make sure that you, and everyone in your agency, know what they need to do to prepare for GDPR. To do so, my advice would be to appoint one person to become your ‘Data Protection Officer’. (Under GDPR the Data Protection Officer is a formal role with defined duties, and appointing one is only mandatory for certain kinds of processing; even where it is not required, naming one person who is accountable for data protection is good practice.)
This will help your agency centralise all the areas you’re exposed in, and create a consolidated plan of action to become compliant with the new regulations. By appointing one person, you begin the process of determining exactly what is needed to prepare effectively for GDPR.
What’s important here is to identify how you are currently storing and collating information, alongside any places where you need candidate consent or where you’re responsible for holding candidate data.
This includes shared folders, Excel lists, databases, website registrations, event lists, timesheets, and pay and bill information.
Pay attention to the personal data you hold, where it came from, and whom you share it with.
New GDPR legislation means you’ll be required to maintain records of how you process all personal data within your agency. If you discover you’ve shared inaccurate candidate data with another agency, client, or payroll company, you’re obliged to let them know so they can correct it.
One of the key principles of GDPR is accountability, meaning you must show how your agency complies with the updated data protection principles.
So, you’ll be assessed on how effective your policies and procedures are in upholding GDPR requirements.
It’s important to note that there isn’t a badge or a certificate you can get here to say that you are GDPR compliant. Instead, GDPR is all about showing intent and doing everything you can to provide transparency around how you handle and process candidate d
So, just like appointing one person as your ‘Data Protection Officer’ you also need to focus on centralising and simplifying your data management. This makes it easier for you to monitor and maintain GDPR guidelines, and it makes it easier for your recruiters to do so, too.
Once you’ve audited your current data processes and determined the areas you need to improve, you’ll be well on the way to nailing down some basic candidate terms of use or engagement. But it’s important to flesh this out and develop a coherent, GDPR-friendly set of candidate-facing terms and conditions.
This should cover:
The important thing here is transparency. Candidates need to know why you want their data, and what you’ll use that data for. To achieve this transparency, you need complete clarity on your data policy.
Effectively, GDPR updates current candidate rights under the Data Protection Act (DPA). If you’re currently compliant with the DPA, then you shouldn’t have much to worry about here. But, even so, it’s worth reviewing your data policies with the new GDPR requirements in mind.
Your agency’s privacy policy is likely something else that needs an update. Under GDPR, it will need to state the lawful basis on which you process candidate data, how long you retain it, and how candidates can complain to the Information Commissioner’s Office (ICO) if they’re unhappy with how you handle their data. GDPR requires this updated privacy notice to be written clearly and concisely and to be readily available. By law, privacy policies, terms of use and candidate agreements will have to be written in plain language, without endless small print. Candidates also need to be told exactly how you plan to use their data, and consent must be given by a clear affirmative action - so no more pre-ticked boxes!
A personal data breach under GDPR is any security incident that leads to the accidental or unlawful loss, alteration, unauthorised disclosure of, or access to personal data - for example, a candidate’s CV being emailed to the wrong client, or a laptop holding your database being stolen. Where the breach is likely to put candidates at risk (identity theft or loss of confidentiality, for instance), you must notify the ICO within 72 hours of becoming aware of it, and where that risk is high you must also tell the affected candidates without undue delay. Currently, many businesses aren’t required to notify the ICO at all when a breach takes place; GDPR changes this. You will therefore likely need to add to and update your internal procedures to safeguard against a data breach, and to make sure that if one does occur you have the processes in place to detect it, investigate it, and report it within the deadline.
The upcoming GDPR requirements present some significant challenges for recruitment agencies. And there is a lot to cover. To round off this blog, here are some specifics to focus on:
So, there's your crash course in what GDPR means for recruitment agencies.
You need to be prepared for a dramatic shift in the way you engage with candidates, and prepare for a considerable amount of reshuffling in the way you process data.
However, in many ways this should help the agencies that already handle data responsibly to stand out and gain increased respect for how they operate and value their data.
In fact, we've even created an eBook on how GDPR can benefit your recruitment agency, which you can download below!
To help you stay up to date with GDPR best practices, consult data specialists BTO’s GDPR updates page.
Please note: This article has been edited to reflect updates on GDPR released by the ICO. The content of this blog should not be taken as legal advice and does not offer full comprehensive guidance.