“How will GDPR affect recruitment agencies? What must recruitment companies do to prepare for GDPR? Will GDPR end executive search as we know it? What does GDPR mean for the future of recruitment agencies?” With only 9 months to go before GDPR becomes enforceable on 25 May 2018, recruitment industry leaders are scrambling to prepare their agencies, and these are just some of the questions they are asking.
The answers to these questions lead only to more questions, and you begin to understand just how complex GDPR actually is. Lawyers and security experts have been upgrading their knowledge of GDPR and have a fair understanding of the law, but there is still a huge grey area when it comes to how exactly the law will be applied in specific circumstances. In this series, we will explore the most important questions that agencies are asking. Subsequent articles will delve into the details of various aspects of the regulation and their interplay with the recruitment sector.
Please note that these answers are for general information purposes and do not function as legal advice.
1. What is GDPR?
GDPR (the General Data Protection Regulation) is a new EU regulation that replaces the 1995 Data Protection Directive and the national laws that implemented it; in the UK that is the DPA (Data Protection Act 1998). Because it is a regulation rather than a directive, it applies directly in every member state without needing separate national acts. Its primary purpose is to replace a patchwork of national data protection laws with one unified law, with emphasis on giving EU citizens greater control and visibility over their personal data.
2. Will Brexit have any impact on GDPR?
GDPR’s territorial scope is not limited to companies established in the EU. Any company that processes “data about individuals in the context of selling goods or services to citizens in other EU countries”, or that monitors the behaviour of individuals in the EU, will have to comply with GDPR, whether or not the UK government chooses to keep GDPR after Brexit. The UK government has already said it will legislate for data protection rules modelled on GDPR even if the regulation itself ceases to apply. As most recruitment agencies in the UK either provide services to clients in EU countries or handle data about EU data subjects, GDPR will come into play irrespective of the Brexit terms.
3. What changes with GDPR?
GDPR gives ‘individuals’ or ‘data subjects’ greater control over their data and puts new obligations on organisations. The rules for collecting, storing, sharing, securing, maintaining/updating and otherwise processing personal data, and the legal basis an organisation must be able to show for each of those activities, will undergo a major overhaul. Agencies will have to make major changes to a number of data processes in order to comply with the regulation.
4. How exactly will GDPR affect the recruitment industry in the UK and the EU?
After GDPR comes into force, individuals will have a say in how their data is treated; as noted above, the entire data lifecycle will be impacted. In a nutshell:
- Companies will need a lawful basis for every processing activity. Consent is one of those bases (others, such as legitimate interests or performance of a contract, may also apply), but where an agency relies on consent it must be freely given, specific, informed and unambiguous, and it must be collected separately for each distinct processing activity rather than bundled. Individuals can withdraw consent at any time, and withdrawal must be as easy as giving it, after which their data can no longer be used for that specific process, or for all processes if they withdraw entirely.
- Individuals can object to recruitment agencies making decisions about them solely by running their data through an automated system, where those decisions have legal or similarly significant effects on them.
- Individuals will have the right to receive their data in a portable format and have it transferred to other companies/platforms, the right to have inaccurate data corrected, and the right to have their data erased in certain circumstances.
- Organisations will need to explicitly state how the data will be used, will be responsible for securing it, and will have to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (and the affected individuals, where the breach is likely to put them at high risk).
Please note that GDPR is a highly complex piece of legislation and there are several additions to and exceptions from these general rules of thumb. We will explore the nitty-gritty in the upcoming articles in this series.
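The consent rules above are where an agency’s candidate database usually has to change first: consent has to be recorded per purpose, with evidence of what the candidate agreed to and when, and a withdrawal has to stop further processing immediately. The following is an added illustration (our own example, not code from any product or from the regulation) of a small consent register that does this. The purpose names, the privacy-notice version strings and the `process` gate are assumptions chosen for the example.

```python
"""Granular, withdrawable consent register for a candidate database.

Added example: one consent record per processing purpose, an audit trail
of grants and withdrawals, and a gate that refuses processing once
consent is withdrawn. Purpose names and notice versions are illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Purpose(Enum):
    """Processing activities that each need their own, separate consent (assumed)."""
    JOB_MATCHING = "match candidate to vacancies"
    MARKETING = "send marketing emails"
    CLIENT_SHARING = "share CV with client companies"


class ConsentRequired(Exception):
    """Raised when processing is attempted without a live consent for that purpose."""


@dataclass(frozen=True)
class ConsentEvent:
    purpose: Purpose
    granted: bool               # True = consent given, False = consent withdrawn
    at: datetime
    notice_version: str | None  # privacy notice the candidate saw (None on withdrawal)
    source: str                 # how it was captured, e.g. "web-form", "email-link"


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class CandidateConsent:
    candidate_id: str
    events: list[ConsentEvent] = field(default_factory=list)

    def grant(self, purpose: Purpose, notice_version: str, source: str,
              affirmative_action: bool = True, at: datetime | None = None) -> None:
        # Silence, pre-ticked boxes or inactivity are not consent under GDPR,
        # so a grant that was not an active opt-in is refused rather than stored.
        if not affirmative_action:
            raise ValueError("consent must be an affirmative act; a pre-ticked box does not count")
        self.events.append(ConsentEvent(purpose, True, at or _now(), notice_version, source))

    def withdraw(self, purpose: Purpose, source: str, at: datetime | None = None) -> None:
        # Withdrawal takes effect immediately. The earlier grant is kept, not deleted,
        # because the agency must be able to show what it relied on before withdrawal.
        self.events.append(ConsentEvent(purpose, False, at or _now(), None, source))

    def is_permitted(self, purpose: Purpose, at: datetime | None = None) -> bool:
        """True if the latest event for this purpose (up to 'at') is a grant.

        Consent for one purpose never implies consent for another, so only
        events for exactly this purpose are considered.
        """
        when = at or _now()
        relevant = [e for e in self.events if e.purpose is purpose and e.at <= when]
        if not relevant:
            return False
        # sorted() is stable, so for equal timestamps the later-recorded event wins.
        return sorted(relevant, key=lambda e: e.at)[-1].granted

    def evidence(self, purpose: Purpose) -> list[ConsentEvent]:
        """Audit trail for one purpose: what was agreed, when, and via what channel."""
        return [e for e in self.events if e.purpose is purpose]


def process(candidate: CandidateConsent, purpose: Purpose, action):
    """Gate a processing step on live consent; the action runs only if permitted."""
    if not candidate.is_permitted(purpose):
        raise ConsentRequired(f"{candidate.candidate_id}: no live consent for '{purpose.value}'")
    return action()


if __name__ == "__main__":
    # Constructed walk-through: consent given for matching only, then withdrawn.
    cand = CandidateConsent("cand-001")
    cand.grant(Purpose.JOB_MATCHING, notice_version="privacy-notice-2018-05", source="web-form")
    print(process(cand, Purpose.JOB_MATCHING, lambda: "matched against 3 vacancies"))
    print("marketing permitted:", cand.is_permitted(Purpose.MARKETING))
    cand.withdraw(Purpose.JOB_MATCHING, source="email-link")
    try:
        process(cand, Purpose.JOB_MATCHING, lambda: "matched again")
    except ConsentRequired as exc:
        print("blocked:", exc)
    for event in cand.evidence(Purpose.JOB_MATCHING):
        print(event)
```

The design point is that the register stores events rather than a single boolean per candidate: a withdrawal is a new event, so the agency keeps proof of the original grant (notice version, channel, timestamp) while `is_permitted` answers the only question the processing code needs. Checking `is_permitted(purpose, at=...)` against a historical timestamp also lets you answer “was consent live when we shared this CV on that date?” during an audit or a complaint.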
5. What are the consequences of GDPR non-compliance?
GDPR penalties follow a two-tiered approach. For breaches of the provisions considered of utmost importance to privacy and data protection (such as the principles, the lawful bases and data subjects’ rights), businesses found to be non-compliant could face steep fines: an upper limit of €20 million or 4% of annual global turnover (based on the preceding financial year), whichever is higher. For breaches considered of lesser relative importance (largely the controller’s and processor’s administrative obligations), the upper limit is halved to €10 million or 2% of annual global turnover, again whichever is higher.
It is to be noted that these are the highest possible penalties, not the typical ones. For comparison, the maximum fine under the UK DPA is £500,000, and the highest fine issued to date under it, for a very serious breach of the act, was £400,000.
Stay tuned for more on GDPR and recruitment
In the coming weeks, we will delve deeper into the specific ways GDPR can affect recruitment agencies and the steps your business can take to meet these challenges.
The QX team has been working hard to ensure that our clients and our business are prepared for GDPR before May 2018, and we have our own in-house IBITG-certified GDPR practitioner to ensure we are GDPR-ready ourselves. All our offices (UK and India) are ISO 27001:2013 and Cyber Essentials Plus certified (which covers almost 75% of GDPR requirements), so we are well on the way.