In less than 10 months, GDPR will become a binding law. Recruitment agencies in the UK collect, store and process large amounts of data related to candidates, clients and vendors. While most agencies adhere to the data protection regulations of the countries they operate in (UK Data Protection Act 1998, for instance), GDPR demands much stricter controls. Most businesses are likely to already have processes in place to meet the requirements for consent under the UK DPA, which is guided by the Data Protection Directive 95/46/EC. This directive defines consent as:
‘any freely-given specific and informed indication of [the data subject’s] wishes by which the data subject signifies his agreement to personal data relating to him being processed’.
However, with GDPR, the ‘data subject’ gets a lot more control over the data. Online consent remains a legitimate method of transferring personal data under GDPR, but the rules are a lot more stringent. Read ahead to find out how the definition of ‘consent’ is restricted in GDPR and what impact it will have on the way recruitment companies conduct their business.
This is the second article in the series. Part 1 explores the basics of GDPR and its potential impact on recruitment agencies. Please note that these answers are for general information purposes only and do not function as legal advice.
1. Which types of data collected by recruitment agencies will be affected by GDPR?
Anonymous data – data that cannot be used to identify individuals – is outside the scope of GDPR. Personal data (name, identification number, location data, genetic data, etc.) that identifies an individual falls under the remit of GDPR. Sensitive personal data, i.e. any data that can reveal race, ethnicity, political opinions, religious beliefs, sexual orientation, etc., also falls under the remit of GDPR, and businesses that process such data will face additional restrictions beyond those that apply to general personal data.
When it comes to candidate information, most recruitment agencies process large amounts of personal data and sensitive personal data. As a consequence, GDPR will require a major shift in the way your agency collects, stores, shares, secures, maintains and processes data on a day-to-day basis.
2. My recruitment agency already obtains consent for the data we process, what changes with GDPR?
With GDPR, the legal justification for collecting and processing personal data changes. Until now, businesses could in many cases rely on non-action ‘opt-in’ consent; for instance, a pre-ticked box on an online form would count as ‘opt-in’ consent. Such methods treat a lack of action (such as not unticking the box) as consent.
GDPR places the burden of proof on the controller and demands methods of consent that ensure an “unambiguous indication of the data subject’s wishes” demonstrated by “a statement or clear affirmative action.” This can take the form of the subject ticking a box or submitting a written statement consenting to the terms of data use. So no more pre-ticked boxes.
If your agency already uses methods of obtaining consent that provide clear, understandable notice to users on why the data is being collected and the different ways in which it will be processed, you may already be compliant with some parts of GDPR. However, the new regulation places more stringent conditions on the collection of sensitive personal data. As a result, recruitment agencies will in future have to demonstrate the need for collecting such data and state unambiguously how and for what purposes it will be processed.
3. Do the GDPR rules around consent also apply to the data that recruitment agencies already hold?
Yes, and it is imperative that by May 25, 2018, all the personal and sensitive personal data you hold is in compliance with the GDPR. This means that recruitment agencies will not only have to update the existing processes pertaining to data collection and management but also revisit existing data and get the necessary permissions from individual candidates and others.
Many agencies are likely to lose at least a portion of their data as it may be difficult to obtain consent for data stored in the past. Some of the key impacts of GDPR on the data you already hold will relate to:
- Taking permission for using personal data for purposes other than specified earlier
- Providing individuals with the ability to view their existing data on your system
- Honoring requests from data subjects who revoke consent and want you to erase the data
As a consequence of the above, it may no longer be legal for recruiters to use ‘speccing’ techniques, as consent will need to be obtained from candidates to use their data for specific purposes, and they will need to be informed when their CVs are shared for different job profiles.
4. How can I ensure that the data my agency holds complies with GDPR?
GDPR is a complicated regulation with wide-ranging effects. Recruitment agencies must appoint a DPO (Data Protection Officer), either in-house or external, to ensure compliance with GDPR. Some of the key steps you will need to take include:
- Raise awareness of GDPR in your organization and emphasize the importance of safeguarding personal data to your team.
- Conduct an information audit to document what data you hold, how it was collected, how it is shared and what level of consent you have.
- Identify the legal basis on which you can seek consent for collecting personal and sensitive data.
- Modify your privacy information and consent forms to ensure that the new data you collect adheres to the regulation.
- Set up and implement procedures that make it possible to honour access requests and to edit or delete personal data.
- Shore up your data security and put procedures in place for detecting, investigating and reporting breaches of personal data.
Stay tuned for more on GDPR and recruitment
In the coming weeks, we will take a close look at various aspects of GDPR that directly impact recruitment agencies. If you are interested in the basics, please read Part 1.
The QX team has been working hard to ensure that our clients and our business are prepared for GDPR before May 2018, and we have our own in-house IBITG certified GDPR practitioner to ensure we are GDPR ready ourselves. All our offices (UK and India) are ISO 27001:2013 and Cyber Essentials Plus certified (which covers almost 75% of GDPR requirements), so we are well on the way.