The clock continues to tick on GDPR. In less than 8 months, GDPR will be in force, and recruitment agencies that are not in compliance could face steep fines. As a regulation that strengthens the protection of personal data for all individuals within the EU, GDPR fundamentally changes how your agency deals with data.
Not only will your business need a specific, documented reason (a lawful basis) to collect and retain data, but you will also need to build mechanisms that let you respond to requests from individuals who want to view the data you hold on them, and who may want to withdraw consent and have the data erased.
GDPR will also have a major impact on how you manage the data and how you share it within your business, with your business partners and other stakeholders. Let’s take a closer look at how this aspect of the regulation will affect recruitment agencies.
Please note: This is the third article in the series.
Part 1 explores the basics of GDPR and its potential impact on recruitment agencies.
Part 2 looks at how recruitment agencies can deal with the GDPR’s laws around data collection and consent.
1) We do not have a central database; different departments and even individuals hold data on their own systems. How do we manage all this data?
A mistake or oversight by a single department or individual can cost your agency a lot of money in GDPR fines. Someone has to own data protection. GDPR (Article 37) makes a Data Protection Officer mandatory only for certain organisations, such as those whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special-category data; a large agency may well fall into that category, and even a small one should appoint a qualified person to the role to ensure that the agency does not hold any data it is not supposed to. You may be able to share this role with other organisations or appoint someone internally to cover it, but they will need to be trained.
The DPO will begin by mapping out every method (trade shows, previous customers, referrals, website registrants, seminars, etc.) your agency uses to collect candidate (and other types of personal) information. The next step is to identify where all this information is stored: digital databases, shared folders, folders on individual PCs and laptops, Excel sheets, accounting software and more. After that, the DPO will map out the flow of data: who shares the data, and with whom.
After this exercise, the DPO may suggest a better way of collecting and storing the data. As GDPR requires businesses to maintain records of their processing activities (Article 30) and expects personal data to be accurate and kept up to date, an overhaul of your existing data management processes may be required.
2) My agency already has a candidate database that contains the details of tens of thousands of individuals. How can I continue to use this data?
Depending on their size, recruitment agencies hold the personal information of thousands or tens of thousands of candidates. A large portion of this has been accumulated over the years. Quite possibly, much of it is neither updated nor accurate, with only 10-20% in daily use. If this describes your database, then you may simply need to let a large part of it go.
This is because GDPR requires a lawful basis for every piece of personal data you process, and for speculative candidate data the basis most agencies rely on is opt-in consent. Your agency must be able to demonstrate that it has the candidates’ permission to hold their personal data. Consent does not last indefinitely: you must state how long you will keep the data (the storage-limitation principle), and it is good practice to refresh consent before that period ends. In addition, the data can only be used for the specific purposes for which the candidates have given their consent.
If you wish to continue using the data you already hold, you need to get it opted in. The simplest method is a ‘Permission Passing’ email campaign: you email your entire database and ask the recipients to give your agency the exact type of permission you need to process their data in compliance with GDPR. One caveat: the ICO has fined companies for sending re-permissioning emails to contacts who had never consented to marketing in the first place, so check the basis on which each contact was originally collected before you mail them.
3) How can I make sure that the fresh candidate data we add to our database is already compliant with GDPR?
Whether you are running a ‘Permission Passing’ campaign or making your current data-gathering processes GDPR compliant, you will need to take the following aspects into consideration:
- Specific purpose(s) for requesting the data
- Duration for which you need to retain the data
- Process for storing and managing the data
- Processes that allow candidates access to their data
- Processes that enable you to delete or edit the data upon request
- Details of the third-party processors with whom you may share the data
In short, recruitment agencies need to make it abundantly clear a) why they want the candidate data and b) how the data will be used. If you are sending out an email to get an ‘opt-in’, all these details and options need to be stated clearly, and consent must be an affirmative action (a ticked box or a click, never a pre-ticked box or silence). The same holds if you are preparing a Terms & Conditions document for new candidates: each specific aspect must be clearly stated, consent must be separable from acceptance of the terms themselves, and you need the candidates’ agreement to it. Your privacy policies also need to be updated to include your legal basis for processing the data.
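The six aspects above boil down to a consent record per candidate that your systems actually consult before processing. As an added illustration (not code from the original article or from QX), here is a small Python consent register: it records purposes, consent date, retention period and named processors, refuses processing outside those bounds, lists records due for erasure, and produces the list for a re-permission mailing. All field names and the sample records are hypothetical.

```python
"""Toy consent register for a candidate database (added example, hypothetical schema)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class ConsentRecord:
    candidate_id: str
    purposes: set                      # purposes the candidate opted in to
    consented_on: date                 # when the affirmative opt-in was recorded
    retention_days: int                # retention period stated at collection time
    processors: set = field(default_factory=set)  # third parties named at consent time
    withdrawn_on: Optional[date] = None  # set when the candidate withdraws consent

    def expires_on(self) -> date:
        return self.consented_on + timedelta(days=self.retention_days)

    def is_active(self, today: date) -> bool:
        """Consent is live only if not withdrawn and still inside the retention period."""
        if self.withdrawn_on is not None and self.withdrawn_on <= today:
            return False
        return today < self.expires_on()


def may_process(rec: ConsentRecord, purpose: str, today: date,
                processor: Optional[str] = None) -> bool:
    """Gate every use: consent must be live, cover this purpose and, if a third
    party is involved, name that processor."""
    if not rec.is_active(today):
        return False
    if purpose not in rec.purposes:
        return False
    if processor is not None and processor not in rec.processors:
        return False
    return True


def due_for_erasure(records, today: date):
    """IDs whose consent lapsed or was withdrawn: delete, do not keep 'just in case'."""
    return sorted(r.candidate_id for r in records if not r.is_active(today))


def refresh_due(records, today: date, warn_days: int = 30):
    """IDs for a re-permission mailing: still active but expiring within warn_days."""
    cutoff = today + timedelta(days=warn_days)
    return sorted(r.candidate_id for r in records
                  if r.is_active(today) and r.expires_on() <= cutoff)


# Constructed sample data (not real candidates)
SAMPLE = [
    ConsentRecord("c001", {"job_matching"}, date(2018, 1, 10), 365, {"payroll-co"}),
    ConsentRecord("c002", {"job_matching", "marketing"}, date(2017, 3, 1), 365),
    ConsentRecord("c003", {"job_matching"}, date(2018, 5, 1), 365,
                  withdrawn_on=date(2018, 6, 1)),
    ConsentRecord("c004", {"job_matching"}, date(2017, 7, 1), 365),
]
TODAY = date(2018, 6, 15)

if __name__ == "__main__":
    print("erase:", due_for_erasure(SAMPLE, TODAY))
    print("re-permission:", refresh_due(SAMPLE, TODAY))
    print("c001 marketing allowed?", may_process(SAMPLE[0], "marketing", TODAY))
```

The point of the register is that purpose, duration and named processors are checked by code at the moment of use, rather than existing only in a privacy notice; a record that fails `is_active` is a deletion task, not a candidate.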
4) My agency needs to share certain candidate information with third parties like RPO, payroll and umbrella companies. How will GDPR affect this?
As a recruitment agency, you act as a data controller in most instances, while the third-party suppliers act as data processors. While data processors had limited obligations under the previous data protection laws, under GDPR they are directly responsible for their own compliance.
The ICO has clear guidance on how this data sharing can be carried out, and GDPR heavily regulates the relationship between the two parties sharing the data. GDPR will also affect the data you receive from, or automatically scrape from, job sites. Article 28 (“Processor”) requires a data controller to use only processors that provide sufficient guarantees of implementing appropriate technical and organisational measures, and requires the relationship to be governed by a written contract setting out the subject matter, duration, nature and purpose of the processing.
As a consequence, you will have to evaluate the preparedness of your third-party suppliers and revisit the data sharing agreements with them. As long as you have a legal basis for sharing the data and you comply with GDPR, you can continue to share the data with the processors.
5) Does all this mean that we cannot use automation for the recruitment process?
Most recruiters use some form of automation to filter job applicants for a specific vacancy. Some agencies use more complex forms of automation to improve and speed up the recruitment process. Under the current data protection rules, candidates can already ask agencies not to make automated decisions using their personal data.
With GDPR, this rule becomes more stringent. Article 22 gives candidates the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them, and automatically rejecting an application is such a decision. You may make such decisions only with the candidate’s explicit consent (or where another Article 22 exception applies), and even then you must offer human review on request. You will also need to explain to the candidate, in your privacy notice, that this processing takes place, the logic involved and its consequences. So, if your agency wants to continue using this type of automation, you will need to make your processes transparent and get explicit consent from the candidates first.
Stay tuned for more on GDPR and recruitment
In the coming weeks, we will take a close look at various aspects of GDPR that directly impact recruitment agencies, including the impact on businesses that outsource their payroll, RPO or other functions.
The QX team has been working hard to ensure that our clients and our business are prepared for GDPR before May 2018, and we have our own in-house IBITG certified GDPR practitioner to ensure we are GDPR ready ourselves. All our offices (UK and India) are ISO 27001:2013 and Cyber Essentials Plus certified (which covers almost 75% of GDPR requirements), so we are well on the way.
Legal disclaimer: Please note that the above is for general information purposes only and does not function as legal advice.