Most recruitment agencies in the UK outsource several non-core functions to offshore destinations. These can range from payroll & accounting to resourcing, screening, reference checks, hiring, out of hours and more. A large number of these activities require organisations and individuals based in offshore locations like India to process data that belongs to ‘data subjects’ from the UK and EU.
As a ‘Data Controller,’ recruitment agencies are bound by GDPR Article 28 to provide sufficient guarantees regarding the processor. Article 28 clearly states that: “[data controllers] shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”.
Essentially, this means that recruitment agencies using offshore service providers (who are ‘Data Processors’ in this case) will have to conduct due diligence and ensure that their vendors comply with GDPR. Let’s take a closer look at the implications of GDPR on recruitment outsourcing.
Please note: This is the fourth article in the series.
- Part 1 explores the basics of GDPR and its potential impact on recruitment agencies.
- Part 2 looks at how recruitment agencies can deal with the GDPR’s laws around data collection and consent.
- Part 3 sheds light on how recruitment agencies can manage and share data in compliance with GDPR.
1) Can I continue to outsource back-office, recruitment and accounting functions after GDPR?
Yes, recruitment agencies and other businesses can continue to outsource recruitment, F&A, payroll and other back-office functions after GDPR comes into force on May 25 2018. However, GDPR expects that the ‘Data Controller’ – recruitment agencies in this case – carefully evaluates the outsourcing services provider and makes sure they comply with GDPR.
In addition, the recruitment agency needs to inform the candidates that it will be using sub-contractors in offshore locations to process their data, and also obtain consent for this. Many agencies may already have obtained such consent as part of compliance with the UK Data Protection Act. However, GDPR applies more stringent rules and puts greater responsibility on the agency as well as the outsourcing services supplier. If the offshore company uses other sub-contractors for the same tasks, the same data protection rules apply to the sub-processor.
2) Is my organisation required to inform vendors, clients and candidates about the fact that their data is processed offshore?
Yes, under GDPR it will be compulsory for recruitment agencies to obtain consent from the candidates for processing personal data for one or more specific purposes. This means that when recruitment agencies obtain consent, they must clearly state the purpose for which the information will be used.
For instance, if you are transferring the data offshore to a third party, this needs to be made clear. And even if the data is processed from offshore locations by a third party on your own system, you must make it clear to the data subjects that their data is being processed offshore.
3) How does GDPR impact the relationship / contract between a recruitment agency and offshore services provider?
In order to ensure the offshore service provider’s compliance with GDPR, recruitment agencies should ideally redraft existing contracts to include GDPR compliance as a part of the agreement. For any new offshore contracts, it is essential to choose a provider that can clearly demonstrate the ability to comply with GDPR and guarantee compliance. The contract must clearly state that the data processor:
- shall only act on the controller's instructions
- must ensure the security of the personal data that it processes
- must notify any data breach to the controller without undue delay
In addition, the offshore service provider will have to ensure confidentiality on the part of all personnel who process relevant data, follow the rules regarding the appointment of sub-processors, help the agency in complying with the rights of the data subject, have systems in place to return or destroy data on instructions from the controller (agency), protect personal data, regularly test security, and provide any information that the controller may require to demonstrate compliance with GDPR.
So, it is imperative that recruitment agencies make sure that their offshore services provider has the capacity, ability and willingness to comply with GDPR. In certain cases, liability and indemnity clauses may be necessary to define responsibility in case of a violation of GDPR. At the same time, both the agency and the contractor should consider having contingency plans in place, for example insurance agreements.
4) How can recruitment agencies make sure that their outsourcing partners comply with GDPR?
Outsourcing firms processing data that belongs to EU data subjects have clear obligations under GDPR as ‘Data Processors’. In the case of existing partners, agencies must assess the existing data processing controls and check whether any amendments are required to embed compliance with GDPR. Ideally, the outsourcing partner will have appointed a DPO and made preparations to be GDPR compliant by 25 May 2018.
Outsourcing vendors that already comply with the UK Data Protection Act and hold certifications like Cyber Essentials Plus and ISO 27001 will already have a certain level of readiness for the new law. As GDPR comes with more stringent clauses for data storage, recording, security and confidentiality, data processors will need to ensure that they are able to fulfil the new obligations set by GDPR.
This includes the appointment of an internal DPO (Data Protection Officer), setting up an official breach response plan, setting up the controls necessary for international data transfers, adherence to DPIA (Data Protection Impact Assessment) requirements, and agreement to follow the ICO (Information Commissioner's Office) guidelines around GDPR best practices.
Get in touch for more on GDPR for recruitment agencies
The QX team has been working hard to ensure that our clients and our business are prepared for GDPR before May 2018 and we have our own in-house IBITG certified GDPR practitioner to ensure we are GDPR ready ourselves. All our offices (UK and India) are ISO 27001:2013 and CyberEssentials Plus certified (which covers almost 75% of GDPR requirements) so we are well on the way. We are also on the path to get ourselves certified for BS 10012:2017 by British Standards Institute, which is an industry standard Personal Information Management System and is the closest auditable compliance standard to GDPR.
We serve several leading recruitment agencies in the UK and have the solutions in place to help them manage outsourcing after GDPR. Our team is also consulting with non-client agencies in the UK and EU to help them identify and formulate a response to the issues that GDPR can create. Don’t hesitate to get in touch with us for any queries you may have around this.
Legal disclaimer: Please note that the above is for general information purposes only and does not function as legal advice.