By now, it probably hasn’t escaped the attention of most recruiters, or candidates for that matter, that a significant change is just a little more than a month away. The EU’s General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and affect the way businesses of all kinds collect, store and use personal data.
There are severe penalties for businesses that do not enforce the strict new rules, which apply to any company that holds information about EU consumers. If you were hoping Brexit might give your recruitment agency a reprieve, the UK government has already confirmed that the new rules will be implemented regardless of the form our withdrawal from Europe takes.
What are the GDPR implications for recruiters?
There are a number of key directives of GDPR that will impact the daily work of recruiters and their hiring teams. These include:
- You must have a legitimate interest to process data – The GDPR states that data can only be collected for ‘specified, explicit and legitimate purposes’. That means only candidate data that is job-specific can be sourced, and only if you intend to contact candidates within 30 days.
- You must have consent to process sensitive data – If you want to process data such as cultural, biometric or disability information, or process information for a background check, you must ask for the clear consent of the candidate first. You should also provide clear instructions about how that consent can be withdrawn.
- You must be transparent when processing candidate data – Recruiters must also put clear privacy policies in place and make those available to candidates. It should also be explained where the data is stored and how it will be used.
- You must take responsibility for compliance – If your business is found to be in breach of GDPR then the buck stops with you. You are responsible for who you do business with, so if contractors fail to comply with the law, you will be accountable.
What does GDPR mean for candidates?
GDPR also gives candidates a number of rights they can exercise in regard to the use of their personal information:
- They have ‘the right to be forgotten’ – GDPR will give candidates the right to ask for their personal data to be deleted. Recruiters then have one month from the request to locate all the places that information has been stored and delete it.
- Candidates have the right to access their data – From 25 May, candidates will have the right to ask to see what information recruiters hold about them and request that any inaccuracies are changed. You must provide candidates with an electronic copy of their data and make any corrections within one month.
What should you do now?
With a little more than a month to go until the GDPR comes in, it’s essential you start putting the practical steps in place to ensure your compliance now. Here are some specifics you should focus on…
- Remove any auto opt-ins – Remove any automatic opt-ins and make it clear what data you will hold about candidates and what you will do with it at the point of registration.
- Create a candidate portal – Allowing candidates to manage and edit their own data helps to show a legitimate interest before any information is passed on.
- Keep auditable proof of approval – You should always keep proof of your candidates’ agreement to share their details with a third party. Automating this process can save you a lot of time.
- Create a workflow to delete data – Any candidate can ask to be forgotten or removed, so put a workflow in place to do so.
At DB Charles Recruitment, we will adhere to all the requirements of GDPR when it’s introduced in May and ensure all candidate and client information is stored, collected and used safely. That’s all part of our commitment to becoming the trusted recruitment partner of our clients and candidates.