By now, the introduction of the EU’s General Data Protection Regulation (GDPR) in 2018 is a distant memory and something that most are used to. However, it is worth keeping in mind the significance of the rules and their effects on any business that collects, stores and uses personal data.
There are severe penalties for businesses that do not enforce these rules, and they apply to any company that holds information about EU consumers. Many were hoping Brexit might have given recruitment agencies and businesses a reprieve, but the UK government confirmed that the rules would be implemented regardless of Brexit and its timescales.
What were the GDPR implications for recruiters?
There were a number of key directives of GDPR that impacted the daily work of recruiters and their hiring teams. They included:
- You must have a legitimate interest to process data – The GDPR states that data can only be collected for ‘specified, explicit and legitimate purposes’. That means only candidate data that is job-specific can be sourced, and only if you intend to contact candidates within 30 days.
- You must have consent to process sensitive data – If you want to process data such as cultural, biometric or disability information, or process information for a background check, you must ask for the clear consent of the candidate first. You should also provide clear instructions about how that consent can be withdrawn.
- You must be transparent when processing candidate data – Recruiters must have clear privacy policies in place and make those available to candidates. It should also be explained where the data is stored and how it will be used.
- You must take responsibility for compliance – If your business is found to be in breach of GDPR then the buck stops with you. You are responsible for who you do business with, so if contractors fail to comply with the law, you will be accountable.
What did GDPR mean for candidates?
GDPR gave candidates a number of rights they could exercise in regard to the use of their personal information:
- They have ‘the right to be forgotten’ – GDPR gave candidates the right to ask for their personal data to be deleted. Recruiters then have one month from the request to locate all the places that information has been stored and delete it.
- Candidates have the right to access their data – From 25th May 2018, candidates had the right to ask to see what information recruiters hold about them and request that any inaccuracies are changed. You must provide candidates with an electronic copy of their data and make any corrections within one month.
What should you continue to do now?
Here are some best practices you should continue to focus on…
- Remove auto opt-ins – Remove any automatic opt-ins and make it clear what data you will hold about candidates and what you will do with it at the point of registration.
- Create a candidate portal – Allowing candidates to manage and edit their own data helps to show a legitimate interest before any information is passed on.
- Keep auditable proof of approval – You should always keep proof of your candidates’ agreement to share their details with a third party. Automating this process can save you a lot of time.
- Create a workflow to delete data – Any candidate can ask to be forgotten or removed, so put a workflow in place to do so.
At DB Charles Recruitment, we adhere to all the requirements of GDPR and ensure all candidate and client information is stored, collected and used safely. That’s all part of our commitment to becoming the trusted recruitment partner of our clients and candidates.