There’s been a great deal of media coverage regarding GDPR and specifically the implications for Recruitment, HR firms and brands directly. As the bill comes into law on the 25th May this year, we examine what those companies need to address before then.
With less than four months from implementation date, it’s safe to say there is still plenty of debate about what the implications will be and even more discussion about what recruiters need to do to avoid suffering the consequences of non compliance as well as exploiting any possible opportunities.
Individuals will have wider rights of access and information and any inaccuracies must be rectified without undue delay, so naturally HR files and CV’s are directly affected. Recruiters deal with a great deal of personal and sometimes sensitive and health related data on a daily basis and need to grasp and comply with the new articles and recitals, especially as there will be increased penalties for non-compliance. With numerous high-profile campaigns by the ICO every business needs to be aware that GDPR represents the biggest change in privacy legislation for over 20 years and repeals the Data Protection Directive 95/46/EC and overrides the outdated Data Protection Act 1998.
Your obligation to candidates
The law applies to almost every organisation, large or small and especially those handling high risk or sensitive data, but excludes Government agencies dealing with crime and security. Recruitment firms manage a lot of personal information, including both client and candidate data and GDPR demands that such information is gathered, used, stored and disposed of according to its rulings. If any individual information is compromised, the supervisory authority needs to be notified within 72 hours. Businesses that fail to comply could face fines of up to 4% of their annual global turnover. The more serious the infraction, the higher the fine. For an average SME, that’s a £120,000 mistake, not counting brand damage or adverse PR, which could easily double that figure. In reality, if your agency is complying with the current Data Protection Act (DPA), the majority of your approach will assist you well under the new laws.
Impact Assessments for Recruiters
Impact Assessments are a great way to identify your current situation and should easily highlight weak areas in your data handling strategy and provide the foundation for building trust and demonstrating compliance. They also identify all places in and outside of your organisation where personal data is gathered, processed and stored. It’s often surprising where data gets processed with digital collection channels that HR companies employ and it involves processes, data management and documentation – so if you think this doesn’t apply to you, you’re wrong!
Included in the definition of personal data is a subset of data known as “special categories of personal data.” Special categories of personal data is a specific list of data, expressly set out in the GDPR, and can include things like race, religion, political opinions, health data, etc. All of which Recruiters may often have access to from CV’s or Social media linked accounts.
The actual GDPR definition of personal data is broader and more detailed than it was previously. It now includes online identifiers (such as IP addresses and other unique online or device IDs), identification numbers and location data, as well as pseudonymised (e.g. encrypted or hashed) personal data. Paragraphs (a) and (b) make it clear that information that is held on computer, or is intended to be held on computer, is data. So data is also information recorded on paper if you intend to put it on computer!
The act of “speccing” candidates will also come under further scrutiny within the new regulations. GDPR mandates that the sharing of personal data cannot be on a basis of implied consent; such as job boards, and must come directly from the candidate themselves. This will inevitably impact some recruitment processes but best practice dictates that you should always wait for a candidate’s permission before “speccing” their CV.
GDPR – best practice
It’s also good practice to audit each dataset you hold to ensure you understand; who is responsible for it – to understand if you are the controller, a joint controller or processor. The Impact Assessment process also should identify those specific categories of data (personal, sensitive, special category etc) where it came from and who it is shared with. The lawful basis upon which you are processing it, what data is stored and where, is it correct and complete and where is it backed up? The audit should also identify who has access to it, why and how is that access logged and indeed retracted? Really these are questions that brands or data owners should have been asking themselves all along, but the first step is always the hardest on a long journey. The phrase from recruiters often wheeled out, that “we’ll keep your CV on file” – has never been more pertinent, or more risky.
GDPR – summary & opportunity
As a footnote, it’s imperative that senior recruiters educate all their employees about GDPR and its impact on the collection and handling of customers’ personal data, the likelihood of breach is almost universally caused by a lack of knowledge than by intention. GDPR provides recruitment agencies the opportunity to clarify their internal processes and become more transparent to candidates.