GDPR - Time to Act?
Guy Deterding, managing director of Nasstar For Recruitment, talks to Recruitment International about what the new General Data Protection Regulations mean for recruiters, and why they should start preparing now.
The new General Data Protection Regulations (GDPR) will come into force, across the EU, in May 2018. The UK Government have now confirmed that GDPR will apply across the UK, whether we are in the EU or not. This means that all personal data of any UK- or EU-based individual (e.g. candidate, employee or client contact) must be managed in accordance with the new regulations, or face a fine of €20M (or 4% of global turnover).
All recruitment agencies doing business in the EU, or the UK, will need to adhere to these regulations for all candidates by May 2018. This deadline may seem like a long time off, but how many candidates do you have on your database? 50k, 70k, 100k, more? When did you last contact them? Are you prepared to take the risk of an eye-watering fine, or is it more sensible to remove older candidates that you are unable to contact? If so, then it makes sense to start the process now.
What does GDPR require recruiters to do? In summary:
- Any personal data you hold requires explicit (not implied) consent from the candidate (or client contact).
- Data must be requested in clear and plain language and asked for in a distinctive "standalone" fashion.
- The data must be freely given, rather than under the duress of not being able to access your services.
- You must allow candidates to see their own data and to obtain a copy of any data you hold about them in a commonly readable format (the right to data portability).
- You must delete data when a candidate asks you to (the "right to be forgotten").
- You must notify the Information Commissioner's Office (in the UK), and the affected individuals, of data breaches within 72 hours.
If you do decide to act, what should you do next?
Given that the clock is ticking somewhat, the first thing to get on with is to gather consent from all new candidates. This initial step will ensure that all candidates, from this point on, have given appropriate consent. The obvious way to achieve this is to ensure your candidate portal (on your website or app) gathers the appropriate consent (no pre-ticked boxes please), and to drive all new candidate traffic through your portal.
Once this is in place, you should aim to get consent from existing candidates. Work out how you will approach current candidates to gather consent (and updated details) from them. This could be as simple as asking all existing candidates to re-register or update their details via your portal, gathering consent at the same time. Any candidate who has not done so by May 2018 should be removed from the database.
Managing your records
You will need to be able to respond to requests to delete (or view/transfer) records. This will need to include working out what you can continue to hold in your records (e.g. if you have placed a candidate). Candidates should be able to request this through your portal, and the process should be automated, to ensure no manual overhead for staff.
If you are planning any changes to your processes or systems, then you will need to ensure you have "best practice" security measures in place to protect data. If you suffer a personal data breach it will be essential to show you have taken appropriate steps to secure it (nothing is 100% secure). This will require a detailed conversation with your IT provider - whether third party or internal.
Last, but not least, you may need to appoint a data protection officer. This is a requirement if you sell goods or services to EU (or UK) citizens. Which businesses will need to make an appointment has yet to be clarified but this is certainly something to keep an eye on.
In essence, the requirement for candidate data is a fully functional portal, where candidates can register and update (or delete) their data. Requiring the candidate to do the work ensures accuracy and consent. It also delivers a level of service that many candidates expect now.
Don't forget that GDPR will also cover employees and client contacts. I don't think this will require major changes but simply a few tweaks to associated processes to make sure you are covered.