The EU’s new General Data Protection Regulation (GDPR) – which comes into force on 25th May 2018 – has far-reaching implications for many companies. Its focus on protecting personal data (whether it belongs to our customers, our employees or any other individual resident in the EU) affects everything from marketing and sales to HR and recruitment.
For in-house recruitment teams and those working with recruitment agencies, data provided by candidates falls under GDPR. So we all need to understand our responsibilities and how to handle and process that data in a compliant fashion.
Naturally, as a specialist recruitment agency, we process our candidates’ personal data on a daily basis and therefore have invested a considerable amount of time and resources in becoming GDPR compliant. A key aspect of this is ensuring that our team, the recruiters who use this data when working with candidates and clients, know what processes they must adhere to.
To this end, we thought it would be useful to share what we’ve learned so you can apply this knowledge to your recruitment processes too.
Your candidates’ rights
With GDPR, candidates have more rights than they previously had under the Data Protection Act. However, if your company has already aligned its processes and systems with the Data Protection Act, you’re in a strong position to comply with GDPR. Essentially it all comes down to knowing exactly what personal data you process, where it is, and why you need it. Candidates have the following key rights:
The right to be informed: Under GDPR you must ‘provide fair processing information’. This means informing candidates that you are processing their data, and how you do it. Most companies will already have a Privacy Notice that sets this out; providing candidates with a link to it from an online application form is the best way to ensure they are informed. Of course, you may have sourced a candidate in a different way; perhaps at a networking event, on LinkedIn or via a recruitment agency. In this case you must provide fair processing information within one month, for example by emailing them a link to your company Privacy Notice. Check that your Privacy Notice includes all the information required by GDPR. Further information about GDPR and Privacy Notices can be found on the ICO website here.
The right of access: The right to access their personal data, to have confirmation that your company is processing it, and to access any further data that relates to it is already set out in the Data Protection Act. However, with GDPR there are a couple of differences. The first is that you cannot charge for this information; previously, candidates might have been asked to pay a £10 access fee. The second is that you must respond much faster to their request than before – within a month. This highlights the importance of having a clear picture of where all the data your company processes is stored, so you can access it quickly.
The right to rectification: If, having requested their information, a candidate spots an error, they have the right to have it rectified within one month. For example, if your data contains an incorrect job title, current salary or wrong contact details, you will need to amend this quickly. Companies with large recruitment volumes may find it easier to allow candidates to access and rectify their data themselves. Providing candidates with a login to their personal profile (a candidate portal) is a good way of managing this, and they can also update CVs and other information at their own convenience.
The right to be forgotten (or erasure): Your candidate database is an important asset, but a key requirement of GDPR is that candidates can have their personal data removed if they wish. Again, the time limit for this is one month, although there are some grounds on which you can refuse. For example, you may need to retain personal data to comply with a legal obligation, or if you’re processing their data ‘for the performance of a task carried out in the public interest or in the exercise of official authority.’ While it is most likely that candidate data will not be exempt from a request for erasure, you can find more information about this here.
GDPR and consent
A key aspect of GDPR that you have probably come across is ‘consent’. You may have interpreted this as meaning that candidates need to give you consent to process their data. This is true for certain types of activity: for example, if you planned to add a candidate to your marketing list in the hope that they might buy your products or services, as well as apply for a job!
However, in terms of recruitment, consent to process their data is given implicitly when they apply for a role or upload their details to your candidate portal. Naturally, you must only process this data for this purpose. In GDPR this comes under being ‘able to demonstrate a legitimate interest’, i.e. that you need to process their data in order to shortlist them for interview, or to identify the right opportunity for them.
Best practice for recruitment agencies is to get consent from candidates to process their data, and especially to pass it on to third parties, i.e. our clients / potential employers. It is worth checking that any recruitment agencies you work with have obtained consent from candidates before handling this data. This will provide your business with additional protection against non-compliance.
Of course, another really important aspect of GDPR is having the right systems and processes in place to protect your candidates’ personal data. Often this data contains quite sensitive information that could be used for identity theft or other malicious purposes. A high-profile candidate, whose job search is private, will not want this information getting out into the public domain. As well as risking possible fines for non-compliance in the event of a breach, your company can suffer considerable reputational damage, and damage to its relationships with candidates and employees. Make sure your data is secure.
By Greg Thorpe, managing director at Howett Thorpe