The GDPR and the recruitment industry – now is the time to comply.
The GDPR will significantly change and update the data protection regime in the UK. The GDPR changes the current legal bases which are used to justify collecting and processing personal data, and requires additional transparency in informing individuals about when (and why) their data is collected, processed and transferred.
Up until this point, data protection in the recruitment industry has been manageable. From May 2018 however, industry participants will have to ensure that the databases and processes they use to store and process personal data are compliant with the General Data Protection Regulation (and reconsider how they intend to use personal data going forward.)
Recruitment agencies who maintain a database of personal data are “data controllers” under the scope of the Regulation. “Personal data” under the GDPR is defined by the European Commission as “is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
The only feasible way to ensure compliance for traditional recruiters is to re-solicit candidates to join their GDPR compliant database, and such consent being obtained in a GDPR compliant form.
“The first thing businesses should be doing is reviewing how they collect and use information, and really questioning the relevance of the data they are collecting,” said Brad Taylor, head of people at the CIPD.
“They will have to be sure they have consent to collect information, and that the people who own that information are absolutely clear about what they are supplying, and how it will be used. Employers have a responsibility to make sure their staff across the entire organisation are aware of the regulatory changes coming in, and have a heightened sense of their own internal radar and anything that might be out of the usual.”
There is a new right to have personal data erased where the data is no longer required, where consent is withdrawn or if the processing is unlawful. The proposed Data Protection Bill will give candidates the right to request that social media companies delete personal information held about them, potentially improving their chances of landing a dream job. As a recent Yougov study found that one in five employers had rejected a candidate because of their online posts, some candidates will be grateful for the chance to delete evidence of their past.
Potential changes to the law will force internet companies – social media sites amongst them – to be more responsible about how they collect and utilise data, including photos and status posts. If they don’t, they risk a £17million fine.
With so much detail to go into GDPR, we recommend you get ahead of the game and find out where you stand today. May will be here before we know it.