As part of our on-going series of breakfast forum events that we host for in house recruiters in the North East (UK), Muckle LLP led us through the upcoming GDPR regulations, and specifically how this affects recruiters.
However, we feel that if you are currently following best practice, with a few tweaks and a bit of due diligence, May 2018 shouldn’t fill you with dread.
- Understand and map each piece of data
- Think – why are you using the data, how long do you need it for?
- Have you got explicit consent?
- Do your third-party suppliers have consent?
- Refresh your data
The ICO provides more detail on helping you prepare.
Fair, lawful and transparent processing
Personal data must be processed lawfully, fairly and in a transparent manner.
Personal data may only be collected for a specific, explicit and legitimate purpose. If you pool candidates for example, you’ll need to check with the individual.
Limit the data stored to only what is necessary.
You must ensure data is accurate, and an individual has the right to challenge or update their data.
Data retention periods
You must not keep data for longer than necessary – in recruitment that may be a year, but you need to be able to justify this and refresh consent where appropriate.
You must protect against unauthorised or unlawful access to your data, using technical measures and appropriate processes.
The controller (probably you!) is responsible for and must be able to demonstrate compliance.
As a recruiter, you need to be aware of how GDPR will affect your processes. It is an area your wider organisation should be looking at, so find out who is responsible and ensure that there is a strategy in place to make sure you are compliant.
There are plenty of specialist legal resources available that can help, and organisations such as the Recruitment & Employment Confederation (REC) are running workshops and providing legal advice.