Have you heard about GDPR? Did you know it came into effect on 25th May 2018 and it will impact everybody working in recruitment?
GDPR, or the General Data Protection Regulation, will replace the current Data Protection Act and is a new piece of EU legislation which seeks to strengthen and unify data protection for individuals in the EU, giving them greater control over personal information.
The outcome of Brexit will NOT affect its introduction in the UK.
These changes will impact how recruiters, recruitment businesses and recruitment technology companies process candidate and client data. A breach of the new regulations could result in fines of up to 4% of global annual turnover or €20 million (whichever is greater) – I bet that caught your attention!
In truth, it’s not about fines, it’s about putting the consumer and citizen first, and we have seen recently that the reputational damage of a data breach can have a massive impact.
It’s also worth remembering that GDPR shouldn’t be perceived as a burden, but more about bringing accountability around best practice and ethical behaviour when handling personal data.
So firstly, what do we mean by personal data?
Personally Identifiable Information (PII) is any data that relates to or identifies a living person. This includes obvious things like name, email address and video interviews, but did you know it also includes biometric data, social network posts and location data such as IP address?
There are a few key principles you need to bear in mind:
Data must be collected for specified, explicit and legitimate purposes
You can only use data for a clearly defined purpose. If a candidate puts their details forward for a job, you can’t then use those details for an unrelated purpose.
The data collected must be adequate, relevant and only what is necessary for the purpose. You must be able to prove a valid reason, and not keep the data longer than necessary.
Explicit consent must be given by an individual
Consent must be freely given and for a specific reason. You must be able to prove consent, and you are not allowed to have a box that is ‘pre-ticked’.
Rights of individuals
Individuals have the right to view any personal data that is held on them and they can ensure it is accurate and up to date. You can no longer charge an admin fee for this. Individuals have a right to be forgotten and the onus is on you to prove that retaining the data is a necessity (e.g. for legal reasons), or to delete the data.
There is also a new right to data portability, which means individuals can ask to have all their data moved to a different controller (recruiter) in a structured, timely and machine-readable format.
You must ensure that you have implemented a level of security which is appropriate to the risk. This could include encryption, testing and evaluation of security measures, and ensuring that any software being implemented is future-proof and compliant with GDPR.
How will GDPR affect your recruitment process?
- Make sure you know where candidate data is coming from and that they have opted in. You may need to prove this.
- Ensure your data is up to date and accurate.
- Make sure you understand how third parties use your data.
- You will need to maintain an audit trail to show how CVs have been sourced.
- If you employ more than 250 employees, you may need to appoint a Data Protection Officer.
- Delete old CVs and other data that is no longer needed.
- Be aware that if you are using automation to process candidates, they have the right to human input / oversight and can appeal decisions. This could include anything from sifting CVs through to behavioural and predictive analytics, and you must be explicit and transparent about the criteria being applied.
Working with external suppliers
If you currently collect and process personal data on behalf of another company, for example an RPO arrangement, or a recruitment technology platform, you will now have direct responsibility for your own compliance with GDPR. For us at Shine, that means working with our clients to ensure that data sharing is GDPR compliant.
As an in-house recruiter, in addition to reviewing internal policies, you may need to review your contracts and working practices with third parties. Using data from job boards will need particular attention.
What if there is a breach?
In the UK, the Information Commissioner’s Office (ICO) is responsible for enforcement.
Under GDPR, there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms without undue delay and, where feasible, no later than 72 hours after becoming aware of it.
The ICO will not need to receive comprehensive reports straight away, but they will expect to understand the potential scope and cause of the breach, plus mitigation plans.
As a recruiter, you need to be aware of how GDPR will affect your processes. It is an area your wider organisation should be looking at, so find out who is responsible and ensure that there is a strategy in place to make sure you are compliant.
There are plenty of specialist legal resources available that can help, and organisations such as the Recruitment & Employment Confederation (REC) are running workshops and providing legal advice.