Topics: Recruitment Industry News
Posted on August 29, 2017
Written By QX Global Group
In less than 10 months, GDPR will become a binding law. Recruitment agencies in the UK collect, store and process large amounts of data related to candidates, clients and vendors. While most agencies adhere to the data protection regulations of the countries they operate in (UK Data Protection Act 1998, for instance), GDPR demands much stricter controls. Most businesses are likely to already have processes in place to meet the requirements for consent under the UK DPA, which is guided by the Data Protection Directive 95/46/EC. This directive defines consent as:
‘any freely-given specific and informed indication of [the data subject’s] wishes by which the data subject signifies his agreement to personal data relating to him being processed’.
However, with GDPR, the ‘data subject’ gets a lot more control over the data. Online consent remains a legitimate method of transferring personal data under GDPR, but the rules are a lot more stringent. Read ahead to find out how the definition of ‘consent’ is restricted in GDPR and what impact it will have on the way recruitment companies conduct their business.
This is the second article in the series.
Disclaimer: Please note that these answers are for general information purposes only and do not function as legal advice.
Anonymous data – data that cannot be used to identify individuals – is outside the scope of GDPR. Personal data (name, identification number, location data, genetic data, etc.) that identifies an individual falls under the remit of GDPR. Sensitive personal data, i.e. any data that can reveal race, ethnicity, political opinions, religious beliefs, sexual orientation, etc., also falls under the remit of GDPR, and businesses that process such data face additional restrictions beyond those that apply to general personal data.
When it comes to candidate information, most recruitment agencies process large amounts of personal data and sensitive personal data. As a consequence, GDPR will require a major shift in the way your agency collects, stores, shares, secures, maintains and processes data on a day-to-day basis.
With GDPR, the legal justification for collecting and processing personal data changes. Until now, businesses could rely on passive ‘opt-in’ consent in many cases; for instance, a pre-ticked box on an online form would count as ‘opt-in’ consent. Such methods treat a lack of action (such as not unticking the box) as consent.
GDPR places the burden of proof on the controller and demands methods of consent that ensure an “unambiguous indication of the data subject’s wishes”, demonstrated by “a statement or clear affirmative action.” This can take the form of the subject ticking a box or submitting a written statement consenting to the terms of data use. So no more pre-ticked boxes.
If your agency already uses methods of obtaining consent that provide clear, understandable notice to users on why the data is being collected and the different ways in which it will be processed, you may already be compliant with some parts of GDPR. However, the new regulation places more stringent conditions on the collection of sensitive personal data. As a result, recruitment agencies will, in the future, have to demonstrate the need for collecting such data and unambiguously state how and for what purposes such data shall be processed.
Yes, and it is imperative that by May 25, 2018, all the personal and sensitive personal data you hold is in compliance with the GDPR. This means that recruitment agencies will not only have to update the existing processes pertaining to data collection and management but also revisit existing data and get the necessary permissions from individual candidates and others.
Many agencies are likely to lose at least a portion of their data as it may be difficult to obtain consent for data stored in the past. Some of the key impacts of GDPR on the data you already hold will relate to:
As a consequence of the above, it may not be legal for recruiters to use ‘speccing’ techniques anymore; as consent will need to be taken from candidates to use their data for specific purposes and they will need to be informed when their CVs are shared for different job profiles.
GDPR is a complicated regulation with wide-ranging effects. Recruitment agencies must recruit or hire an external DPO (Data Protection Officer) to ensure compliance with GDPR. Some of the key steps you will need to take include:
In the coming weeks, we will take a close look at various aspects of GDPR that directly impact recruitment agencies. If you are interested in the basics, please read Part 1.
The QX team has been working hard to ensure that our clients and our business are prepared for GDPR before May 2018 and we have our own in-house IBITG certified GDPR practitioner to ensure we are GDPR ready ourselves. All our offices (UK and India) are ISO 27001:2013 and CyberEssentials Plus certified (which covers almost 75% of GDPR requirements) so we are well on the way.
Originally published Aug 29, 2017 09:08:42, updated Jul 23 2024