Impact of GDPR on recruitment agencies

There is certainly no escaping that around the corner is one of the biggest changes and challenges facing recruitment agencies today – the European Union’s General Data Protection Regulation (GDPR). Let’s face it, for recruitment agencies data is king and the GDPR will influence how every agency collects, handles and keeps candidate data in the biggest shake-up of online privacy regulations ever.

Let’s start at the beginning

GDPR is intended as a replacement for the current Data Protection Directive 95/46/EC and will become effective on 25th May 2018. Devised to protect European citizens’ personal data, it is compulsory for all organisations across the globe, even those based outside the EU, that process the personal data of EU residents. So, essentially, using an EU citizen’s personal data without their explicit consent will be against the law. Breaking the law can result in fines of up to €20 million or 4% of the company’s global turnover (whichever is greater). Interestingly, although the UK is heading towards Brexit and GDPR is a European piece of legislation, it looks like it will be unaffected by the UK leaving the EU.

It’s not just about storing a candidate’s email address or CV either

The European Commission has said:

“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

So basically it includes everything. Firstly, under the new legislation a candidate will have to give consent for their personal data to be collected. Secondly, you have to be totally transparent about how the data will be used, and thirdly, candidates can ask for their data to be removed at any time. Furthermore, recruitment agencies will be fully accountable for the protection and security of the data, and for access to it by any third parties.

Whilst it all seems totally daunting, the good news is that if the new legislation is executed accurately you can still use personal data to discover all you need about your candidates. However, one of the central compulsory obligations for a recruitment agency will be obtaining explicit consent for every single usage of personal data.

The days of getting candidates to tick a box which gives consent to everything will be long gone, and you won’t be able to hide behind lots of small print or terms and conditions either. Every candidate will have to actively give explicit consent through easily accessible and comprehensive forms. The forms will need to openly declare the purpose of collecting the candidate’s data and how you will use it and store it safely. Allowing candidates access to review their data at any time, with the option to ask for updates, will also be key.

The ‘right to be forgotten’ or ‘right to erasure’ is another principal change of the legislation, so offering candidates the option to request that their data be erased will be essential. One of the most significant criteria of GDPR will be the need for a ‘paper trail’ regarding your data management. Recruitment agencies will find it paramount to have a centralised system that handles all candidate data and allows the monitoring of how data is being collected, stored and used.

What is clear is that the candidate experience will become even more paramount. However, by complying with the new regulations and communicating the processes undertaken in a clear and transparent manner, recruitment agencies can show trustworthiness and reliability, which in turn will build loyalty from their candidates.
