As the clock continues to tick on GDPR, it will not be long before the laws governing data protection in every European Union country are affected by the most significant changes in more than two decades.
On May 25th 2018, the EU General Data Protection Regulation (GDPR) will replace all current data protection laws in every European Union country, and recruitment agencies that are not in compliance could face steep fines.
One of the most significant impacts of GDPR will be on how we all manage the data we hold and how we share it with our business partners, especially any offshore recruitment services (ORS) partner.
It is vital that we and any recruitment outsourcing partner fully comprehend that the EU recognises a person’s right to the protection of their personal data as a fundamental human right and therefore GDPR will forever change how any recruitment agency and their partners deal with data.
So, what are the impacts of GDPR on your relationship with overseas partners?
In order to fully understand the impact of GDPR on any working relationship with an overseas partner, it is essential to fully understand who is responsible for each part of the process:
- Data Controller – the entity that determines the purposes, conditions and means of the processing of personal data – the recruitment agency.
- Data Processor – the entity that processes data on behalf of the data controller – the overseas recruitment services partner.
- Data Subject – a natural person whose personal data is processed by a controller or processor – the candidates.
When working with an overseas recruitment partner (Data Processor) a large number of the activities they conduct on behalf of a recruitment agency (Data Controller) will require organisations and individuals based in offshore locations, such as India, to process data that belongs to data subjects (the Candidates) from the UK and EU.
As data controllers, recruitment agencies are bound by GDPR Article 28 to provide sufficient guarantees regarding the data processor (the overseas recruitment services partner), and the recruitment agency has ultimate responsibility for ensuring that the relationship does not breach any rules.
Article 28 clearly states that:
“[data controllers] shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”.
Therefore, it is essential that recruitment agencies using offshore recruitment service providers have carried out due diligence and evaluated any partner to ensure that they comply fully with GDPR. This is especially true if the partner sub-contracts any of the work, as the data protection laws apply to sub-processors as well.
In order to ensure the offshore service provider’s compliance with GDPR, recruitment agencies need to review all existing contracts and make provision for GDPR compliance as part of the agreement.
For new offshore contracts, it is imperative that recruitment agencies make sure their offshore services provider has the capacity, demonstrable ability and willingness to guarantee full compliance with GDPR.
You will want to work with a partner that employs a Data Protection Officer who is an expert in GDPR, has established official infringement response plans and has in place the controls necessary for international data transfers.
In addition, the offshore recruitment service provider will need to demonstrate how they will ensure confidentiality, maintain high levels of security, follow rules regarding appointment of sub-processors, help the agency to comply with regulations and have systems in place to protect personal data and return or destroy data if requested.
There is certainly no doubt that the need to pick the right overseas outsourcing partner is even more crucial as GDPR applies more stringent rules and puts greater responsibility on the recruitment agency, as well as the outsourcing services supplier. However, with the right approach you will be able to select a partner who’s already shown their commitment to meeting high standards for data storage, recording, security and confidentiality.