GDPR, the new data protection regulation, comes into play on the 25th May 2018.
Recruitment businesses who don’t prepare before the deadline will find it comes back to haunt them.
GDPR is going to have a huge effect on the way you run your recruitment business. On a day-to-day basis, your team deal with a lot of personal data. Therefore it is vital that they know, understand and comply with the new regulations.
To help you out, we’ve pulled together the five steps you need to take to become GDPR-ready.
1. Processing Personal Data and Obtaining Consent
Come May 2018, the type of consent you need from an individual to process their data will change.
Many recruiters will be used to receiving implied consent to justify processing someone’s information – this might be a verbal agreement over the phone, or the assumption that it’s ok because they’ve been in contact.
When GDPR comes into play, you will be required to have explicit consent from an individual to process their data. This applies to both future contacts and existing ones.
So how can you prepare for this?
- Take a look at your current opt-in statement (if you have one). Does it require the individual to tick a box confirming they are happy for you to use their data and to contact them in the future? If it doesn’t, you need to update it. The consent form must be laid out clearly, and they must have the option to withdraw their data.
- Contact your current database, explaining that you need them to give explicit consent to continue receiving information from you. You can send them a form to fill out, or direct them to a webpage where they click to confirm.
- Ask your existing candidates to re-register with you, so that you can obtain explicit consent from them to continue working together moving forward.
- Start this now. Regardless of whether your database has 50 or 5,000 entries, this process can take a long time and, come May 2018, you will no longer be able to use the data of anyone you don’t receive explicit consent from.
NB. You must also make it clear in this process how you will collect and use personal data.
2. Data Sharing Under GDPR
If you share any data with a third party company, you’ll be expected to have a more regulated data sharing policy in place.
Many recruitment agencies share their contractor data with RPO companies, umbrella companies or payroll companies. If your agency falls into this category, you’ll need to review and potentially update your relationships with all your third party suppliers to ensure they also meet GDPR’s requirements.
It must be clear to your third party providers that you own the data, and that they are not eligible to use it outside of the agreed terms.
You must also make your intention to share data clear to anyone who will be affected, e.g. your candidates.
3. GDPR Data Processing
The people who will be most affected by GDPR at your recruitment business will be those who act as a data processor. This might be the person who shares your candidate data with your payroll company, your admin assistant or any/all of your recruitment consultants.
Currently, there are only a few obligations your data processor is required to meet. However, GDPR will bring with it a lot more in the way of responsibility and requirements.
From May you will be directly responsible for your agency’s compliance with GDPR, the potential sanction and, most importantly, the consequences of your non-compliance.
To ensure you are compliant, you will need to review all of your client contracts and make sure they fall in line with the GDPR requirements.
4. GDPR Individual Rights
Under the current Data Protection Act, individuals have certain rights with regard to how and when their data is used. GDPR retains the existing rights, but also adds a range of new ones.
An individual will have the right to access more information and the power to have inaccuracies rectified immediately. They also have the right to have their information removed when it is no longer used, if they no longer want to give consent, or if the way their information is being processed is unlawful.
There is also a new right to data portability. It allows individuals to move information held about them to another controller, e.g. a different recruiter. This must be provided in a structured, digital format so that it can be transferred smoothly.
You need to consider how you will amend your internal processes to accommodate these new rights, especially data portability. Do this now so that you’ll meet the rights of individuals when GDPR comes into full force. It would also be smart to start including additional protections in client contracts to limit free migration.
5. GDPR Security Measures
Your recruitment business will have a duty to implement new measures that ensure a level of security that is “appropriate to the risk”. The new measures you will most likely have to implement are:
- In the event of an incident, you must have the tools in place to quickly restore any missing data.
- You must be able to ensure the ongoing confidentiality, availability, integrity and resilience of all the data processing systems you use.
- You must be able to encrypt all personal data you store, and have the ability to give any data element a pseudonym if required.
- You need to have a process in place to regularly test, assess and evaluate how effective the security measures you have in place are.
To implement the new measures you may need to amend your internal processes. If you currently use, or are considering using, any CRM/ATS software, you must ensure that it is also compliant with the new regulations. If it is not, this will have a negative effect on your business.
You must also make sure your social media policies are clear with regard to what you will and won’t do with client and candidate data. Failure to do so may land your business in a lot of trouble.
For more information about GDPR, what it means for you and how to prepare, take a look at our useful GDPR infographic and download our cheat sheet below.
Prepare now, and you’ll have an easy ride in May 2018.
The information shared in this blog and accompanying eBook is true and complete to the best of our knowledge. All recommendations are made without guarantee on the part of the author and Sonovate LTD. The author and publisher disclaim any liability in connection with the use of this information.