A Guide to GDPR for Recruiters - Article 1

Hugh Fordham

CEO

Whilst the 'launch' date has passed, not everyone is going to have this topic front of mind. Here's a simple, logical guide to brush up your knowledge.

The business world is talking about the importance of the General Data Protection Regulation (or the GDPR), but few companies really understand the implications of non-compliance. We believe it's our role to help educate organisations about the actions they need to take to ensure they are GDPR compliant.

To help recruiters understand the challenges of GDPR compliance, we are releasing a series of short articles to simplify the requirements, address some of the myths and offer potential solutions.

This first article offers a brief introduction to the GDPR and how it impacts recruitment.

GDPR and the law

The GDPR comes into force on 25 May 2018 and will impose a strict set of new rules concerning data privacy and security. Organisations that disregard these rules will be penalised – up to 4% of their annual worldwide turnover or €20 million, whichever is greater.

Because of the increased financial and reputational risks, many organisations are taking the GDPR seriously and will already have compliance teams working through the legal requirements. However, this is not just a regulatory issue: the impact on data protection in recruitment practices will be significant.

Principles of the GDPR

The GDPR focuses on giving users much more control over the way their data is stored and processed. The requirements can be divided into three categories:

Privacy by design

Any personal data must be 'processed in a manner that ensures appropriate security of the personal data' including storing it safely, controlling its use and tracking who has access.

What this means for recruiters

Most systems used for recruitment purposes (e.g. an ATS) should already be secure, and your compliance teams should be working with your suppliers to document this and ensure these controls are contractually enforced. What will be more problematic are the myriad ways in which data is sent and used outside the main systems - think of spreadsheets kept by recruiters and emails/folders used by hiring managers. All of these will need to be stopped or replaced.

What you need to do

Your compliance team may struggle to understand all the ways in which data is processed for recruitment, but they will understand what is non-compliant, so their starting point will be to stop anything happening outside a secure system. You need to consider all the things you and your team do outside systems, how important they are, and what you can put in their place if they need to continue.

Lawful processing of data

Personal data must be 'collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes'.

What this means for recruiters

Compared to previous data protection legislation, the GDPR is much more focused on making sure that data is collected for a precise purpose, that the purpose is made clear to the individual, and that the data is erased once that purpose is finished. In the recruitment context the main impact of this is that data on someone being processed for a job application needs to be separated from data on people being processed for recruitment marketing.

What you need to do

Separate out your selection and marketing processes and then make sure you have the right basis for processing data in each case. This is not simply a matter of consent. Processing data for selection will also be covered by other legislation (e.g. employment law), which may mean that consent is not necessary. Processing for marketing will definitely require consent, and it needs to be obtained separately, not as part of the application process.

Individual rights

The GDPR has a big focus on an individual's data rights.

Organisations have to be prepared to support these rights with much tighter rules on how quickly they respond.

What this means for recruiters

The key rights will be the right of access, the right of rectification, the right to data portability and the right to erasure. What this means is that you have to be prepared for significantly increased levels of requests from people wanting to see what data you hold, change it if they want to, and export or delete it. You must be able to respond to all requests within a month.

What you need to do

Again, the requirements will change depending on whether you are processing an application or engaging in recruitment marketing. For application processing, work with your compliance team and suppliers on how you would handle someone demanding access and/or changes in the middle of the process. For recruitment marketing, think about the resources or tools you require to keep people's information up to date and to allow them to export or delete it.

Further reading

For those interested in learning more, the Information Commissioner's Office has produced some excellent guides. Start with their Guide to the GDPR.

Hollaroo maintains a dedicated, and constantly updated, set of resources on the GDPR at http://www.hollaroo.com/gdpr.html

Read our second article in the series, a GDPR checklist for recruiters.

Copyright © 2025 Hollaroo. All rights reserved.