There were a few shock-waves when the French data protection regulator, the CNIL,  fined Google €50M for GDPR breaches. This has been referred to as the end of the honeymoon for any organisation using consent as the legal basis for processing someone's personal data.

The GDPR is rather vaguely worded so it was always going to be the case that actual rulings would start to put meat on the bones and bring clarity to what the requirements actually are. In this instance the focus is on transparency and consent - two of the core changes from previous data protection legislation.

Transparency

The GDPR requires that it is made clear to an end-user how their data will be used, for what purpose and for how long. What the ruling clarifies is how this needs to be implemented. In the Google case the information was usually available but in several places and required "5 or 6 taps" to understand how your data is being used. This information needs to be "easily accessible for users", not hidden away.

Consent

The requirement for specific consent is one of the core changes with GDPR and again this ruling makes the implications clearer. In the Google case there was no clear separation between consent for setting up a device and that for other services like personalised ads.

In addition the Google process has one check-box saying “I agree to the processing of my information as described above and further explained in the Privacy Policy” and this is explicitly ruled as too broad to comply with GDPR.

What are the implications?

"The industry now can’t say it hasn’t been warned." - Jon Slade, chief commercial officer of the Financial Times

Anybody processing personal data now has clear guidance on how the regulators expect GDPR to be implemented. This is especially true for recruiters where the implementation of GDPR has too-often been considered a tick-box exercise.

1. Is it easy for candidates to understand how their data will be processed, for what purpose and for how long?
2. Do you clearly separate consent for processing a job application and for recruitment marketing?
3. Is consent even the correct legal basis for processing an application?
4. Can candidates opt-out of marketing at any point without it affecting any applications they have made?

Be positive

We have always maintained that GDPR is a hugely positive piece of legislation and should be used by recruiters as a chance to refresh their relationships with candidates.

The spirit of GDPR is for users to have transparency and control over their relationship with an organisation - and anybody that cares about candidate experience should be looking to deliver that in any case.

It is not too late. The regulators are working their way through 95,000 GDPR complaints submitted since last May and are obviously focusing on the "big fish" first. Use the opportunity to raise awareness of the implications and justify investment in improvements that will benefit everybody involved.