Will GDPR affect your recruitment company?
You might be wary of GDPR coming in if you work in recruitment. But don’t worry, we’re going to explain how you can prepare your business for this new legislation.
The General Data Protection Regulation (GDPR) is going to have a big impact on the recruitment industry when it comes in on 25 May 2018.
You'll need to review the way you manage data from clients (companies looking to hire) and candidates (people looking for a job) to make sure you're ready for GDPR.
If you’re not, you could face a maximum penalty of either €20 million or 4% of your annual turnover, whichever is greater.
To help you avoid a hefty fine, we explain what’s changing under GDPR and which processes you’ll need to update.
Processing and managing consent
You should be used to asking for consent to process someone’s data, for example to send a candidate’s CV for a job role. But the law around consent is getting stricter under GDPR.
From 25 May 2018, you’ll need to get separate consent each time you want to process an individual’s data. For example, when a candidate gives you their details to apply for a job, you won’t be able to use their information for something unrelated.
Candidates must give you explicit consent through a positive ‘opt in’. You can no longer presume a candidate is giving you consent from a pre-ticked box.
Set aside some time to go through the clients and candidates you have on file, and ask them if they want to stay on your database. You could use this opportunity to remove anyone who didn’t give you explicit consent.
Data sharing rules
If you share personal data with third parties—such as recruitment agencies, umbrella companies or payroll companies—you’ll need to update your data sharing policy.
This policy must make it clear to your third party providers that you own the data and they can’t use it outside of the terms you agreed with them. You might need to look into the third parties that you share data with to make sure they meet GDPR requirements.
You must make it clear to candidates that you intend to share their data with other companies. And they must—you’ve guessed it—explicitly consent to this.
GDPR will maintain the current rights individuals have under the Data Protection Act and introduce a range of new ones.
An individual has a ‘right to be forgotten’ under GDPR. That means a candidate or client can ask you to delete their information if you no longer need their data, you are processing it in an unlawful way, or they want to withdraw their consent.
Another new right is ‘data portability’. This allows individuals to move their information from one data controller to another. In other words, someone can ask you to give their data to a different recruiter.
If they do, you must hand over this information in a structured and digital format so other organisations can use it. You must do this free of charge.
Now that you know how GDPR will affect your recruitment company, find out how GDPR will change the way you process staff data, or visit our GDPR info centre for more resources to help you get prepared.