How recruitment companies can prepare for GDPR
GDPR is fast approaching; with all the new legislation, protocols and rules coming into force, it’s important to brush up on the facts to avoid lengthy proceedings and expensive fines.
The General Data Protection Regulation (GDPR) will be introduced on May 25th 2018, replacing the Data Protection Act (DPA) that has been in place in the UK since 1998. It will be implemented across Europe, and despite Brexit, the UK will be adopting the legislation automatically.
The days of buying and selling hundreds and thousands of contacts are over. With the rapid growth of technology and the internet over the past 15 years, and the ease of access to personal data, it was only to be expected that outdated regulations from the 90s would have to be updated. With social media, online phone books and a growing digitised sales industry, the monitoring and protection of customer data will be closely scrutinised, with hefty penalties if such protocols are not followed. Newly built networks will need to be consensual, organic and documented.
So what changes will be introduced and how will they affect businesses, especially those in recruitment?
- New customer rights will be introduced in order to restore control over personal data; individuals will have the right to request access to, deletion of, and information about why, where and how their information is being used.
- Recruitment agencies will need to document their data handling processes in order to create a paper trail that can be produced if requested by governing bodies; this also serves as protection for companies should their data processes be questioned.
- Implied consent to data collection will no longer be enough; taking information from job boards, for example, will not be permitted. Recruiters will need to wait for candidate consent before ‘speccing out’ CVs, or sharing, storing or using their information in any way.
- Applicant tracking systems (ATS) and other recruitment software will need to create and store a record of data processing activity.
- Candidates and clients must opt in to email and SMS marketing, and proof of that authorisation should be evident.
- A security breach must be reported within 72 hours; after this, fees will apply. Record-keeping violations will incur a penalty of €10 million or 2% of the company’s global gross revenue, and violating the legal justification for data processing, consent or transfer can result in penalties of €20 million or 4% of global gross revenue.
- Destruction, loss, modification, unauthorised disclosure of, or access to people’s data has to be reported to the Information Commissioner’s Office (ICO) in the UK.
What you can do to make the transition a little smoother:
- Create a centralised system to store all your data; keeping all your contacts in one place will make it easier to create a paper trail, monitor data handling processes and avoid security breaches.
- Dedicate some time to reviewing and updating documents so that they comply with the new standards of transparency, avoiding problems that can arise from ambiguity further down the line.
- Draft data handling terms and conditions for candidates and clients, and examine existing contracts and renew them appropriately.
- Exercise caution, clarity and strategy when seeking and obtaining new data, or re-organising existing data.
- For recruitment, a paper trail of on-boarding and data processes is imperative.
Businesses will be accountable for implementing data protection policies, carrying out data protection impact assessments and producing relevant documents on how data is processed. It could be useful to bring in an external team to ensure everything is correctly in place for the arrival of GDPR. The most important thing, however, is to store your contacts’ information in one location and keep a record on hand of all the ins and outs of your data management!
If you would like to find out more about GDPR and recruitment, download our free eBook guide below: