Regardless of the industry you work in, or your job role, you’re likely to have heard about the General Data Protection Regulation (GDPR) coming into force. And, whether you’ve chosen to invest the time to read around the topic or not, it’s hard to escape the headlines warning of crippling fines for those not deemed to be compliant.
So, what’s it all about?
To date, data protection law has been somewhat ambiguous. The Data Protection Act, the legislation businesses are currently held accountable to, was passed back in 1998, before the internet had made its mark on the world and well before the rise of ‘big data’. With the growth of data-rich businesses, the explosion of online usage and the sheer volume of personal and business-critical data being shared, it soon became clear that rules crafted in ‘98 weren’t fit for purpose.
And so the General Data Protection Regulation was born. Proposed by the European Commission and adopted by the European Parliament and the Council of the European Union, the GDPR is designed to protect the rights of more than 500 million people across the EU. At its most basic, power is being handed back to the individual to own and protect their personal data. From 25 May 2018, businesses need to be prepared for this, or they could find their communication strategy undermined or, worse, land a hefty fine: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
What does GDPR mean for my recruitment agency?
The recruitment industry revolves around data, not that you’d know it from the resentment most recruitment consultants have for their CRM system. From a candidate applying for a job to a consultant conducting a headhunt or sending out a CV spec, every recruitment business handles thousands of personal records each month.
With the changes in the law coming into place in May 2018, it’s important that everyone in your agency – from CEO to exec – understands the importance of data protection and the new rules that they’ll need to abide by.
Types of data
There are two types of data that you need to be aware of:
Personal data : names, addresses, email addresses and any other information that identifies a living individual, either directly or in combination with other data you hold.
Sensitive personal data (‘special category’ data in GDPR terms) : any data that could reveal (either on its own or with other ‘standard’ personal data) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, genetic or biometric data, sex life or sexual orientation. A CV can easily contain several of these, so it needs extra care and a stronger justification for processing.
Most recruitment agencies collect candidate data for their own purposes and decide how it is used, making them, in the eyes of the law, a “data controller”, and with this come a few key changes in your agency’s approach to handling data.
One of the biggest changes is around consent. Recruitment agencies need to make it explicitly clear when candidate data is being collected and how it will be used. It’s not enough to assume that because a candidate has signed up to your website or applied for your job via a job board that they want to hear from you again or want to be specced out to businesses for other jobs. That assumption is ‘implied consent’, and it no longer passes: GDPR requires informed consent, given by a clear affirmative action, that is freely given, specific to each purpose and as easy to withdraw as it was to give. (Consent is not the only lawful basis GDPR recognises, but once you choose to rely on it, these are the rules.)
It’s the agency’s responsibility to prove that a candidate has agreed to have their data collected, stored on your database, and used for marketing or other purposes. This can be handled in a number of ways:
- Check box on sign up: when a candidate leaves their details on your website, they must tick a box to consent to being stored on your database, contacted by your company or having their details shared with clients. The big change here is that you can’t use a pre-ticked box any more; the candidate has to tick it themselves to give informed consent, and you should log when they did and which version of your privacy notice they saw.
- Call script: if you’re cold-calling a candidate, you can create a script for your consultants to follow to get verbal consent covering the uses of their data listed above. Verbal consent still has to be evidenced, so record who gave it, when, and which version of the script was used.
- 3rd party contracts: you’ll need to review your contracts with third parties (we’re talking job boards here). It’s no longer good enough to be mentioned as a third party in a job board’s terms and conditions; candidates need to consent to being contacted by your agency before being approached for anything other than the job they’ve applied for.
Added complexity comes with separate consent. A candidate must be told exactly what they’re signing up to receive and be able to choose each item on its own. If you’re planning to spec them out, put them on your newsletter email list and send them jobs you deem relevant, each of those needs to be clearly explained and separately agreed to at the point they choose to ‘opt in’, and you need to be able to show afterwards which ones they agreed to.
For many recruitment companies, re-consenting their database to ensure that candidates have given full consent will be a challenging prospect, but unless the consent you already hold meets the GDPR standard and you can evidence it, GDPR leaves no other option. It’s therefore extremely important to get these processes in place sooner rather than later so your database is as healthy as possible ahead of the May 2018 deadline.
Access requests & the right to be forgotten
As mentioned before, GDPR puts the power back in the hands of the individual, enforcing the idea that each person is the owner of their personal data. Companies now need to make sure that everyone is able to withdraw their consent to being contacted at any time, as easily as they gave it, and is given the right to be forgotten. This means that individuals can ask for their personal data to be deleted from your system at any time and, unless you have a legal reason to keep it (a contractual or statutory obligation, for example), you have to comply, including in the spreadsheets, inboxes and shared folders where copies tend to linger.
Similarly, with subject access requests (when an individual writes to a company to find out what personal data it holds about them), in most cases you’ll no longer be allowed to charge for complying, and you’ll have to make sure your business responds within a month rather than the current 40 days. That month can be extended by up to two further months where requests are complex or numerous, but you must tell the individual why within the first month.
How do I become GDPR compliant?
The first thing you need to do is map out all your current processes: how you collect, store and use candidate and client data, and every system or touch point involved. In doing this, you’ll be able to spot where you currently ask for consent, where you need to introduce a request for it, and what detail it needs to include (remember to check your contracts with job boards here too).
For this process to work, you need to take a hard look at your agency and work through how each consultant actually handles data. In theory your team should be using the CRM system, but ask whether they are still using spreadsheets, shared folders, desktop documents or printed CVs.
You need to document the type of personal data you get, where it came from, who you share it with and how long you keep it. GDPR requires you to maintain records of how you process personal data across your agency.
One key thing to remember here is that there isn’t a single test or certificate that says your company is GDPR compliant. Instead it’s about accountability: showing that you have taken the rules seriously and can evidence everything you have done to adhere to them.
One of the biggest challenges recruitment agencies face with GDPR is making sure that all data is handled in the same way. Having a central system and a standard process will help you keep on top of your data, and it’s much easier than trying to keep tabs on multiple spreadsheets, Word documents, server folders and so on. Storing everything in one place lets you and your consultants monitor how data is being collected, stored and used, and means a deletion or access request only has to be honoured in one place.
Remember that as part of GDPR you need to be able to show when a candidate was put on the system, where their details came from, what information they were given, what consent was acquired (and for which purposes) and how their data has been and is being used.
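As an added illustration (not code from the original article or any real CRM), the Python sketch below shows one way to keep the evidence described above in a single place: a per-purpose consent history that records when a candidate was added, where their details came from, which privacy notice they saw and what they opted into, with withdrawal, a subject access export carrying its one-month deadline, and erasure that leaves only a hashed audit stub. The purpose names, the sample email address and the notice version are assumptions made for the example.

```python
# Consent ledger sketch for a recruitment CRM. Added example; purpose names,
# the sample address and the notice version are assumptions for illustration.
import calendar
import hashlib
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Dict, List

# Each purpose needs its own opt-in ("separate consent"); names are assumed.
PURPOSES = frozenset({"job_alerts", "newsletter", "spec_to_clients"})


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool        # True = opt-in, False = withdrawal
    at: datetime
    source: str          # where it was captured: "website_form", "call_script_v2", ...
    notice_version: str  # privacy notice the candidate was shown at the time


@dataclass
class CandidateRecord:
    created_at: datetime  # when the candidate was put on the system
    source: str           # where their details came from
    events: List[ConsentEvent] = field(default_factory=list)


def one_month_after(d: date) -> date:
    """SAR deadline: one calendar month from receipt, clamped to month length."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


class ConsentLedger:
    """Per-purpose consent history with withdrawal, access export and erasure."""

    def __init__(self) -> None:
        self._records: Dict[str, CandidateRecord] = {}

    def record_consent(self, email: str, purpose: str, source: str,
                       notice_version: str, now: datetime, *,
                       pre_ticked: bool = False) -> None:
        # A pre-ticked box is not a clear affirmative action, so refuse to log it.
        if pre_ticked:
            raise ValueError("pre-ticked box is not valid consent")
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}: consent must be specific")
        rec = self._records.setdefault(email, CandidateRecord(now, source))
        rec.events.append(ConsentEvent(purpose, True, now, source, notice_version))

    def withdraw(self, email: str, purpose: str, source: str, now: datetime) -> None:
        # Appended, never overwritten, so the history stays auditable.
        self._records[email].events.append(ConsentEvent(purpose, False, now, source, "n/a"))

    def has_consent(self, email: str, purpose: str) -> bool:
        """Check before every send or spec: the latest event for the purpose wins."""
        rec = self._records.get(email)
        if rec is None:
            return False
        history = [e for e in rec.events if e.purpose == purpose]
        return bool(history) and history[-1].granted

    def subject_access(self, email: str, received_on: date) -> dict:
        """What a subject access request must be able to return, with its deadline."""
        rec = self._records[email]
        return {"respond_by": one_month_after(received_on).isoformat(),
                "created_at": rec.created_at.isoformat(), "source": rec.source,
                "consents": [(e.purpose, e.granted, e.at.isoformat(), e.source,
                              e.notice_version) for e in rec.events]}

    def erase(self, email: str, now: datetime) -> dict:
        """Right to be forgotten: drop the record, keep only a hashed audit stub."""
        rec = self._records.pop(email)
        return {"subject": hashlib.sha256(email.lower().encode()).hexdigest(),
                "erased_at": now.isoformat(), "events_removed": len(rec.events)}


def demo() -> dict:
    """Constructed walkthrough: two opt-ins, a pre-ticked box rejected, one
    withdrawal, a subject access request, then erasure."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    email = "candidate@example.com"  # constructed sample address
    ledger.record_consent(email, "job_alerts", "website_form", "notice-2018-05", t0)
    ledger.record_consent(email, "spec_to_clients", "call_script_v2", "notice-2018-05", t0)
    try:
        ledger.record_consent(email, "newsletter", "website_form", "notice-2018-05", t0,
                              pre_ticked=True)
        rejected = False
    except ValueError:
        rejected = True
    ledger.withdraw(email, "spec_to_clients", "unsubscribe_link", t0)
    sar = ledger.subject_access(email, date(2018, 5, 31))
    return {"can_send_alerts": ledger.has_consent(email, "job_alerts"),   # True
            "can_spec": ledger.has_consent(email, "spec_to_clients"),     # False
            "can_newsletter": ledger.has_consent(email, "newsletter"),    # False
            "pre_ticked_rejected": rejected,                               # True
            "sar_due": sar["respond_by"],                                  # "2018-06-30"
            "erasure": ledger.erase(email, t0),
            "after_erasure": ledger.has_consent(email, "job_alerts")}     # False
```

Two design choices carry the compliance weight: consent is stored as an append-only history keyed by purpose, so a spec can only go out if the most recent event for spec_to_clients is an opt-in, and a withdrawal sits in the record beside the consent it cancels; and erasure removes the personal data while keeping a hash and timestamp, so you can later show that a request was honoured without keeping the email address you were asked to delete.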
Once you know how you’re collecting, storing and using personal data, you’ll be in a great position to pull together the privacy notice and terms and conditions that set out your basic level of engagement with candidates and clients. These should include:
- How you store information
- How long you keep that information for
- What rights the individuals have to access their data
- An explanation of how to request deletion of data
- The reasons why you’re storing data
Transparency and honesty are at the heart of the new regulations. At its most basic, complying with GDPR means showing that you’re doing everything you possibly can to keep candidates and clients in the loop about their personal data and how it will be used, and giving them control over where and when you use it.