Some considerations on GDPR and recruitment companies / job boards

The General Data Protection Regulation (GDPR) is a regulation for the protection of the data of all EU member citizens that will be immediately enforceable as law from May 25, 2018.

Even if the date still seems distant in time, organisations must start acting now and getting ready before it’s too late; with only 29% of UK organisations reported to have started on their GDPR preparations, there is a lot still to be done!

Anybody involved in the recruitment process should now be assessing what personal data is captured, how it is collected, where it is stored and how it is used throughout the recruitment process. Existing workflows were never designed to be compliant with GDPR and now the simple act of sending a CV to a third party without the candidate’s consent could be deemed a data breach.

Whenever candidates need to send in CVs, they are sending personal information: whether this is via a job board, an employment website, or directly via an email, they must be provided with information on how their data will be processed (or used), how long it will be retained for, and if the data they shared with you will be transferred overseas (if, for example, you send it to a recruitment agency with multiple offices).

They will also be able to determine if you hold data on them, how they can check what this is, how they can rectify the data if it is incomplete or wrong, and how they can enact their right to be forgotten. Try to picture the scenario where a recruitment agency has sent a candidate’s CV to 5 different companies; within each company the CV has then been sent to the relevant heads of business, which has now resulted in multiple copies of the CV. How can the recruitment agency be certain that ALL copies of that CV are now deleted within the organisations that received the CV? This will be a key challenge and will need a shift in how content is shared, both from a technology and a human behaviour perspective.

The common practice of keeping unsuccessful CVs saved for future roles will need to be reconsidered under GDPR. Recruiters and HR departments will now need to prove the specific consents the candidate has given. It will no longer be sufficient just to send them an email saying you plan to keep a copy of their CV on file, or to ask them to sign up to terms and conditions before you engage. Every recruiter, online job board etc. will need to revisit their consent process to ensure it is compliant with GDPR. Recruiters won’t be able to use personal data of anyone who hasn’t given consent. They will only be able to contact candidates who have opted in.

Once you have received the CV, there are some important considerations from both a technology and people perspective.

  • Your IT department will need to ensure you have a secure process that covers the storage of electronic documents with personal information, be it in your recruitment or HR software, or in password-protected files.
  • You will also want to review who is able to access these, and for how long they are kept.
  • The individual who sent in the CV may also make requests to find out what data you hold on them and amend or remove their data from your system: to prevent future issues, you should focus on the process now.

Here’s a quick GDPR Checklist for recruitment agencies:

  • Identify your Data Protection Officer
  • Ensure your website terms and conditions are compliant
  • Revisit your People policies. Retrain if required.
  • Review document management processes and software

And some best practices guided by concepts like Privacy By Design:

  • Minimizing the amount of unnecessary data kept and not retaining identifying user data infinitely just for the sake of having it.
  • Creating an internal culture built on understanding and appreciating data privacy.
  • Monitoring processes and being aware of how user data is treated in the day-to-day.

Here are some questions that your recruitment agency must find the answers to before May 2018:

  1. What data does the business hold?
  2. Do people know that the data is being collected? Do they know why?
  3. Is all the data the business holds relevant?
  4. How much of it needs consent?
  5. How much of it can be deleted before the deadline?
  6. Where is it stored and what processes are in place to safeguard it?
  7. Can the data be copied and stored elsewhere? How does this impact the ‘right to be forgotten’?
  8. Who has access to it?
  9. Where did the business get the information?
  10. How many years of CVs does your recruitment agency have on file?
  11. Is this data being used for anything?
  12. How is the business managing the risk of sharing personal data, such as CVs, with multiple 3rd parties?
  13. What kind of checks does the business have in place?
  14. Have candidates who don’t want their data passed on to third parties had their instructions followed?

We hope these questions help you determine some company guidelines in anticipation of GDPR: we will ensure that all parts of our site and business are compliant and will inform you in a timely manner of all the necessary changes to our procedures.
