It is being billed as the EU's huge data privacy shake-up, and the deadline is looming, but how much do resourcing teams, and recruitment in general, actually need to be concerned about?
Compliance as a whole is nothing new. Recruiters have always treated security and data protection as core parts of their role in a business. More good news is that if you have been a responsible data controller or data processor, following best practice in line with the Data Protection Act 1998 (DPA), then you should already meet most of GDPR's compliance requirements.
What one must remember however is that with the introduction of GDPR, the power is put back into the hands of candidates/applicants. In the new era, anyone who processes and holds data has a mandatory obligation to be both more transparent about their processing activities and responsive to demands for privacy-invasive processing to be curtailed. Where consent is required it must be freely given, specific, informed and unambiguous. There must be a positive opt-in requiring an action by the candidate. Implied consent cannot be assumed.
Failing to respect the rules is simply not an option: the fines alone are eye-watering sums that can cost a business significantly, rising from a previous maximum of £500,000 to about £17.5m or 4% of global turnover, whichever is the greater.
Over the last two years, in the process of ensuring compliance with GDPR, recruiters have become increasingly aware that the quality of their data, and sometimes the source of that data, may not be as reliable as they would wish. Not much can be done when a candidate applies directly, but recruitment agencies must be better at ensuring that the data they present to employers is compliant with GDPR, is being shared with consent, and is kept up to date.
To make sure you understand the data you hold and how you process it, you should document the following in an Information Asset Register (IAR) with risks being determined via a Privacy Impact Assessment (PIA):
- What data do you hold?
- Why do you need it? Is there a legal basis for requiring the information?
- Where does it come from?
- How do you use it?
- Where does it go?
- How do you get rid of it?
- What are the risks?
The rules governing all of your data processing should be clearly stated in a Privacy Statement. The GDPR introduces additional requirements for your Privacy Statement, which can be reinforced by your ATS (applicant tracking system):
Right to be informed: As well as the Privacy Statement, the ATS can inform the individual at different stages through the recruitment process e.g. consider adding additional guidance text to online forms and status updates.
Right of access: Candidates must be able to review their personal information and be kept informed of the processing of their application.
Right to rectification: Individuals should be able to rectify personal data if inaccurate or incomplete. Check that your use of your ATS allows candidates to update their personal data on-line. If the ATS cannot support this then you will have to implement a manual process and inform the candidate how to use the process. The Privacy Statement should include directions for the candidate on how to update their information.
Right to erasure: You may still be able to retain data if you are not relying on candidate consent to do so e.g. if you have a legal basis for keeping the data and you have explained that legal basis clearly to the candidate via the Privacy Statement. If you are relying on candidate consent for retaining some data, then you will have to provide the candidate with a mechanism to have the data deleted.
Right to restrict processing: If there is a challenge (or objection) to the data held (e.g. the candidate challenges that the use of the data is unlawful; or the recruiter is unsure if they should comply with a deletion request) then the data should be restricted from further processing until the challenge is resolved.
Right to data portability: Candidates should be able to obtain and reuse the personal data they have provided. It would be appropriate to let the candidate request a data download, then for you to verify the request, perform the download, and provide the result to the candidate.
Right to object: It must be made clear to candidates how they can object to the processing of their data. This should be in the Privacy Statement and must be made clear to the candidate at the start of processing.
Rights related to automated decision making: For decisions that are made about a candidate and which are based on their personal data, the candidate must be informed beforehand and be able to ask for and obtain human intervention (e.g. to review an automated decision), express their point of view, and obtain an explanation for any decision made using their personal data.