Stuart Gentle Publisher at Onrec

How recruitment companies can prepare for the EU GDPR

By Peter Linas, international managing director, Bullhorn

The General Data Protection Regulation (GDPR) is a comprehensive series of data privacy legislation that will bolster information security across Europe. It comes into force in May 2018, and will apply to all businesses and individuals that reside in the European Union. The personal data of all EU citizens – and how it is processed – is subject to the GDPR’s regulations.

Recruiters manage a lot of personal information, including both client and candidate data. The GDPR demands that such information is gathered, used, stored and disposed of according to its requirements. If any individual information is compromised, the supervisory authority needs to be notified within 72 hours. Businesses that fail to comply could face fines of up to £7.9m or 2% of their annual global turnover. The more serious the infraction, the higher the fine.

There is no doubt that the GDPR is going to shake up the recruitment industry – after all, it’s the biggest change in data protection laws in over 20 years. Practitioners and agencies need to get to grips with the new legislation quickly, and understand how it affects them. However, there is no need to panic. To ensure compliance, recruitment organisations need to plan carefully and prepare their systems and processes now, especially if they have not started to do so already.  

Get the whole team up to speed

It’s worth recruiters bearing in mind that the GDPR won’t drastically impact how their businesses operate – nor does it spell doom and gloom for the industry as a whole. There is a lot of unhelpful scaremongering at the moment, specifically around the consequences of non-compliance. Rather than burying their heads in the sand, agencies would benefit hugely from educating their employees about the implications and impact of the GDPR.

The first step is to conduct a full database audit. Although the GDPR applies to the entire EU, it leaves the definition of personal data up to the individual countries. Once their data has been cleaned and qualified, companies need to draft and enact policies that will control how data is handled going forward. 

But it’s no good to simply have the policies in place; all employees must be brought up to speed on exactly what is required of them. Companies must prioritise training and education sessions for everyone in the business. They don’t have to become data protection experts, but they do need to understand the regulations and adhere to them. That said, some companies may decide to hire a Data Protection Officer to help maintain compliance at all times.

Talk to key stakeholders

In addition to ensuring that all employees and internal personnel are ready for the GDPR, companies need to check in with their external stakeholders. It’s important to seek assurances from clients, partners and technology suppliers, and understand how they plan to approach the new regulations. 

Where suppliers are concerned, companies must confirm that all agreements cover the necessary provisions regarding both parties’ data. It’s crucial that the balance of risk and responsibility between the data controllers and data processors is clearly defined. Suppliers must undertake third-party audits and certifications, such as SOC 1, Type 2, to ensure that their internal governance, production operations, change management, data backup policy, and software development processes are in line with the GDPR’s requirements.

Suppliers should also be able to provide effective data portability, and demonstrate compliance with any international data transfer regulations such as the EU–U.S. Privacy Shield Framework.

Manage new data acquisition and retention

When it comes to acquiring and retaining data under the GDPR, there are several new requirements that will directly impact recruiters. For example, separate consent must now be sought for the use of personal data for the various activities involved in the recruitment and hiring processes - there’s no one agreement that will satisfactorily cover all uses.

In other words, every time a candidate’s data is used for a different activity, they need to give the company explicit consent for that use. Explicit consent means that an individual is clearly presented with an option to agree or disagree with the collection, use, or disclosure of their personal information.   

If a company fails to get the client or candidate’s permission, and uses their data nonetheless, that company will be in breach of the GDPR. This means have recruiters will have to very careful when using automated processes in their activities, as not all recruitment software is built to check consent. Individuals also have the right to be forgotten and the right to have inaccuracies in their data corrected. A unified and centralised data management system or Customer Relationship Management (CRM) system will prove invaluable for companies when monitoring how data is collected and stored.

Look beyond the frustrations

While it does require the recruitment sector to overhaul their data processes, GDPR does offer some significant benefits. Weak data security policies create problems like financial penalties and reputational damage. Companies with clear, comprehensive policies in place that demonstrate compliance with the GDPR will inspire more trust from their customers.

Adhering to the GDPR also protects companies should they suffer a data breach. Hackers don’t distinguish between compliant and non-compliant companies, but the former are in a better legal position if their personal information is compromised.

Finally, GDPR supports individual data rights, which is a very important and necessary thing indeed – even if it does initially inconvenience businesses. While the next few months will be challenging, recruiters that adopt these best practices now will be a secure position before 25 May 2018.