The General Protection Regulation 2018 (GDPR) will apply in 12 months’ time, from 25 May 2018.
The GDPR will significantly change and update the data protection regime in the UK. Given that recruiters deal with a raft of personal data on a daily basis they will need to understand and comply with the new regime, not least because there will be increased penalties for non-compliance.
- the maximum level of fines will increase to up to €20 million or 4% of global turnover;
- claims for compensation will become significantly easier;
- regulators will be able to require companies to cease processing of personal data which is in breach of GDPR; and
- the Information Commissioner’s Office will need to be notified within 72 hours of data breaches.
In addition, as non-compliance can have both a financial and reputational impact, adherence with GDPR will play a key role in the success (and valuation) of businesses in this sector.
Companies should act now to ensure that they are not at risk of breaching their obligations next year.
Here are the top five areas of impact which GDPR is likely to have on recruitment sector businesses.
1. Legal basis for processing and consent
The GDPR changes the current legal bases which are used to justify collecting and processing personal data, and requires additional transparency in informing individuals about when (and why) their data is collected, processed and transferred.
Traditionally, recruitment sector businesses have relied on an individual’s consent to justify the processing of their data. However, under the GDPR, there are stricter requirements for consent – it must be clearly distinguishable from other matters, in an intelligible and easily accessible form and must be capable of being withdrawn. Separate consent must be sought for separate processing activities (such as, for example, when a candidate has put his or her details forward for one vacancy and these are then used for an unrelated purpose).
Consequently, relying on consent alone is likely to become problematic and, in the future, you may need to rely on some of the other grounds for processing that exist. We can help you to examine the current basis for your data processing and assess whether this will still be valid under GDPR. We expect that most businesses will need to revisit and revise their current data collection and handling processes in order to comply with the new obligations. For example, some recruiters may need to ask existing candidates to re-register and remove any candidate who has not consented. Recruiters may also need to give candidates additional clarity about how they collect and use their personal data.
2. Data sharing
Under the GDPR, the relationship between parties who share data between themselves will become much more heavily regulated. If you share personal data with third parties (such as RPO companies, umbrella companies or payroll companies) then you must have a GDPR-compliant data sharing agreement in place. Policy on using data from job boards will, in particular, need to be reviewed carefully.
Consequently, you should review, and possibly amend, your contractual relationships with all those with whom you share data to ensure that they meet these new requirements. This will no doubt become part of a debate generally about “candidate ownership” and will take time to resolve, so you will need to start the discussions well before May 2018, which we can help you with.
3. Data processing
If you currently act as a data processor (e.g. if you collect and process an individual’s personal data on behalf of another company, such as part of a RPO or payroll arrangement), the GDPR will implement more significant change. Under current data protection legislation, you have few direct obligations. However, under the GDPR, you will have direct responsibility for your own compliance with the GDPR, with the potential sanctions and other consequences of non-compliance set out above. Key client contracts will need to be reviewed in this respect.
4. Rights of individuals
The GDPR builds on existing rights of individuals (such as the right to object to the processing of data for profiling) and contains numerous new rights. Individuals will have wider rights of access and information and any inaccuracies must be rectified without undue delay.
There is a new right to have personal data erased where the data is no longer required, where consent is withdrawn or if the processing is unlawful. This accompanies a similar right to restrict processing where the accuracy of the data is contested (which might be the case where a contract worker disputes client feedback about attendance or quality issues) or the processing is unlawful. Lastly there is a new right of data portability which allows individuals to move their data to another controller (or recruiter) in a structured, commonly used and machine-readable format.
This “portability” right is likely to cause many headaches for unprepared recruiters. Will it be used to facilitate free migration of your contractors to a new supplier? Will you need to tighten up your other restrictions? Whatever the case, you will need to consider implementing internal processes now in order to ensure that you can comply with these new rights of individuals once the GDPR comes into force and you may need to start including relevant additional protections in client contracts to limit free migration. Free migration can significantly reduce the value of your key client contracts, and in turn, your business.
Under the GDPR you will have a duty to implement measures to ensure a level of security which is “appropriate to the risk“. Appropriate measures may include:
- pseudonymisation and encryption of personal data;
- the ability to ensure on-going confidentiality, integrity, availability and resilience of data processing systems;
- the ability to restore data in a timely manner in the event of an incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of security measures.
This means that you may need to change your internal processes now in order to comply with the GDPR. If you are looking now at developing or buying in new CRM/ATS software to be in place after May 2018, then you will be wasting money if you do not future-proof for the GDPR.
You should also ensure that you have clear and robust social media policies in place to make it clear what your recruitment consultants can and cannot do with client and candidate data. Failure to do so could leave you vulnerable to breach “by the back door“.
How can we help?
GDPR compliance will take time to implement so we recommend that you act now to understand the impact of the GDPR on your business and identify what changes you need to make. As expert advisors to the recruitment sector, we are uniquely placed, with our data privacy experts, to help you navigate through the changes in a way that is relevant to your business.