The General Data Protection Regulation is coming.

The European General Data Protection Regulation ("GDPR") will come into force on May 25, 2018. Replacing the Data Protection Directive, the GDPR will introduce a privacy framework that will bring about significant changes to the ways that organizations collect and process personal data.

Recruitment and headhunting businesses collect and process personal data as one of their core activities. As a result, the GDPR will impact the way these organizations work and operate. Failure to prepare for the new requirements may lead to high fines and reputational damages.

This Legal Update focuses on three specific key actions that recruitment and headhunting companies should consider when implementing their GDPR compliance project: (i) reviewing the legal basis for processing, (ii) updating privacy notices and (iii) reviewing retention/destruction policies.

Recruitment and headhunting firms should prepare by taking three key actions.

1. Review the legal basis for processing

Controllers need to identify a legal ground for collecting and processing personal data.

Traditionally, recruitment businesses have relied on consent from applicants to support processing their personal data. Under the GDPR, higher standards will now apply for consent to be considered valid. Consent must be specific and based on a clear affirmative action from the data subjects. Data subjects also will be able to withdraw consent at any time.

When processing activities that have more than one purpose, and when relying on consent as the legal ground for such processing activities, separate specific consents must be obtained. This means, for example, that when a headhunting company is seeking to use a candidate’s data for a different vacancy than the one the candidate applied for initially, separate and detailed information needs to be provided to the candidate regarding the new vacancy and specific consent must be obtained (and recorded). Likewise, if recruitment companies use automated systems to filter candidates (for instance, based on qualifications or grades), specific consent must be obtained (and appropriate information made available).

Given the higher threshold for consent to be obtained, many recruitment firms are checking whether other legal grounds are available for their processing activities. A legitimate interest of the data controller and/or data necessity for the performance of a contract are likely the most relevant legal grounds to be considered.

2. Update privacy notices

The GDPR requires organizations to inform data subjects about how their personal data are being processed. Specific information must be provided (i.e., the purpose and the legal basis for processing, whether personal data are shared with third parties, if the company conducts profiling activities or automated decision-making, etc.). Recruiters should review existing privacy notices and update them to comply with the new requirements.

For example, it now will be necessary to consider the timing for the provision of privacy notices. The GDPR distinguishes between two different scenarios. In some cases, companies collect personal data directly from an individual (for instance, when job applicants register their CVs on the company's website or when job applicants directly apply for a vacancy published online). In this case, privacy notices must be provided at the time the company obtains the personal data. In practice, companies should display privacy notices for candidates on their websites and make them available to individuals each time they provide personal data. In other cases, companies do not obtain the personal data directly from the data subjects but from other sources. This happens when recruitment companies proactively search for candidates by, for instance, using social networks to obtain referrals from other candidates or receive paper resumes directly from candidates at job fairs. In such instances, the GDPR requires companies to inform the individuals about the data processing activities within a reasonable period of time (no longer than one month) or when the first communication takes place. Practically speaking, a link to the privacy notice should be provided the first time the recruitment company contacts an individual for a vacancy in that context.

3. Review retention periods

Under the GDPR, data should not be kept longer than necessary.

Retention periods can differ based on the type of data processed, the purpose of the processing and other factors. Traditionally, recruitment agencies have maintained a comprehensive candidate database of the information they have received from job applicants and from which they select qualified candidates when opportunities arise. However, keeping candidates’ personal data indefinitely will no longer be possible under the GDPR.

Personal data must be deleted when the purpose of the processing has been achieved (unless other grounds can justify retaining the data). Job applicants should be informed of the storage period of their personal data. If precise retention periods cannot be established, companies should identify criteria by which the period can be determined. Recruiters will likely have to remove candidates who have been placed successfully, no longer needing the recruiters’ services. If the recruiter wishes to keep the personal data on file, it should adequately inform the candidates. To ensure compliance with the GDPR, recruiters should draft and put in place destruction/retention policies and procedures and ensure that their employees are trained appropriately.

The time to act is now.

These are only some of the action items relevant to recruitment and headhunting companies focused on complying with the fast-approaching GDPR. While the GDPR impacts all organizations that collect and process EU personal data, recruitment and headhunting companies are more heavily impacted due to the nature of their businesses and need to make sure that they have addressed the new requirements by May 25, 2018.