GDPR for the recruitment sector
After the countdown to 25 May 2018, the General Data Protection Regulation (“GDPR”) has finally arrived.
To welcome GDPR, let’s have a quick recap. The core of GDPR (in a nutshell) allows individuals to regain control over their personal data (therefore protecting the individuals), meaning that companies now have to tread carefully when accessing, obtaining and storing personal data.
So what does GDPR mean for the recruitment sector?
The recruitment sector is heavily reliant on accessing and storing candidates’ personal data in order to fulfil its responsibilities of finding and referring candidates to the prospective employers that it deals with on a daily basis. A lot of the time, personal data from a candidate can be sourced online. With the amount of personal data that recruitment firms use, it is vital for the recruitment sector to have its house in order. Here are a few top tips to bear in mind, even if you think you are GDPR ready.
- Is pressing the ‘delete’ button enough?
On a daily basis, recruitment agents receive a lot of personal data (such as CVs). Not only do recruitment agents have to ensure that the data is stored correctly (to comply with GDPR), but they also need to carefully consider how they delete personal data. Individuals have the ‘right to be forgotten’; therefore, if a candidate requests that their personal data be deleted, recruitment agents must ensure that this procedure is carried out correctly. Deleting the candidate’s personal data from the database may not be enough, as many companies now have cloud services that back up the data. Consequently, it is vital that the personal data is deleted from the ‘hidden areas’ too. Failure to do so may result in a breach. So the answer to the above question is no: simply pressing the ‘delete’ button is not enough.
- Remember to be aware of ‘consent’
At a networking event, it is quite normal to pick up a number of business cards. Eventually, a collection of business cards belonging to various people builds up. A recruiter may well have received a business card where, at that time, the specific purpose was not to find that individual a new role. With GDPR in force, you must have that individual’s prior consent to do so, and that consent must be specific and unambiguous. So, before using any personal data, ensure that the individual has given their explicit consent and that such consent was for a specific and unambiguous purpose.
- Train every single member of staff
Training every single staff member… is that not excessive? Well, in order to remain GDPR compliant, it is not excessive (especially for the recruitment sector), and here is why. If a candidate sends a CV to a receptionist via email, this email will be sitting in the receptionist’s inbox. Even after this email is deleted, there may be a copy of it elsewhere that nobody else knows about. Later down the line, if the candidate would like to exercise their ‘right to be forgotten’, the receptionist may simply press delete and not delete the CV from all the ‘hidden areas’ discussed above. This would mean that the company would be in breach without even knowing it. That is why it is important to train every single member of staff, as personal data can creep through from anywhere! It is essential that all the right steps are taken to ensure compliance with GDPR.
If you need any help ensuring that your house is in order and that you are GDPR compliant, or if you would like further information on this article, please contact Gurpreet Sanghera. Or you can give us a call on 0345 070 6000.