
GDPR and Recruiters

25 May 2018 – take note of the date, as it is becoming affectionately known as “GDPR day”. It is the day on which the old Data Protection Act 1998 is superseded by GDPR. The aim: to standardise rules across the EU and create greater transparency, responsibility and liability in relation to how data held on individuals is collected, used, shared, stored, transferred or deleted. While not officially confirmed, it is expected that the UK will continue to observe GDPR post-Brexit to maintain harmonisation with the EU rules and the wider data market.

But what does this mean? GDPR, very briefly, places the burden of ensuring compliance on your entire organisation, especially functions like recruiting which rely heavily on collecting candidates’ personal data – their names, email addresses, possible medical requirements, telephone numbers or addresses: all information that would allow you to easily identify the individual.

The following are a few of the key areas of impact and how GDPR should be considered:

1. Consent

GDPR requires additional transparency in informing individuals about when (and why) their data is collected, processed and transferred. Traditionally, recruitment sector businesses have relied on an individual’s consent to justify the processing of their data. However, under GDPR there are stricter requirements for consent: it must be clearly distinguishable from other matters, given on an informed basis and in an easily accessible form, and it must be capable of being easily withdrawn. Separate consent must be sought for separate processing activities (for example, when a candidate has put his or her details forward for one vacancy and these are then used for unrelated vacancies or other purposes). We expect that most businesses will need to revisit and revise their current data collection and handling processes in order to comply with the new obligations. For example, some recruiters may need to ask existing candidates to re-register, remove any candidate who has not consented, and give candidates additional clarity about how they collect and use their personal data.

2. Data “processing”

Under the existing regime, the “data controller” is the party who controls and decides the manner in which the data is used; a “data processor” is someone who collects or processes the data (and this can be as simple as receiving and holding the data) from or on behalf of another. Currently, there is little direct obligation or liability on data processors. However, under GDPR all data processors will have direct responsibility to data subjects in relation to their compliance with GDPR. There are also new duties on data controllers to ensure that they have a clear contract, with suitable GDPR-compliant terms, with data processors setting out what they can and cannot do with data that may be shared. All parties will need to ensure that the relevant recruiter has complied with the above-mentioned “consent” requirement. Well-organised recruiters will include GDPR provisions within their terms of business and in their privacy policy. If you haven’t been given either by the recruiter, you should request them and ensure that there are clear provisions stating that the recruiter obtains all relevant and informed consent from candidates. You will also need to be very careful about how you use, store and “process” candidate data so as not to breach GDPR.

3. Data Subject Rights

Under GDPR, individuals will have far greater rights as to how their data is used and accessed. These range from the “right to be forgotten” – the right to have data erased where it is no longer needed or is factually incorrect (which could include cases where candidates or contract workers contest feedback about attendance or performance) – to a new right of “portability” of data: the right for individuals to demand that all of their data is transferred, in an easily readable format, to another provider. Both recruiters and employers will need to review their working policies and practices to ensure that they can comply with all of these individual rights.

4. Security

Under GDPR there is a duty to implement measures to ensure a level of security which is “appropriate to the risk”. Appropriate measures may include: pseudonymisation and encryption of personal data; the ability to restore data in a timely manner in the event of an incident; and a process for regularly testing the effectiveness of security measures. This means that you may need to change your internal processes now in order to comply with GDPR.

The implications of GDPR are far-reaching and affect all aspects of your business. The above is a very brief snapshot of the implications of GDPR; if you wish to discuss any of the issues raised in this article, or for any advice or assistance, please do not hesitate to contact the recruitment team.

Sherrards uses reasonable care to ensure that the content (“Content”) appearing on the Website is current and accurate. The Content does not constitute legal advice and is provided for general information purposes only, without giving any warranty of any kind, either express or implied. The User hereby acknowledges that Sherrards have no control over the use to which the User puts the Content and as such Sherrards cannot and shall not be liable for any loss arising out of the User’s (or any third party’s to whom the User forwards Content) use of, or reliance upon, the Content (whether such loss is direct, indirect or consequential).
