There’s no doubt that you will have heard of the GDPR changes that come into effect as of 25th May 2018. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
By now, you will be aware that you need to start preparing for the new regulations immediately in time to safeguard your business against the increased maximum fine. In May 2018, the fine increases to €20 million or 4% of global turnover (whichever is greater).
Unless you are adept at deciphering a 88 page legal document filled with countless “articles” and “clauses”, you may not feel completely confident in what the best plan of action is for your agency. So, let’s strip it back and clarify the key “highlights” of what GDPR means for recruitment agencies and how it may impact you on a day-to-day basis.
NB: This list is not exhaustive as GDPR will affect all agencies differently. Do your research to ensure your business processes comply with the new regulations. For 12 steps to take now, take a look at Information Commissioner’s Office (ICO)’s free guide.
What Does GDPR Mean For Recruitment Agencies?
Contrary to what some articles are insinuating – GDPR does not mean wholesale changes to your business model and certainly won’t be the end of recruitment! In reality, if your agency is complying with the current Data Protection Act (DPA), the majority of your approach will assist you well under the new laws.
However, there are some significant changes and they revolve around your recruitment agency being more transparent to your candidates about how you collect, store and use their data. The most important points include:
- Separate consent must now be sought for separate processing activities (such as, for example, when a candidate has put his or her details forward for one vacancy and these are then used for an unrelated purpose).
- Implied consent (that may come from the terms and conditions laid out by a job board) is not enough as personal data cannot now be shared on that basis.
- All candidate submissions must be submitted to a valid role and they have to have been contacted by the recruiter and given the vacancy details before the CV is sent.
- You will have direct responsibility for your own compliance with the GDPR and must be able to demonstrate a paper trail of compliance in your records.
So how will these changes impact your agency and what changes do you need to put in place to become compliant?
How Will GDPR Impact Recruitment Agencies?
The first action to take is to document your current processes. This means identifying how you collect, store and use candidates’ data as part of the recruitment/hiring process. Mapping out your registration/application process will allow you to identify where consent needs to be attained, and what information you must provide to the candidate. For example, under the new laws, you must set out the purposes for which the data is going to be processed, how it will be retained, and must state the right to have personal data deleted or rectified.
In the past, many recruiters were able to be very independent in their methods of using personal data but the new regulations reduce this grey area. By documenting your processes, you will be able to see how your recruiters operate. giving you the opportunity to systemise your operations under a more diligent methodology.
The act of “speccing” candidates will also come under further scrutiny within the new regulations. GDPR mandates that the sharing of personal data cannot be on a basis of implied consent, such as from a job board, and must come directly from the candidate. This may impact some recruitment processes but best practice dictates that you should always wait for a candidate’s permission before “speccing” their CV.
Having a centralised system that handles all of your candidate and client data is imperative under GDPR. It will be more challenging to ensure compliance to the upcoming regulations if your data is being stored in multiple applications such as Excel, Word, Outlook and/or a recruitment CRM. By handling your data collection process in one place, you and your recruiters can monitor how data is being collected, stored and used without ambiguity. This will give you the clarity you need to make the appropriate changes.
This is vital for GDPR because agencies must be able to provide the “paper trail” that documents the onboarding and data processes. So, as well as changing how you onboard candidates, you will need to make sure your Applicant Tracking System (ATS) or recruitment software is used to record the required activity. For example, you will need to be able to show when candidates were onboarded, what information was given, what consent was acquired and how the data was used.
The most fundamental impact for all agencies will be in updating their documentation, both internally and externally. The internal documents by which you induct new staff members will need to be free of ambiguity and current staff must be aware of any changes to their daily activity. External documents such as onboarding contracts and policies will also need to reviewed and revised to meet the increased demand for stipulating consent and how the data will be used.
To manage the delivery of these requirements, it may be necessary to appoint a Data Protection Officer or consult legal professionals because, ultimately, getting your recruitment agency “over-prepared” is worth the investment.
GDPR gives recruitment agencies the impetus to clarify their internal processes, become more transparent to their clients and candidates and provide a more respectful service to the job market. By preparing your agency now and making the necessary changes, you can ensure your agency and recruitment consultants comply with the upcoming regulations.
Are you looking to centralise your data management all within one system? Download our free eBook and make the right recruitment software choice.