Posts

The GDPR Compliance Toolkit For Recruitment Agencies

With the General Data Protection Regulation (GDPR) fast approaching its application date of 25 May 2018, every organisation that processes personal data as a ‘data controller’ or ‘data processor’ within the European Union (EU), and any organisation outside the EU that offers services to, or monitors the behaviour of, individuals in the EU, must comply with the new regulation or face increased fines and penalties.

During our own extensive research on the new regulations, we have come across a multitude of online articles, blogs, guides and white papers providing advice on the new GDPR regulations, but not all of them deliver.

So to shortcut this exhaustive process for you, here’s our shortlist of the best online GDPR resources including some specifically for the recruitment industry to make up your GDPR compliance toolkit*.

NB: Be sure to bookmark this page for later so you can easily access the best resources on GDPR.

Quick Reads on GDPR

A Short Guide To The EU GDPR | IT Governance

IT Governance are a “leading global provider of IT governance, risk management and compliance solutions”. Their guide will give you the basic breakdown of what GDPR is, the primary impact it will have on organisations and what you will need to do to comply with the new regulation. It’s a 3 minute read so if you know nothing about the upcoming regulation changes, here’s a good place to start.

What is GDPR? The Need To Know Guide | Eclipse Software

Our recently published blog gives straightforward answers to the 8 questions about GDPR most frequently searched for in Google. It covers the basics concisely, as well as:

  • Who Enforces GDPR?
  • Are GDPR Fines Insurable?
  • What Does GDPR’s “right to be forgotten” Rule Mean?
  • Will GDPR Apply After Brexit?

Are You GDPR Ready? HubSpot’s Checklist | HubSpot

HubSpot’s GDPR section is very useful and practical for all organisations looking to prepare for GDPR. If you know the basics of GDPR for your recruitment agency but aren’t quite sure where to start, HubSpot’s checklist gives you the questions you will need to ask yourself in order to begin the process of compliance. It will only take 5 minutes to read but, after reading this resource you’ll feel a lot more confident of what you need to do before 25th May 2018.

Longer Reads on GDPR

Preparing For EU GDPR | Alan Calder

Alan Calder, founder of IT Governance, is the author of EU GDPR: A Pocket Guide. In this resource he provides a more detailed breakdown of the particular changes in the law that apply from 25th May 2018 and what approach to take. The SlideShare is accompanied by a 1 hour video presentation, so if you are more engaged by video, this is the resource for you.

Supporting GDPR Compliance in Recruitment | Volcanic

Volcanic, who specialise in building websites for recruitment agencies, have a wealth of knowledge about GDPR and how to make your website compliant with the new regulation. Their download, Supporting GDPR Compliance in Recruitment, is a comprehensive guide written specifically for agencies and covers:

  • Do I really need to comply with GDPR?
  • What does GDPR mean for me?
  • 12 steps to support GDPR compliance

What Does GDPR Mean For Recruitment Agencies? | Eclipse Software

Our downloadable eBook is a comprehensive guide specifically for recruitment agencies. We might be biased but we think it covers everything you need to consider when preparing for GDPR, plus a little bit more. Sections include:

  • An Individual’s (Candidate’s) Rights
  • The Definition of Personal Data
  • How Will GDPR Impact Recruitment Agencies?
  • What Does Your Recruitment Agency Need To Do?

GDPR In Full

If you still haven’t quite had your fill of GDPR compliance and would like to study the finer points of the legislation complete with legal terminology, you can use the two resources below:

Guide to the General Data Protection Regulation (GDPR) | ICO

The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights. Their complete guide is a bit more user friendly than the legislation itself and they also have a very useful 12 step guide as well as self assessment checklists for data controllers and data processors.

REGULATION (EU) 2016/679 | Official Journal Of The European Union

The regulation in full may not be the most engaging reading, but if you are interested in the official wording straight from the source, here is every article and recital of the GDPR.


*Disclaimer: Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.

What is GDPR? The Need To Know Guide

Over the last 6-12 months, the vast majority of recruitment agencies have increasingly been reviewing their approach to data processing ahead of the upcoming GDPR legislation. To give you a simple need-to-know guide, we have compiled the answers to the 8 questions about GDPR most frequently searched for in Google.

What Is GDPR?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is the much anticipated legislation that aims to strengthen the protection of individuals’ personal data and to standardise data protection law across all European Union (EU) member states.

The EU’s GDPR website says the legislation is designed to “harmonise” data privacy laws across all EU member states as well as give greater protection and rights to individuals. But why now?

You only have to think about how data collection and processing has changed in your industry since the 1990s to recognise the need to revise these rules; it really was only a matter of time. For organisations across EU member states this means auditing and amending how they process personal data so that they comply with the new and updated law.

When Does GDPR Come Into Force?

The GDPR applies in all EU member states from 25 May 2018. This means you will have to have changed your processes before that date or risk incurring the increased fines. The regulation entered into force on 24 May 2016, giving businesses two years to comply.

Who Enforces GDPR?

Each EU member state appoints one or more supervisory authorities (SAs) responsible for enforcing GDPR. These SAs uphold the regulation in their own state, with consistency across states coordinated by the European Data Protection Board. They each have investigatory and corrective powers, meaning they can:

  • Conduct audits
  • Issue warnings and reprimands
  • Impose bans
  • Suspend data transferring
  • Issue administrative fines

The rigour with which the SAs enforce the legislation will depend entirely on the individual SAs and member states themselves. According to IT Governance, historically, this has differed quite significantly with Germany and Spain typically being toughest on data protection in comparison to the Republic of Ireland, which has a track record of being lenient.

Will GDPR Replace The Data Protection Act (DPA)?

Simply – yes.
The GDPR supersedes the 1995 Data Protection Directive (Directive 95/46/EC), which each European state had to implement in its own national law. The UK’s Data Protection Act 1998 will be superseded by a new DPA that gives effect to the GDPR requirements in the UK.

What Are The Maximum GDPR Fines?

The maximum fine under GDPR for the most serious infringements has increased to €20m (approx. £17.6m) or 4% of an organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier of €10m or 2% of turnover applies to other breaches, such as failing to keep proper records of processing.

This is a huge increase on the DPA’s current maximum fine of £500,000, but the Information Commissioner’s Office (ICO) has assured that fines will not become the norm. Writing in August 2017, the Information Commissioner, Elizabeth Denham, stated that, “issuing fines has always been, and will continue to be, a last resort”. In fact, of the 17,300 cases concluded in 2016/17, only 16 resulted in fines.

Are GDPR Fines Insurable?

As GDPR has not yet come into effect, there is no definitive answer to this question and it will be decided case by case. In brief, if a business is found to have committed a criminal offence, it seems likely that it will NOT be able to insure against GDPR fines, under the principle of the “illegality defence”. The “illegality defence” prevents a claimant from pursuing a civil claim against another party if the claim is based on the claimant’s own illegal acts.
If you would like a more comprehensive answer on this topic, read brownejacobson’s blog.

What Does GDPR’s “right to be forgotten” Rule Mean?

Article 17 of the GDPR, the right to erasure or “right to be forgotten”, has become a focal point of the upcoming regulation. Under the new rules, individuals will have the right to request the deletion or removal of their personal data where there is no compelling reason for its continued processing.

Some of the most common instances where an individual can request erasure are:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • When the individual withdraws consent
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)

Want to read Article 17 in full?

Will GDPR Apply After Brexit?

Because GDPR applies from some 10 months before the expected end of the United Kingdom’s EU membership, businesses and organisations will have to prepare regardless of what Brexit brings.
It is still wholly unclear what effect Brexit will have on data protection law, but the best estimate is that the UK’s data protection law will aim to uphold the key tenets of GDPR, namely the increased rights of individuals over their personal data and the increased transparency with which businesses process it.

How Will GDPR Affect Recruitment Agencies?

In our July 2017 GDPR blog, we outlined the key impacts that GDPR will have on recruitment agencies in terms of changes to processes, data management and documentation.

We have also published a GDPR eBook covering the following topics:
1. What GDPR means for recruitment agencies.
2. What recruitment agencies need to consider.
3. The configuration and functionality options in Eclipse Recruitment Manager 4 that relate to candidate data, for use when reviewing your GDPR approach and processes.
4. The top 10 questions we are asked by clients, with the recommended approach using their Eclipse Recruitment Manager 4 software.

Request your free GDPR eBook today.


How Will GDPR Impact Recruitment Agencies?

There’s no doubt that you will have heard of the GDPR changes that come into effect as of 25th May 2018. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

By now, you will be aware that you need to start preparing for the new regulations immediately in time to safeguard your business against the increased maximum fine. In May 2018, the fine increases to €20 million or 4% of global turnover (whichever is greater).

Unless you are adept at deciphering an 88-page legal document filled with countless “articles” and “recitals”, you may not feel completely confident about the best plan of action for your agency. So, let’s strip it back and clarify the key “highlights” of what GDPR means for recruitment agencies and how it may affect you on a day-to-day basis.

NB: This list is not exhaustive as GDPR will affect all agencies differently. Do your research to ensure your business processes comply with the new regulations. For 12 steps to take now, take a look at Information Commissioner’s Office (ICO)’s free guide.

What Does GDPR Mean For Recruitment Agencies?

Contrary to what some articles are insinuating – GDPR does not mean wholesale changes to your business model and certainly won’t be the end of recruitment! In reality, if your agency is complying with the current Data Protection Act (DPA), the majority of your approach will assist you well under the new laws.

However, there are some significant changes and they revolve around your recruitment agency being more transparent to your candidates about how you collect, store and use their data. The most important points include:

  1. Separate consent must now be sought for separate processing activities (such as, for example, when a candidate has put his or her details forward for one vacancy and these are then used for an unrelated purpose).
  2. Implied consent (that may come from the terms and conditions laid out by a job board) is not enough as personal data cannot now be shared on that basis.
  3. Candidates must only be submitted for a genuine vacancy, and the recruiter must have contacted them and given them the vacancy details before their CV is sent.
  4. You will have direct responsibility for your own compliance with the GDPR and must be able to demonstrate a paper trail of compliance in your records.

So how will these changes impact your agency and what changes do you need to put in place to become compliant?

How Will GDPR Impact Recruitment Agencies?

Processes
The first action to take is to document your current processes. This means identifying how you collect, store and use candidates’ data as part of the recruitment/hiring process. Mapping out your registration/application process will allow you to identify where consent needs to be obtained and what information you must provide to the candidate. For example, under the new rules you must set out the purposes for which the data will be processed, how long it will be retained, and the candidate’s right to have personal data deleted or rectified.

In the past, many recruiters had a great deal of independence in how they used personal data; the new regulation narrows this grey area. By documenting your processes you will be able to see how your recruiters actually operate, giving you the opportunity to systemise your operations under a more diligent methodology.

The act of “speccing” candidates will also come under further scrutiny under the new regulation. GDPR does not allow personal data to be shared on the basis of implied consent, such as consent inferred from a job board’s terms: consent must be freely given, specific, informed and unambiguous, and must be shown by a clear affirmative action of the candidate (Article 4(11)). This may affect some recruitment processes, but best practice dictates that you should always wait for a candidate’s permission before “speccing” their CV.

Data Management
Having a centralised system that handles all of your candidate and client data is imperative under GDPR. Ensuring compliance with the upcoming regulation is much harder if your data is scattered across Excel, Word, Outlook and a recruitment CRM. By handling your data collection in one place, you and your recruiters can monitor how data is being collected, stored and used without ambiguity. This gives you the clarity you need to make the appropriate changes.

This is vital for GDPR because agencies must be able to provide the “paper trail” that documents the onboarding and data processes. So, as well as changing how you onboard candidates, you will need to make sure your Applicant Tracking System (ATS) or recruitment software is used to record the required activity. For example, you will need to be able to show when candidates were onboarded, what information was given, what consent was acquired and how the data was used.
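As an added example (not code from the original page, nor from Eclipse Software or Eclipse Recruitment Manager 4), the following Python sketch shows what the “paper trail” above and the Article 17 erasure passage earlier amount to in a system: consent is recorded separately for each processing purpose, consent without evidence of an affirmative action is rejected, every onboarding, consent, use and erasure event is appended to an audit log, and an erasure request is honoured unless a documented reason to retain the data is supplied. The purpose names, field names, method names and the sample candidate are all constructed for this example and do not correspond to any real product.

```python
"""Per-purpose consent ledger with an audit trail and Article 17 erasure.

Added example, not code from the original page or from any named product.
Purpose names, method names and the sample candidate are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Distinct processing purposes: consent for one never covers another (assumed names).
PURPOSE_APPLICATION = "application_for_named_vacancy"
PURPOSE_SPECCING = "speculative_submission_to_clients"
PURPOSE_MARKETING = "marketing_of_future_vacancies"


@dataclass
class AuditEvent:
    when: datetime
    actor: str                   # recruiter login, "candidate" or "system"
    action: str                  # onboarded, consent_given, consent_withdrawn, data_used,
                                 # use_refused, erased, erasure_refused
    purpose: Optional[str] = None
    detail: str = ""


@dataclass
class CandidateRecord:
    candidate_id: str            # pseudonymous key; the audit trail itself holds no personal data
    personal_data: Dict[str, str]
    consents: Dict[str, bool] = field(default_factory=dict)   # purpose -> consent currently held?
    audit: List[AuditEvent] = field(default_factory=list)
    erased: bool = False

    def log(self, actor: str, action: str, purpose: Optional[str] = None, detail: str = "") -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc), actor, action, purpose, detail))


class ConsentLedger:
    def __init__(self) -> None:
        self.records: Dict[str, CandidateRecord] = {}

    def onboard(self, candidate_id, personal_data, source, privacy_notice_version, actor):
        """Create the record; log where the data came from and which notice the candidate saw."""
        rec = CandidateRecord(candidate_id, dict(personal_data))
        rec.log(actor, "onboarded", detail=f"source={source}; privacy_notice={privacy_notice_version}")
        self.records[candidate_id] = rec
        return rec

    def record_consent(self, candidate_id, purpose, given, evidence, actor="candidate"):
        """Record consent (or its withdrawal) for ONE purpose.

        `evidence` must describe the candidate's own affirmative action (a ticked box,
        a reply about a named vacancy). Consent inferred from a job board's terms is
        not acceptable, so an empty evidence string is rejected outright.
        """
        if not evidence.strip():
            raise ValueError("consent needs evidence of an affirmative action; implied consent is not enough")
        rec = self.records[candidate_id]
        rec.consents[purpose] = given
        rec.log(actor, "consent_given" if given else "consent_withdrawn", purpose, evidence)

    def use_data(self, candidate_id, purpose, actor, detail):
        """Allow a use only if consent for exactly this purpose is held; log either outcome."""
        rec = self.records[candidate_id]
        allowed = not rec.erased and rec.consents.get(purpose, False)
        rec.log(actor, "data_used" if allowed else "use_refused", purpose, detail)
        return allowed

    def request_erasure(self, candidate_id, actor="candidate", retention_reason=None):
        """Article 17 request: erase unless a documented reason to keep the data is given.

        `retention_reason` is the controller's recorded justification (for example a
        legal obligation to retain); it is logged so the refusal can be evidenced later.
        """
        rec = self.records[candidate_id]
        if retention_reason:
            rec.log(actor, "erasure_refused", detail=retention_reason)
            return False
        rec.personal_data.clear()                       # remove the personal data itself
        rec.consents = {p: False for p in rec.consents}  # no purpose remains consented
        rec.erased = True
        rec.log(actor, "erased", detail="personal data removed; audit trail kept without personal data")
        return True

    def audit_trail(self, candidate_id):
        """Human-readable paper trail for one candidate, oldest event first."""
        return [f"{e.when.isoformat()} {e.actor} {e.action} purpose={e.purpose} {e.detail}".rstrip()
                for e in self.records[candidate_id].audit]
```

The design choice worth noting is that the audit log is keyed only by a pseudonymous candidate identifier and stores the evidence of consent, not the candidate’s personal data, so the trail that demonstrates compliance can survive the erasure it records. In a real system the ledger would be the CRM’s database and the evidence strings would be references to stored forms or messages.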

Documentation
The most fundamental impact for all agencies will be in updating their documentation, both internal and external. The internal documents used to induct new staff will need to be free of ambiguity, and current staff must be made aware of any changes to their daily activity. External documents such as onboarding contracts and policies will also need to be reviewed and revised to meet the increased requirements for stipulating consent and explaining how the data will be used.

To manage the delivery of these requirements, it may be necessary to appoint a Data Protection Officer or consult legal professionals because, ultimately, getting your recruitment agency “over-prepared” is worth the investment.


In summary, GDPR gives recruitment agencies the impetus to clarify their internal processes and to be more transparent with their candidates about how their information will be processed and used. By preparing your agency now and making the necessary changes, you can ensure your agency and your recruitment consultants comply with the upcoming regulation.

Need More Information On GDPR For Your Recruitment Agency?

Take a read of our other informative GDPR blogs:

  • A need to know guide which provides the answers to the 8 most frequently searched questions in Google about GDPR.
  • A GDPR compliance toolkit including the best online GDPR resources including some specifically for the recruitment industry.

Request our free GDPR eBook below for more detailed information on GDPR and how to centralise your data management all within one recruitment CRM system.
