GDPR In Recruitment, Should We Panic?

Whether you like it or not, The General Data Protection Regulation (GDPR) is coming. With less than 100 days until it is officially implemented, organisations across the EU are going all out to prepare for this new data protection law. While this 88 page legal document can seem rather daunting to even the most experienced businessmen, it is not as complicated as you might think.

The question on every recruiter’s mind is – How is this going to impact candidate sourcing, recruitment processes and data management? The truth is that even though some people might have you believe that the new law means ‘the end of recruitment’, this is an over exaggeration to say the least. While there are serious implications and non- compliance can lead to hefty fines of up to 4% of global annual turnover or €20 million (whichever is greater), if your company is already complying with the current Data Protection Act (DPA), you will be majorly compliant with the new law as well.

What is the GDPR?

The objective of the GDPR is to standardise the data protection law across all 28 EU countries and impose new rules on controlling and processing personally identifiable information (PII). The GDPR will replace the 1995 EU Data Protection Directive, and comes into effect on May 25, 2018. It also replaces the 1998 UK Data Protection Act.

One thing is for sure, the new law will hugely impact and change the way data is collected, stored and used. One of the features of the new law is that it applies to all organisations that are processing data belonging to EU residents. What this means is that if an organisation offers goods or services to EU residents, it must be compliant with the GDPR as well.

How does GDPR impact the Recruitment Industry?

It’s no secret that the recruitment industry heavily relies on data to evaluate candidates by assessing their various social media profiles, online resume databases, records of employment, applications, and tests. This filtering of data is an intrinsic part of the recruitment process and it allows recruiters to narrow down the talent pool.

Consent is paramount

Under this new data protection law, consent will be a key factor in determining your organisation’s compliance. While most of us have been compliant under the previous laws, the new law sets the bar much higher with regard to way the consent is obtained and the extent to which it protects the privacy rights of individuals.

Recruiters will have to be more diligent than ever before when obtaining consent from candidates and processing personal data. Additionally, recruiters will have to demonstrate that the candidate has consented to the data processing by keeping records of what the candidate has consented to, what they were told and how and when the candidate consented. In effect, an audit trail of the entire process will have to be diligently maintained.

Seeking consent clearly & explicitly

The GDPR requires that recruiters are absolutely transparent about how data will be used and stored. Recruiters have to ask for explicit consent, clarify how an individual’s data will be used and ensure the data remains secure. In addition to this, candidates have the right to review and access their data whenever they like, and also request for full erasure of all data. This is being called ‘the right to be forgotten’ and it implies that candidates can ask for their data to be erased when it is no longer valid for the original purpose.

This feature of the law will have important implications for companies relying on Applicant Tracking Systems, because even after a candidate has been rejected from a job, he or she can request to be deleted from the system, meaning the recruiter will no longer have access to that data for other purposes, such as advertising other jobs.

The best way to overcome any compliance issues is to explicitly state the intended use of data on your company website or social media, and more importantly, make sure the candidates agree to the data being used for any additional purposes. The last and most crucial step in this process is that you store this consent and create a concrete record of it. This may require changes to the current registration processes on your website.

Overhauling documentation, reviews and data management

One sentiment to live by as your recruitment agency navigates the finer details of this new law is ‘Over Preparation’. There has never been a better time to be extremely diligent and conscientious about paperwork. From updating recruitment processes, to revamping internal and external documentation, there is a lot that is going into the preparation for the GDPR.

To avoid non-compliance and the subsequent penalties, all internal documents that are used to induct new staff will have to be free from ambiguity. Other documents relating to onboarding and contracts should be reviewed and wherever necessary, revised to meet the new laws regarding consent and data usage.

Some organisations are opting to appoint a Data Protection Officer to ensure that their agency is ready in time and no minute detail has been overlooked.

Gone are the days when different staff members could use different methods of collating and storing data, using a combination of online tools, Microsoft Excel, The Cloud etc. A standardised data management system is the need of the hour with the GDPR kicking in next month.

If you and your team have been diligently preparing for the GDPR, you have no reason to panic, and post the 25th of May, while there will be a few hiccups along the way, it should be business as usual.