Whether its data you capture from prospective clients or relating to the hundreds of CV’s you receive daily, as a recruiter you probably work with a range of sensitive personal data on an on-going basis.
It’s likely, then, that you’ve heard of GDPR. But what exactly is GDPR? How will it affect you as a recruiter? We’re answering all this and more in our Guide to GDPR for Recruiters, below.
What is GDPR?
The General Data Protection Regulation (GDPR) came into play on the 25th May 2018 and was created by the EU to ensure that personal data protection legislation is unified and strengthened in relation to the newer ways that personal data is used. The UK will still be bound by the regulation despite Brexit.
GDPR superseded the Data Protection Act 1998, and any organisation which ignores the regulations could be fined up to 4% of their annual global turnover or €20m – whichever is higher. Certainly reason to take note of GDPR and ensure that your organisation is compliant.
Who does GDPR apply to?
GDPR applies to both the data controller (the organisation that collects personal data, the recruitment agency, in this instance) and the data processor (the company that processes personal data on behalf of the controller, eg. an IT cloud service provider).
What is the purpose of GDPR?
The main purpose of GDPR is to allow data subjects to regain control over their own personal data. It aims to ensure that personal data is lawfully processed and where consent is relied on that the data subjects give their explicit consent for their personal data to be collected and used, as well as giving data subjects the right to ask for their data to be deleted or amended at any point.
According to the European Commission, ‘personal data’ applies to any information relating to an individual, whether from their private, professional or public life and many that apply to the process of finding new employment. Personal data can include:
- Home Address
- Email Address
- Bank Details
- Posts on social media networks
- Location data
- Medical information
- Computer IP address
How to prepare for GDPR as a recruiter:
1. Ensure everyone in your company who needs to know about GDPR is aware:
- Provide training to senior management and staff that handle personal data.
- Consider if your company requires the appointment of a Data Protection Officer (DPO) to take ownership. A DPO is a role required by GDPR in organisations which handle a large amount of personal data whether of employees, external data subjects or both as a core activity. The role of a DPO is to oversee the data protection strategy of the organisation to ensure it is complying with GDPR legislation.
- Ensure all departments take responsibility for any relevant updates needed to data capture, legal compliance or data processes.
- Update current policies and procedures and privacy notices to ensure compliance with the GDPR.
2. Set up a robust preferred supplier list:
- Work with third parties such as umbrella companies to ensure everyone understands the rules and is compliant. It is worth finding out what steps they are taking and how much they know about GDPR. If their knowledge is limited either work with them to understand more about their future plans or look to a provider that is compliant.
- Understand current processes and how or what may need to be updated.
Read our guide to Preferred Supplier Lists for more information.
3. Clarify the risk involved if you were to be found not to be compliant:
- How much would it cost if you were caught not following the new regulations?
- Where are the vulnerabilities in your systems and processes?
4. Understand how you process candidate data:
- Take a look at how your candidate data is processed and stored. Is it kept in spread sheets, in CRM software or within emails?
- Can you easily track the processing of this data and remove candidates? Following GDPR coming into play, you will have to delete personal data should a candidate ask, so ensuring you have a data deletion strategy in place will help streamline this process.
- Do you need to update privacy and data policies? Be transparent with how you will be using candidate’s data and always ensure that you are processing it on a lawful basis.
5. Ensure you get opt in approval or have another lawful reason to use data from candidates up front:
- Ensure that any online data capture forms have an ‘opt in’ button.
- If you market to them in future you will need to make sure that they have provided their express consent.
- Clearly express which partners you may pass data to and what they will do with this data. For example, if you work with umbrella companies or other organisations, make sure that candidates are aware that you will be passing on their data and let them know which data you will be giving to the third party.
For more information on GDPR
Whatever position data plays within your business, GDPR is important to bear in mind. For further information on the regulations, the Information Commissioner’s Office (ICO) have created a useful guide to GDPR.
How can Parasol help?
At Parasol, we pride ourselves on being fully compliant and have already taken steps to ensure we stay that way. If you’re looking to update your preferred supplier list to ensure you’re working with GDPR compliant umbrella companies, consider working with us.
DISCLAIMER: The information provided in this guidance is for information purposes only and does not constitute advice nor purports to be comprehensive or independently verified. The information contained in this memorandum has been prepared in good faith and with due care by Parasol, however, Parasol makes no representation, warranty, assurance or undertaking (express or implied) and no responsibility or liability is or will be accepted by the Parasol, its respective officers, employees, agents and affiliates in relation to the adequacy, accuracy, completeness or reasonableness of this guidance. It is the responsibility of any recipient/s of this guidance to obtain independent advice in respect of the matters addressed herein. All and any such responsibility and liability is expressly disclaimed. Therefore, the recipient/s of this guidance to the extent that they rely on the information contained herein do so entirely at their own risk.