What effect is the introduction of the GDPR set to have on staffing?
Mark Elwig
Commercial Lead, EMEA @ Agmatix | Field Trial Software & Sustainability Solutions
Unless you’ve been living in a cave, you’ll know about the imminent arrival of the General Data Protection Regulation (GDPR). When it comes into force on 25 May this year, it will effectively press reset on the rights individuals hold over their data, and the obligations on companies who collect, use or store that information.
We’ll avoid recapping the entire history of the GDPR and its journey to becoming law – if you’d like to know more about the background and the specifics of GDPR from the horse’s mouth, you’ll find it here, at the Information Commissioner’s Office.
There’s virtually no industry that won’t be affected by GDPR, but some sectors will find its impact stretches further and deeper than others. Given that it deals very specifically with people and their personal information, the staffing and recruitment sector - and in-house recruitment departments - are about to find that the GDPR affects almost every aspect of their work. Here’s how:
Recruiter responsibilities
The GDPR sets out a number of responsibilities relating to the mechanics of holding, controlling and processing data, and the steps to take in the event of a data breach. It also confers rights on individuals whose data you hold or process. Not all appear immediately and widely applicable to recruitment (rights to data portability, objection and restriction are perhaps less likely to affect staffing companies than other sectors), but many of the provisions will have a direct and dramatic effect:
The right to be informed
Where you collect and process candidate data, you need to provide “fair” information about the way you handle it. This should be done via a privacy notice which needs to be more comprehensive, more accessible and easier to understand than its equivalent version in the Data Protection Act.
The privacy notice must be easily accessible and explain what data you keep, how long you’re keeping it for and what you’re doing with it. It must provide information about any third party usage and remind candidates of their rights. You can find a complete list of requirements for your privacy notice here, and note there are slight variations depending on whether you are gaining information direct from a candidate (e.g. via your own online data capture form) or whether you use information sourced from third parties.
Right of access
Recruiters will need to make all the data they hold on a candidate (or anyone else) available on request, for free and within one month. Importantly, this doesn’t simply affect, for example, an applicant’s online CV or profile. Whilst the candidate must have the right to access and edit their personal information, they also have the right to know how you use other data you hold about them – which may include communications from them, log-in histories and the way you use their details for marketing purposes.
Right to rectification
When a candidate asks you to update or amend the information you hold about them you must do so within one month. For recruiters, the simplest way to avoid creating a vast amount of admin work is to invite candidates to amend their own records, although if your system isn’t set up for individual and secure candidate access, you may have significant hurdles to overcome here.
Right to erasure
Popularly known as the right to be forgotten, this right enables a candidate to ask for deletion of all data you hold about them in certain circumstances. You can find the full list of criteria here but perhaps the most significant one is that the individual can simply withdraw consent to hold and use their data. In practice, that makes this right virtually limitless (the candidate doesn’t need to show that they have been damaged by the way you have handled their data in order to request its deletion), although there are circumstances – listed in the above link – where you may be able to legitimately refuse to comply.
Automated decision making
If your recruitment system uses some form of automated decision making or profiling software then there’s an additional set of requirements which vary depending on whether your process is wholly or partly automated.
Amongst the steps staffing companies and departments will need to take are collecting only the information required, having a legal basis for carrying out the activity, and providing clear, direct links to privacy statements and methods of enacting rights to change and delete information. Again, you can find the full requirements here.
Opportunity or burden?
At the time of writing we’re less than two months from GDPR go-live, so most recruiters will already be well on their way to having their houses in order. It’s certainly something we’ve been preparing for over the past year. How recruiters have responded has largely been dependent on their view of the GDPR. Either it’s a bureaucratic faff and a logistical nightmare, in which case they’ve perhaps been more likely to drag their feet on implementation, with the fear of (significant) penalties outweighing the benefits of compliance.
Or, like us, they’ve seen it for what it really is: an opportunity. The GDPR is a golden opportunity to build trust. To show how responsible your organisation is. To show its commitment to doing things the right way. And to show how it acts fairly and transparently.
When so much criticism is levelled at the cavalier way businesses from every sector sometimes deal with data, the GDPR represents a line in the sand. It’s a chance for the recruitment industry to show that we take seriously responsibilities that stretch far beyond simply matching great candidates with great clients.