GDPR for Business: GDPR Compliance in the Recruitment Industry
The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and affects how companies across the world process and store the data of EU residents.
The recruitment sector is reliant on data—both business and consumer—so it’s vital that all recruitment agencies are GDPR compliant. Companies who are non-compliant can be charged 4% of their global turnover or €20 million—whichever is higher.
But not to worry! We’ll help clear up all the confusion around GDPR so that you can understand how to become GDPR compliant and take the weight of those hefty fines off your shoulders.
Before we get into the main details of GDPR, have a watch of this useful video from the Wall Street Journal, which sums up GDPR's main points in 3 minutes:
What is GDPR?
GDPR is designed to modernise laws that protect the storing and processing of personal data for EU residents. It replaces the previous 1995 Data Protection Directive, which the UK Data Protection Act 1998 was based upon.
You can find a more in-depth breakdown of the GDPR rules in our GDPR Guide for Businesses.
Clearing Up Some Confusion About GDPR and Recruiting...
All personal data that you collect and process from your candidates and companies is covered by the GDPR.
- Personal data is defined by the European Commission as “any information relating to an individual, whether it relates to his or her private, public or professional information. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”.
Individuals, companies and organisations who are ‘data controllers’ or ‘data processors’ for ‘data subjects’ are all bound by the GDPR. This covers most businesses, but to put it in recruitment terms, this means:
- Candidates and businesses are ‘data subjects’—candidates are data subjects because they can be identified through the personal data they give to recruiters and companies. For example, their resumes may include their names, addresses and date of birth, which can all be used to identify them. Under GDPR, companies are also treated as individuals, so any personal data relating to them is also covered under the new data protection laws.
- Recruitment agencies are ‘data controllers’—this refers to a person who determines the purpose for which and the manner in which any personal data is processed. This applies to recruiters who serve as their company’s main representative to candidates. They are data controllers because they are fully responsible for collecting and protecting candidate data and using it lawfully.
- Recruitment software/services are ‘data processors’—this refers to a person who processes the data on behalf of the data controller. This could refer to recruitment software, such as applicant tracking systems (ATS), as they process candidate data on behalf of your business and follow your company’s instructions. Alternatively, your recruitment company could be both the data controller and data processor.
The GDPR is full of terminology similar to the phrases above. Confusing, we know! That’s why we’ve put GDPR in clear, concise terms in the GDPR Guide we’ve written as part of our GDPR Toolkit for Businesses.
Pick Your Lawful Basis
Under GDPR, you must pick a lawful basis for storing and processing data. The six lawful bases under GDPR are:
- Consent—the individual has given clear consent for you to process their personal data.
- Contract—the processing is necessary for a contract you have with the individual, or because they’ve asked you to take specific steps before entering into a contract.
- Legal Obligation—the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital Interests—the processing is necessary to protect someone’s life.
- Public Task—the processing is necessary for you to perform a task in the public interest, and the task has a clear basis in law.
- Legitimate Interests—the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
You can choose a different lawful basis for different types of data, but you can't pick one then change your mind. If you pick consent as your lawful basis, you cannot then change to legitimate interest later on, even if that basis may suit your business better.
The two most relevant legal bases for recruitment companies are consent and legitimate interest.
You Choose: Consent
In recruitment, obtaining consent means allowing your data subjects to have complete control over whether they choose to share their personal data with you, what they share with you and what you’re allowed to do with the data they share.
- In the Consent Agreement Clause, include:
  - Why you’ll be storing your data subjects’ information.
  - What you plan to use it for.
  - If you’ll be sharing their data with third parties (and who they are).
  - That they have the right to be removed at any time.
- The answers you could provide:
  - To help your candidates find a new job, and to help your companies find appropriate candidates.
  - To match your candidates with a suitable role and employer, and to match your companies with great candidates.
  - Guarantee that you’ll notify your data subjects before sharing their data with any third parties, and tell them which third parties you’ll be sharing their data with.
  - State that your data subjects have the right to be forgotten and removed from your company database.
If you change your privacy terms to make them GDPR compliant, then you’ll need to ask your existing data subjects to pledge their consent under your new policy. Many subjects may choose not to pledge their consent, which means that using consent may lead to losing a lot of existing contacts in your database.
You Choose: Legitimate Interest
To use legitimate interest as a legal basis, you need to show that you’re using subject data in a way someone would reasonably expect, and demonstrate a valid justification for their data being processed.
To establish whether you can use legitimate interest as a legal basis for processing data, it is recommended you carry out a ‘Legitimate Interest Assessment’ (LIA). This includes answering three main questions:
- What is the legitimate interest you have to process the data?
- Can you show that processing the data is necessary to achieve what you need to do?
- Could processing the data affect the rights or freedom of the person?
In recruitment, the reason for using legitimate interest could be quite simple: you’ll have a legitimate interest in processing a candidate’s data so that you can help them find a job, and an interest in processing company data to help them find candidates!
Whilst it may sound obvious, you may need to later demonstrate to the ICO that you've gone through the necessary internal steps to identify your legitimate interest.
If you rely on legitimate interest as your legal basis, you’ll need a privacy statement on your website that includes the following:
- A statement saying that you’re relying on legitimate interest as your legal basis.
- What your legitimate interest is.
Some Extra Useful GDPR Tips
- When a subject’s data is no longer needed, the subject has the right to request that it be erased. Working out a structured workflow to enable them to do so is very useful, and will save you a lot of time.
- You should keep proof of your contacts’ agreement to share their details with a third party. These third parties must also be GDPR compliant. Automating this agreement process will save you time, and will make it easier for when you have to inevitably do so in the future.
- A simple way to ensure the consent or legitimate interest of your candidates is to give them the ability to access their own profiles and job-related activities through a candidate portal.
- Security, and making sure your subjects’ data is safe against any data breaches, is a big part of GDPR. Some of the security measures you’ll want to oversee are as follows:
  - The strong encryption of personal data records.
  - Ensuring confidentiality is maintained, as well as the availability and reliability of data processing systems.
  - If an incident occurs, being able to restore personal data in a swift manner.
  - Having a procedure in place to regularly test the effectiveness of your security measures.
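A small processing register, added here as an illustration (it is not code from the original article or from any product it mentions), that turns the rules above into checks: each category of data is tied to one lawful basis that cannot be swapped later, every record carries its purpose and a log of third-party sharing decisions, and an erasure request removes a subject's records while keeping a count as proof. The class name, the category labels and the subject identifiers are constructed for the example.

```python
from datetime import datetime, timezone

# The six lawful bases listed above; each category of data is tied to exactly one.
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests"}

def _now():
    return datetime.now(timezone.utc).isoformat()

class BasisLocked(Exception):
    """A category's lawful basis cannot be swapped once it has been chosen."""

class ProcessingRegister:
    def __init__(self):
        self.basis_by_category = {}   # category -> lawful basis, fixed once set
        self.records = {}             # (subject_id, category) -> record dict
        self.erasures = []            # (timestamp, subject_id, records removed)

    def set_basis(self, category, basis):
        if basis not in LAWFUL_BASES:
            raise ValueError(f"unknown lawful basis: {basis!r}")
        current = self.basis_by_category.get(category)
        if current is not None and current != basis:
            raise BasisLocked(f"{category!r} already relies on {current!r}")
        self.basis_by_category[category] = basis

    def collect(self, subject_id, category, purpose):
        # Every record states why it is held and under which basis it was collected.
        if category not in self.basis_by_category:
            raise ValueError(f"no lawful basis chosen for {category!r}")
        rec = {"purpose": purpose, "third_parties": [],
               "events": [(_now(), "collected", self.basis_by_category[category])]}
        self.records[(subject_id, category)] = rec
        return rec

    def share(self, subject_id, category, third_party, agreed):
        # Log the decision either way so proof of agreement (or refusal) is retained.
        rec = self.records[(subject_id, category)]
        rec["events"].append((_now(), "share_agreed" if agreed else "share_refused", third_party))
        if agreed:
            rec["third_parties"].append(third_party)
        return agreed

    def erase(self, subject_id):
        # Right to be forgotten: drop every record for the subject; keep only a count as proof.
        keys = [k for k in self.records if k[0] == subject_id]
        for k in keys:
            del self.records[k]
        self.erasures.append((_now(), subject_id, len(keys)))
        return len(keys)
```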
We hope this blog helped clear up some confusion about GDPR and how the recruitment industry is affected by the new data protection laws in place.
GDPR is an incredibly complex issue that affects industries across the board, but fortunately, we have a whole host of GDPR content to guide you through everything. Download our GDPR Toolkit for Businesses, and you’ll receive a:
- Infographic on Consent and GDPR
- eBook on GDPR Compliance
- Link to a free GDPR & Inbound Marketing Consultation