Unless you’ve been hiding under a rock for the last year or so, you will have heard of the changes soon to happen to how everyone manages data: the European Union’s General Data Protection Regulation (GDPR). GDPR will replace the current Data Protection Act (DPA) with the aim of giving people ultimate control of their personal information through the unification, within the EU, of data usage regulation.
Every industry will be impacted by the changes, however for the recruitment industry the effect will be huge as candidate data is at the heart of everything we do. The new legislation will give job seekers and candidates unparalleled rights on how their personal information is gathered, managed and stored.
The details
GDPR is being introduced in May 2018 to protect European Citizens’ personal data and will be compulsory for all organisations, even those outside the EU, who handle the personal data of any EU resident. It is a complicated piece of legislation with an 88 page legal document and numerous articles and clauses; though simply it is about consent. Any organisation who uses the personal data of an EU citizen will have to have gained their consent prior, or they will be breaking the law and could face fines of up to €20 million. For the UK the legislation will not be influenced by Brexit.
So what is personal data?
The European Commission has said:
“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
So it’s not just about handling personal data such as names, addresses and CVs its goes that step further to cover any data held that covers race, ethnicity, religion or even a simple photograph. If you handle and store data about people, you are responsible for its safe keeping and security as well as ensuring the right people have access to it. You also need to apply the necessary control over how you share this information with others, as again you will be held responsible for how third parties use and protect the data.
Key elements that will affect recruitment
It’s all about consent - one of the fundamental changes is around explicit consent. It will need to be explicitly clear when data is being collected and how it will be used. You can’t have a tick box that covers everything with lots of terms and conditions in small print. You will need to be able to prove that the person whose data you hold has agreed to have their data collected, stored and used.
Access requests - GDPR puts the power back in the hands of the individual therefore if you receive an access request, where an individual requests to know what data you hold about them, you have to provide the information within one month and you cannot request payment for doing so. Allowing candidates access to review and update their data at any time, with the option to ask for updates, will also be key.
The right to be forgotten - Companies will need to make sure that everyone is given the ability to withdraw their consent to being contacted at any time and are given the right to be forgotten. This means that individuals can ask for their personal data to be deleted from your system at any time.
The paper trail - One of the most significant criteria of GDPR will be the need for a ‘paper trail’ regarding your data management. It is paramount that you have a centralised system that handles all candidate data and allows the monitoring of how data is being collected, stored and used.
There is no doubt that the new legislation will give candidates greater control and will hold those businesses that work in the recruitment sector more accountable: which doesn’t have to be a bad thing. Those businesses that organise themselves and implement the new processes in an efficient and effective way can only make the candidate experience a better one: which let’s face it is better for everyone within the recruitment sector.