
GDPR - 4 Things That Recruitment Businesses Should Prepare for Now

on Monday, 12 June 2017.

In just under 12 months' time, on 25 May 2018, the General Data Protection Regulation (GDPR) will come into force. The GDPR will make massive changes to UK data protection laws. How will your recruitment business be affected?

There will be a number of new obligations and fines of up to €20m or 4% of global turnover (whichever is greater) for organisations that do not comply.

The government has clearly stated that the GDPR will apply, and will continue to apply, regardless of Brexit. Put shortly, the GDPR is here to stay.

As recruitment businesses hold and use large amounts of personal data on their candidates, clients and staff, they will need to understand the GDPR and ensure their business is GDPR compliant prior to 25 May 2018.

Consent

Recruitment businesses normally rely on the individual's implied consent as the basis for processing their personal data.

For example, when a candidate submits their CV, this is generally treated as broad implied consent to use the candidate's personal data to put them forward for the specific roles they want to apply for and to carry out any processing which is ancillary to the recruitment business' services. Such ancillary processing includes adding them to the recruitment business' candidate database (which may be hosted by a third party cloud provider) and contacting them about future vacancies which the recruitment business believes may be of interest to them (perhaps many years later).

Under the GDPR, consent must be freely given. It must also be specific, informed and unambiguous, and requires affirmative action from the individual. Therefore, it will be much more difficult for recruitment businesses to rely on consent. In particular, the fact that an individual has not objected to their personal data being used in a certain way or has posted their personal data on publicly accessible professional and social media sites such as LinkedIn will not be sufficient to amount to consent.

Transparency and Demonstrating Compliance

The GDPR contains extensive requirements around record keeping and being able to show a paper trail of compliance.

You will also be required to include additional information in your privacy notices. For example, the notice must set out the purposes for which the data is going to be processed, how long the data will be retained, and must state the right to have personal data deleted or rectified.

There will also be a requirement to inform individuals about their right to complain to the Information Commissioner's Office (ICO), the data protection regulator.

Information Security

The GDPR expands on the obligation to take appropriate technical and organisational measures to keep personal data safe. It introduces mandatory breach reporting within 72 hours and, in certain circumstances, the individual may also need to be notified of the breach.

You will need to check that your contracts with your data processors (ie any third party who handles personal data on your behalf such as certain IT suppliers) contain clauses that provide the protection required by the GDPR.

Data Subject Rights

The GDPR makes significant changes to subject access requests, including shortening the time period to respond. It also clarifies existing rights such as the 'right to be forgotten', which will require you to delete data in certain situations. It also introduces various new rights including the right to 'data portability', which allows individuals to obtain a copy of their personal data in a commonly used and machine-readable format, and the right to transmit their data to another data controller (eg a rival recruitment business).

How We Can Help

Our Recruitment Sector team is experienced in advising recruitment businesses on GDPR. If you would like assistance with GDPR compliance, we would be happy to help.


For more information or for advice, please contact Serena Tierney in our Commercial Contracts team on 020 7665 0817.

 
