In a recent survey conducted by Invenias, it appears that 85% of recruitment agencies are not yet actively planning for the General Data Protection Regulation (GDPR). The survey also revealed:
- 30% of agencies have not yet taken steps to prepare for the GDPR
- 55% have started to think about how they might prepare for the GDPR
- Only 15% are actively planning for the GDPR
Like it or not, the GDPR is coming. If you operate in the EU, have clients that operate in the EU or process data of EU citizens you will need to comply with the new regulations by 25 May 2018.
These changes will have a significant impact on recruitment agencies. Therefore, if you are putting off thinking about the GDPR, we really recommend you start now. Agencies that show genuine intent to make changes and bring their agency into compliance will be a lot better off than those who do nothing. Remember, a breach of the new regulations could result in fines of up to 4% of global annual turnover or €20 million (whichever is greater).
How to comply with the GDPR?
1. Complete an audit of your data
What data do you currently hold, where do you hold it and why? You also need to assess how regularly you review the data for accuracy, how long you keep it and whether you can easily react to requests from your candidates. For example, individuals will have "the right to be forgotten" and the "right to object", which will allow them to object to their details being used, shared or held. Will you be able to respond to requests such as these and provide proof of your response? (Note: personal data isn't just a person's email address; it also includes things such as IP addresses and location information.)
2. Only contact someone using the channel they provided
Ensure you are only using the medium you are authorised to use when contacting clients and candidates. You are obliged to contact an individual only through the channel they have opted in to.
3. Delete unsubscribers
Unsubscribers are not to be contacted under any circumstances. If a candidate has actively asked to unsubscribe, you cannot contact them again, even if it is just to ask whether they wish to be subscribed back to your content.
4. Inform your organisation
Alert everyone. Make sure that everyone in your agency, especially those who have access to your data, is aware of the GDPR. Otherwise you will be held directly responsible if your employees are still emailing or phoning candidates when they should not.
5. Review relationships
You also need to review your relationship with your clients and with any suppliers or job boards you use. They will also be affected by the GDPR, and this may in turn affect your relationship with them.
6. Reconsent your active users
Using the medium that the individual has consented to, ask candidates if they would like to remain on your database. You can also use this as an opportunity to ask if they would like to be kept up to date via other forms of communication. (Please note: if you do not have evidence that you are permitted to contact an individual, be careful about asking them to opt in, as this is still seen as a form of processing data, which is unlawful if the person has not authorised it.)
7. Data Protection Officers (DPOs)
You must appoint a DPO if you:
- Are a public authority
- Carry out large-scale systematic monitoring of individuals (e.g. processing personal data for behavioural advertising)
- Carry out large-scale processing of special categories of data (e.g. sensitive personal data, such as ethnic origin, religious beliefs etc.). This applies even if candidates give you this information voluntarily.
If you are not required to appoint a DPO you should document and keep records of everything you do to prepare for the GDPR.
8. Safety, encryption and risk
With data protection soon to be stricter, your internal processes should be too. Take extra precautions to ensure that data is safeguarded and make sure regular tests take place. We also recommend you have a breach response plan in place.
9. Establish retention periods
Over the course of time, some users will become inactive or unresponsive. Establish retention periods so you can keep candidate information accurate and your database responsive.
10. Put in place privacy notices
Once you have assessed all of the above, make sure you clearly communicate to your clients and candidates what data you are capturing and why.
We advise that by May 2018 you ensure your agency can demonstrate that you are abiding by the new regulations and can show the process/plan you have put in place to make your agency compliant.
For further support and advice on how to comply with the GDPR, register for our GDPR webinar.
Raffingers Chartered Certified Accountants