The General Data Protection Regulations (GDPR) come into force on 25th May 2018, which seeks to protect the personal data of all EU citizens. The regulations will give EU citizens new rights including the “right to be forgotten” or “how their data can be processed”.

It is fair to say that the importance of GDPR is only beginning to be understood by organisations. But with less than one year before GDPR becomes law a recent online survey conducted by YouGov in the UK discovered that  71% of UK organisations have still not started to prepare or consider its impact on their business.

Let’s start by reminding you that any breach of GDPR can expose an organisation to fines of up to €20m or 4% of their global annual turnover. History shows that for any new legislation to be taken seriously the regulator, in this instance Elizabeth Denham – Information Commissioner,  will surely focus her activities on industry verticals where abundant personal data needs better governance.

Once such sector is human resources and the recruitment industry.  Do any of these scenarios sound familiar?

• After posting a vacancy on LinkedIn within days numerous CV’s were emailed to me from multiple recruiters
• I have just received an unsolicited approach by a company who had my CV on their file
• A candidate hire via a recruitment firm has now being re-approached by the same recruitment offering them a new role with another company
• I received an unsolicited email from directly from a candidate attaching their CV.
• I have been asked to record a video answering questions raised and been told to upload so it can be sent to potential employers.
• I want to make an offer to a candidate please can you email me his full name, address date of birth and email.
• The recruiter has asked me to cc them on the offer letter and contract of employment

Let’s explore the impact of GDPR on scenarios such as those above and look at what companies need to start doing now to drive compliance and reduce the regulatory risk on human resources and the overall recruitment process.

1. Data protection beyond GDPR

Forty-four percent of UK businesses surveyed by Crown Records Management cancelled their GDPR preparations when the UK voted for Brexit. Not only is GDPR going ahead, but the government is planning additional data protection measures to data held by social media platforms, as it announced in the Queen’s Speech.

Recruitment is an integral part of all organisations and companies, large and small, must take notice of this regulation and start preparing for its enforcement.  Anybody involved in the recruitment process should now be assessing what personal data is captured, how is it collected, where is it stored and how is it used throughout the recruitment process. Existing workflows were never designed to be compliant with GDPR and now the simple act of sending a CV to a third party without the candidate’s consent could be deemed a data breach.

2. Informed consent

The common practice of maintaining unsuccessful CV’s on file for future roles will need to be reconsidered under GDPR. Recruiters and HR departments will now need to prove the specific consents the candidate has given. It will no longer be sufficient just sending them an email saying you planned to keep a copy of their CV on file or asking them to sign up to terms and conditions before you would engage. Every recruiter, online job board etc. will need to re-visit their consent process to ensure it is compliant with GDPR.  Recruiters won’t be able to use personal data of anyone who hasn’t given consent. They will only be able to contact candidates who have opted-in.

How many years of CV’s does your business have on file? Is this data being used for anything? How much of it can be deleted before the deadline? How much of it needs consent? These are all questions that recruiters must find the answers to before May 2018.

3. An individual’s right to access their data

The driving force behind GDPR is to protect individual’s personal data and give individuals greater, and more powerful rights in how their data is collected and used.    Employers need to be far more transparent in how personal data relating to an individual is sourced, why it is collected and how it will be used.

Recruiters, not only need to implement informed consent but will need to provide employees with access to their personal data so that they can ensure that it is accurate and updated as necessary.  Individuals also have the right to access all the data that is held on them and to know where that data has been distributed and used.

4. The Right to be Forgotten

The Queen’s Speech reinforces GDPR’s stance on the Right to be Forgotten. Candidates will be able to request the deletion of their data, and barring exceptional circumstances, recruiters will need to comply.

For example, a candidate that gets a job through the agency can then request data deletion, the business would then need to prove that retaining the data is a business necessity or would delete the data as requested. However, picture the scenario where a recruitment agency has sent a candidate’s CV to 5 different companies, within that company the CV has then being sent to the relevant heads of business which has now resulted in multiple copies of the CV – how can the recruitment agency be certain that ALL copies of that CV are now deleted within the organisations that received the CV?  This will be a key challenge and will need a shift change in how content is shared both from a technology and a human behaviour perspective.

5. Assessment of automated processes

Many recruiters rely on automated processes to make their jobs easier, but how much do candidates know about them?

For example, a person may apply for a vacancy that says ‘2:1 degree preferred’ because they have great work experience in a similar role, but they got a 2:2. Yet the application goes into a programme that filters out anything below a 2:1. Are candidates aware of this process? Do they know that they aren’t being assessed as a person, but on individual data points?

Under GDPR, recruiters will need to practice informed consent by being transparent about their workflow processes and how personal data is impacted.

6. Changes to business management

Recruitment agencies will need to maintain an audit trail to prove how CV’s have been sourced and exactly what permissions were obtained in relation to that CV.

All applications of data will require approval from the individual. If consent is denied, the data cannot be used. Candidates will also have the right to access and remove the data any organisation holds on them, if that data isn’t protected by another law.

Recruiters will need to carry out a full assessment of their current processes, systems and procedures, and plan what changes will be needed before GDPR comes into force.

Ten questions to ask

1.     What data does the business hold?

2.     Do people know that the data is being collected? Do they know why?

3.     Is all the data the business holds relevant?

4.     Where is it stored and what processes are in place to safeguard it?

5.     Who has access to it?

6.     Where did the business get the information?

7.     How is the business managing the risk of sharing personal data, such as CVs, with multiple 3rd parties?

8.     What kind of checks does the business have in place?

9.     Can the data be copied and stored elsewhere? How does this impact the ‘right to be forgotten’?

10.  Have candidates who don’t want their data passed on to third-parties had instructions followed?

Conclusion

GDPR cannot be ignored because the cost of non-compliance may prove to be catastrophic to businesses.  There is no doubt that it is going to be challenging across all sectors and business functions, not least HR.   However,  organisations must start acting now and getting ready before it’s too late and with only 29% of UK organisations reported to have started on their GDPR preparations there is a lot still to be done!