The recruitment sector is set to be one of the hardest-hit casualties of the forthcoming General Data Protection Regulation (GDPR), because of the large volumes of data it handles both at a transactional level and, more significantly, at the deeper level of engaging with candidate data.
Make no mistake, complying with the GDPR is no small undertaking - it will require all recruitment businesses to overhaul their current cyber-security and data protection practices. There’s a lot to get through and, unless you’re ready by 25 May 2018, one thing you’ll no longer be allowed to do is process candidate data without a lawful basis under Article 6. Where that basis is consent, as it will be for most candidate marketing, the consent must be active, purpose-specific and opted-in - pre-ticked boxes and silence no longer count.
A survey by data management firm Veritas has revealed that fewer than one third of organisations believe they are ready for the GDPR. Failure to comply with the GDPR will incur steep penalties - up to four percent of your annual global turnover or €20M, whichever is higher - far above the current maximum fine the Information Commissioner’s Office (ICO) can levy.
And the GDPR is not an easy read. Its 99 Articles and 173 Recitals can be somewhat overwhelming!
At Volcanic, we’re here to help. We realised early on that, while focusing on the compliance of our own platform and ensuring that we, as a vendor partner, are GDPR-ready, we have a responsibility towards all our customers to support their compliance too.
Your website may present a potential risk
As a provider of websites and job boards to the recruitment industry, we have not only committed to all our customers that our platform will be fully GDPR compliant, but also that we’ll support them in their own journey towards GDPR compliance. Your website is, after all, potentially one of the highest risk areas of your business because of the large volumes of data it handles.
We have conducted a full data protection impact assessment (DPIA) of our platform that follows the requirements set by the GDPR guidelines. As a result, we’ve taken our platform back to design and development to produce new compliance modules that are built with the GDPR principle of data protection by design and by default (Article 25) at the core.
Putting the candidate first
Rather than introduce new complexities, we have quite simply gone back to our system’s roots to build in the requirement of privacy by design. We’ve developed a new self-service candidate dashboard that not only represents a huge time and cost saving in terms of your data management, record-keeping, tracking and accountability, but also significantly reduces the margin for error - and blame - by allowing candidates to manage their own data. Everything is captured and logged and can, critically, be traced back to its source and reported on.
So how does that help me as a recruitment agency?
Under the terms of the GDPR, an individual can at any time make a Subject Access Request (SAR), which means you must, by law, provide to them a copy of all the personal data you hold on them together with the supporting information (the purposes, recipients, retention period and source of the data, and any consent records), having first checked, where you have reasonable doubt, that they are indeed that person - without undue delay and in any event within one month of the request (extendable by a further two months only for complex or numerous requests), in a commonly used format that they can use, AND then log that you have carried out their request. Note that the 72-hour deadline you may have heard about belongs to a different obligation: reporting a personal data breach to the ICO.
Are you confident you can do all this? Because you’ll need to be able to long before 25 May 2018 - unless you’re prepared to delete all data for which you have no lawful basis to process it.
What do I have to do if I get a subject access request?
An individual may exercise any of the eight rights set out within the GDPR. Take a deep breath. They have the right to be informed of the purpose for which you’re holding their data, to access their data, to have it corrected, and to have it deleted under their ‘right to be forgotten’ (which includes telling every recipient you have passed the data on to that they must delete it as well), to restrict processing of their data, to have their data supplied to them or to a third party (in a structured, machine-readable format!), or to object to your processing their data. Where the processing is direct marketing, you have no grounds for refusal of that objection: you must stop. They can also object to decisions based solely on automated processing that significantly affect them - which will likely have a huge impact on your marketing and screening strategy if you use automated workflows, for example.
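The points above - purpose-specific consent, a consent record that can be traced back to its source, an access request answered within one month only after identity has been checked, and an objection to marketing that simply cannot be refused - are easier to reason about as a small piece of working code. The following is an added illustration written for this article, not code from Volcanic’s platform; the class and function names, the two purposes and the candidate identifiers are hypothetical, and the candidate’s timeline is constructed. It keeps an append-only ledger of consent events with their provenance, replays the ledger to decide whether processing is currently allowed, computes a SAR deadline of one calendar month, refuses to release data until identity is verified, and logs the fulfilment itself.

```python
"""Consent ledger with SAR export. Added illustration for this article, not
Volcanic's platform code; all names here are hypothetical.
Rules encoded: consent is purpose-specific (Art. 6(1)(a), 7); a subject can
withdraw consent or object at any time (Art. 7(3), 21); a SAR is answered
within one month of receipt (Art. 12(3)); identity is checked before data is
released (Art. 12(6)); the fulfilment is itself logged (accountability)."""
from __future__ import annotations

import calendar
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

PURPOSES = ("job_matching", "direct_marketing")   # hypothetical purposes


@dataclass(frozen=True)
class Event:
    """One append-only ledger entry; entries are never edited or deleted."""
    at: str              # ISO-8601 UTC timestamp
    subject: str         # candidate identifier
    kind: str            # consent_given | consent_withdrawn | objection | sar_received | sar_fulfilled
    purpose: str | None  # None for SAR events, which are not purpose-specific
    source: str          # provenance: which form, page or channel produced the event


def one_month_after(d: datetime) -> datetime:
    """Corresponding calendar date next month, or that month's last day if there is none."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return d.replace(year=year, month=month, day=min(d.day, calendar.monthrange(year, month)[1]))


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[Event] = []

    def _append(self, subject: str, kind: str, purpose: str | None, source: str, at: datetime) -> None:
        self._events.append(Event(at.isoformat(), subject, kind, purpose, source))

    def events_for(self, subject: str) -> list[Event]:
        return [e for e in self._events if e.subject == subject]

    def give_consent(self, subject: str, purpose: str, source: str, at: datetime) -> None:
        if purpose not in PURPOSES:   # blanket consent is not consent: a purpose must be named
            raise ValueError(f"unknown purpose {purpose!r}")
        self._append(subject, "consent_given", purpose, source, at)

    def withdraw_consent(self, subject: str, purpose: str, source: str, at: datetime) -> None:
        self._append(subject, "consent_withdrawn", purpose, source, at)

    def record_objection(self, subject: str, purpose: str, source: str, at: datetime) -> None:
        # Art. 21: an objection to direct marketing cannot be refused, so it is
        # recorded unconditionally and stops processing for that purpose.
        self._append(subject, "objection", purpose, source, at)

    def may_process(self, subject: str, purpose: str) -> bool:
        """Replay the ledger: the latest event for (subject, purpose) wins.
        No record at all means no consent, so processing is refused."""
        allowed = False
        for e in self._events:
            if e.subject == subject and e.purpose == purpose:
                allowed = e.kind == "consent_given"
        return allowed

    def receive_sar(self, subject: str, source: str, received_at: datetime) -> datetime:
        """Log receipt of a subject access request and return the one-month deadline."""
        self._append(subject, "sar_received", None, source, received_at)
        return one_month_after(received_at)

    def export_sar(self, subject: str, identity_verified: bool, channel: str, at: datetime) -> str:
        """Return a machine-readable copy of everything held on the subject, then
        log the fulfilment. Refuses outright if identity has not been verified."""
        if not identity_verified:
            raise PermissionError("verify the requester's identity before releasing data")
        package = {
            "subject": subject,
            "records": [asdict(e) for e in self.events_for(subject)],
            "consent_state": {p: self.may_process(subject, p) for p in PURPOSES},
        }
        self._append(subject, "sar_fulfilled", None, channel, at)
        return json.dumps(package, indent=2)


def run_demo() -> dict:
    """Walk one constructed candidate through consent, objection and a SAR."""
    t0 = datetime(2018, 1, 31, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    ledger = ConsentLedger()
    ledger.give_consent("cand-42", "job_matching", "careers-site apply form", t0)
    ledger.give_consent("cand-42", "direct_marketing", "careers-site apply form", t0)
    ledger.record_objection("cand-42", "direct_marketing", "candidate dashboard", t0.replace(month=2, day=3))
    deadline = ledger.receive_sar("cand-42", "candidate dashboard", t0)
    refused = False
    try:
        ledger.export_sar("cand-42", False, "email", t0)      # identity not yet checked
    except PermissionError:
        refused = True
    blanket_rejected = False
    try:
        ledger.give_consent("cand-42", "anything", "legacy import", t0)
    except ValueError:
        blanket_rejected = True
    package = json.loads(ledger.export_sar("cand-42", True, "dashboard download", t0.replace(month=2, day=10)))
    return {
        "marketing_allowed": ledger.may_process("cand-42", "direct_marketing"),
        "matching_allowed": ledger.may_process("cand-42", "job_matching"),
        "unknown_allowed": ledger.may_process("cand-99", "job_matching"),
        "sar_deadline": deadline.isoformat(),
        "unverified_refused": refused,
        "blanket_consent_rejected": blanket_rejected,
        "exported_kinds": [r["kind"] for r in package["records"]],
        "last_logged": ledger.events_for("cand-42")[-1].kind,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design choices are worth noting. The ledger is append-only and replayed rather than updated in place, so every answer to “may we email this candidate?” can be traced back to the exact event and source that produced it, which is what an auditor or the ICO will ask for. And the export refuses to run until the caller asserts that identity has been verified, so the check cannot be forgotten by a downstream screen that simply calls the export.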
And if the candidate believes their data has been used inappropriately they are perfectly entitled to report you to the ICO. We don’t recommend risking it!
What to do next?
Download your free guide to GDPR for Recruitment Agencies that walks you through the ICO’s “12 steps to take now” and gives pragmatic advice on how to deal with each of them.
Volcanic is supporting the recruitment industry towards GDPR compliance ahead of the May 2018 deadline. Our market leading web platforms will be developed in full compliance with the GDPR principles of privacy by design, data subject consent, breach protocols and full audit tracking.
Disclaimer: This blog sets out to share our general guidance on best practice in GDPR based on our extensive research and practical knowledge. It is not a legal document. We recommend that you seek expert legal advice before implementing your GDPR policy.