
Supporting the recruitment industry towards GDPR compliance

11 months ago by Alison Owen


The recruitment sector is set to be one of the hardest-hit casualties of the forthcoming General Data Protection Regulation (GDPR), because of the large volumes of data it handles both at a transactional level and, more significantly, at the deeper level of engaging with candidate data.

Make no mistake, complying with the GDPR is no small undertaking - it will require all recruitment businesses to overhaul their current cyber-security and data protection practices. There’s a lot to get through and, unless you’re ready by 25 May 2018, one thing you’ll no longer be allowed to do is handle any candidate data for which you do not hold the individual’s active, purpose-specific and opted-in consent.

A survey by data management firm Veritas has revealed that less than one third of organisations believe they are ready for the GDPR. Failure to comply with the new terms of the GDPR will incur steep penalties - either four percent of your global revenue or €20M, whichever is greater - far higher than the current maximum fines the Information Commissioner’s Office (ICO) can levy.

And the GDPR is not an easy read. Its 99 Articles and 173 Recitals can be somewhat overwhelming!

At Volcanic, we’re here to help. We realised early on that, while focusing on the compliance of our own platform and ensuring that we, as a vendor partner, are GDPR-ready, we have a responsibility towards all our customers to support their compliance too.

 

Your website may present a potential risk

As a provider of websites and job boards to the recruitment industry, we have not only committed to all our customers that our platform will be fully GDPR compliant, but also that we’ll support them in their own journey towards GDPR compliance. Your website is, after all, potentially one of the highest risk areas of your business because of the large volumes of data it handles.

We have conducted a full data protection impact assessment (DPIA) of our platform that follows the requirements set by the GDPR guidelines. As a result, we’ve taken our platform back to design and development to produce new compliance modules that are built with the GDPR principle of Privacy by Design / Privacy by Default at the core.

 

Putting the candidate first            

Rather than introduce new complexities, we have quite simply gone back to our system’s roots to build in the requirement of privacy by design. We’ve developed a new self-service candidate dashboard that not only represents a huge time and cost saving in terms of your data management, record-keeping, tracking and accountability, but also significantly reduces the margin for error - and blame - by allowing candidates to manage their own data. Everything is captured and logged and can, critically, be traced back to its source and reported on.

 

So how does that help me as a recruitment agency?

Under the terms of the GDPR, an individual can at any time make a Subject Access Request (SAR) which means you must, by law, provide to them all the data and consent records you hold on them, having first checked that they are indeed that person and have the right to access that data - all within 72 hours of their request and in a format that they can use, AND then log that you have carried out their request.

Are you confident you can do all this? Because you’ll need to be able to do so long before 25 May 2018 - unless you’re prepared to delete all data for which you don’t hold the subject’s consent to process it.

 

What do I have to do if I get a subject access request?

An individual may request any of the following under eight principles set out within the GDPR. Take a deep breath. They have the right to be informed of the purpose for which you’re holding their data, to access their data, to change or delete their data under their ‘right to be forgotten’ (including tracking and requesting deletion of all data you may have sent out), to restrict processing of their data, to request you supply their data to a third party (in a format that they can use!) or to object to your processing their data. They can also object to being subject to automated decision making - which will likely have a huge impact on your marketing strategy if you use automated workflows, for example. You have no grounds for refusal of this type of objection.

And if the candidate believes their data has been used inappropriately they are perfectly entitled to report you to the ICO. We don’t recommend risking it!

 

What to do next? 

Download your free guide to GDPR for Recruitment Agencies that walks you through the 12 principles set out by the ICO and gives pragmatic advice on how to deal with them.

 

 

 

Volcanic is supporting the recruitment industry towards GDPR compliance ahead of the May 2018 deadline. Our market-leading web platforms will be developed in full compliance with the GDPR principles of privacy by design, data subject consent, breach protocols and full audit tracking.

Disclaimer: This blog sets out to share our general guidance on best practice in GDPR based on our extensive research and practical knowledge. It is not a legal document. We recommend that you seek expert legal advice before implementing your GDPR policy.  
