I’d estimate that less than 2-3 percent of the recruitment industry is ready for the GDPR. Most of the 26,000-27,000 recruitment agencies in the UK alone are still working on systems that will be redundant after the GDPR comes into force.
The recruitment industry is already a heavily regulated sector, but what’s different about the GDPR is that we don’t yet know what it means. As at today, the ICO has not published consent messages, for example, so we are left in a state of guesswork and confusion, which hardly seems fair when the GDPR becomes law in May. Not a guideline - but the law.
I see a real danger in that many legal teams seem to be telling their clients to avoid taking on responsibility by avoiding commitment. To put this into context, they’re saying that if you actively seek consent from a data subject, you’re aligning yourself to the regulation and could therefore be sued for not complying. To me, burying your head in the sand is not an option - this is law, black and white.
As it currently stands, there is no grace period, little room for interpretation and the recruitment industry seems to be a sitting duck. Don’t forget that the ICO is, after all, a government profit centre that has grown its numbers from around eight people to a couple of thousand in the last few months. It will need to prove its worth and its funding.
Currently, if an individual seeks compensation and can prove negligence, an average payout will be between £2,000 and £4,000. Multiply that by the number of candidates a typical recruiter holds on its database and the consequences of a breach would be devastating.
In my opinion, one thing is clear: it’s no use taking consent unless you are able to log and produce a dated and trackable record that you’ve got the relevant permissions, with auditable version controls and the required subject access requests in place.
At Volcanic, we’ve been working on our GDPR-compliant platform for months. We’ve built a gold standard of compliance that will support all our clients’ websites.
Until the ICO is prepared to publish its statements and consent messages and gives the recruitment industry a clear definition of exactly how to comply with the GDPR, I can’t see how it will happen. Certainly not by May.
For the full story, listen to my exclusive interview with Idibu. Volcanic is supporting the recruitment industry towards GDPR compliance ahead of the May 2018 deadline. Download your free guide to GDPR for recruitment agencies, which walks you through the 12 principles set out by the ICO and gives pragmatic advice on how to deal with them, or contact us for more information.