
Are you confident you comply with the GDPR’s strict data privacy terms? 

No matter how big or small your recruitment business, the terms of the GDPR apply to you

What is the GDPR?

The EU General Data Protection Regulation (GDPR) is the result of four years of work to bring data protection legislation in line with new ways that data is used. 

Designed to unify privacy laws across Europe, the GDPR sets out to give individuals better data privacy rights. It places a greater degree of control over personal data in the hands of the individual.  

To give you an overview of the GDPR's requirements, some of the key points of the legislation are summarised below.

Candidate data security 
  • You must protect the candidate data you hold.
  • Personal details such as candidate names, addresses, passport details and bank account information are commonplace in all agency systems, which means that you must take measures to protect this data.

Privacy by design
  • You must restrict access to candidate data to the specified personnel within your business who need it.
  • If, for example, you export candidate data to spreadsheets that are emailed around or stored outside your controlled systems, you are creating copies you cannot track, and a breach becomes far more likely. Even a printed CV left in an unlocked desk drawer that identifies a candidate can constitute a breach if someone without authorisation gets hold of it.

Fair processing notice
  • Before collecting data, you must tell the candidate who you are, how their personal data will be processed and whether a third party will be involved.
  • This information is usually given through a fair processing notice (also called a privacy notice) at the point of collection. It can take different forms depending on how the data is collected: read out verbally over the phone, printed on a form, or displayed as a CCTV notice. Note that a notice informs the candidate; it is not in itself consent, and you still need a lawful basis (such as consent or legitimate interests) for the processing it describes.

Subject access requests
  • Within the GDPR framework, candidates can make a subject access request (SAR) at any time, i.e. request to see the personal data you hold on them, and you must respond without undue delay and within one month.
  • As well as the right to review their personal data, candidates have the right to have it corrected, the right to be forgotten (RTBF) and the right to request that their data be made available to them in a format they can use.

Data breaches
  • If there is a personal data breach, you must inform the supervisory authority unless the breach is unlikely to result in a risk to individuals, and you must inform the affected candidates if it is likely to result in a high risk to them.
  • Clear protocols must be set out so that a breach is reported internally, to any third parties the data was supplied to, and to the supervisory authority within 72 hours of the data controller becoming aware of it. If you act as a data processor for a client, you must notify that client (the controller) without undue delay so they can meet their own 72-hour deadline.

Potential fines
  • Failure to comply with the GDPR can result in harsh financial penalties.
  • The GDPR enables fines of up to 4 percent of annual global turnover or EUR 20 million, whichever is higher, and they apply to data processors as well as data controllers. For a small business this could be catastrophic.

The GDPR is built around six data protection principles, summarised below. Personal data must be:

Principle 1
  • Processed lawfully, fairly and transparently
  • You must have a lawful basis for processing personal data. Consent is one such basis, but not the only one: a recruitment agency will often rely on legitimate interests, or on processing being necessary for a contract with the candidate. Whichever basis you rely on, when collecting personal data you must tell the data subject who you are, how the data will be processed and if the data will be disclosed to any other parties.

Principle 2
  • Collected for specified, explicit and legitimate purposes
  • You must only collect personal data for legitimate and specific reasons, and you must inform the data subject of these reasons.

Principle 3
  • Adequate, relevant and limited to what is necessary for processing
  • You should not collect more personal data than you need to meet your processing requirements.

Principle 4
  • Accurate and kept up to date
  • You must take reasonable steps to ensure personal data is accurate and kept up to date. This includes amending or deleting inaccurate personal data, or when a candidate informs you of any changes.

Principle 5
  • Kept in a form that allows the identification of data subjects for no longer than is necessary for the purposes of processing
  • Your organisation should have a data retention policy that identifies when and how particular records may be destroyed.

Principle 6
  • Processed in a manner that ensures its security
  • Using appropriate technical and organisational measures, personal data must be kept secure to protect against unauthorised or unlawful processing and prevent accidental loss, damage or destruction.

What are the candidate’s rights under the GDPR?

The GDPR gives the candidate far greater rights than the Data Protection Act 1998 that preceded it.

The right to be informed
  • The identity and contact details of the data controller
  • The purpose and legal basis for processing the data
  • How the data is to be processed
  • The parties involved in processing the data
  • How long the data will be kept.

The right to rectification
  • The right to request that any personal data held is rectified if inaccurate or incomplete.

The right to restrict processing
  • When a candidate exercises this right (for example while the accuracy of their data is disputed, or while an objection is being considered), you may continue to store the personal data but must not otherwise process it without their consent or another permitted ground.

The right to object
  • If the objection relates to direct marketing, you must stop processing the candidate's personal data for that purpose immediately and without exception. For other processing based on legitimate interests, you must stop unless you can demonstrate compelling legitimate grounds that override the candidate's interests and rights.

The right of access
  • Candidates have the right to access their personal data to see what data is held and how it is being processed.

The right to erasure (the right to be forgotten)
  • Candidates have the right to request that their personal data is deleted or removed if it’s no longer needed, consent is withdrawn, the data was unlawfully processed or to comply with a legal obligation.

The right to data portability
  • Candidates may request a copy of the personal data they have provided to you in a structured, commonly used and machine-readable format, and may also request that this data be transmitted directly to another data controller where that is technically feasible.

Rights in relation to automated decision making 
  • The GDPR protects candidates against potentially damaging decisions being made about them solely by automated means, without human intervention, and restricts the use of their personal data for profiling or predictive measures. Candidates may request human review of such a decision, express their point of view and contest it.