The General Data Protection Regulation (GDPR) applies from 25 May 2018, and with it comes a raft of changes to how personal data is obtained, handled, stored and deleted.
GDPR is EU legislation that replaces the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998) and harmonises data protection rules across the EU by giving individuals greater control over their personal information.
If you are based in Europe, have clients in the EU, or process data about people in the EU, you will need to comply with the new rules. Despite being an EU initiative, the ongoing Brexit negotiations will not stop this legislation taking effect in the United Kingdom.
Recruitment and sales organisations should be working now to ensure they will be GDPR compliant: the maximum fine is €20 million or 4% of annual global turnover, whichever is greater. But what does GDPR compliance look like, and what should recruitment agencies be doing between now and May 2018 if they haven't started addressing the change?
How will GDPR change recruitment business models?
Some people have described GDPR as the end of modern recruitment as we know it, a biblical tidal wave that leaves nothing in its wake. It is not that dramatic. Handled well, it could even help build more trust with the general public.
The day-to-day operation of a recruitment agency that already complies with the Data Protection Act shouldn't change much. The main changes that will affect recruiters concern transparency towards your service users and how you capture and work with data about your clients and candidates.
There are a few significant points to keep in mind when it comes to being more transparent:
- Where you rely on consent, it must be specific: anyone whose details you gather must be told exactly which of your services they are signing up for, and consent is needed separately for each processing activity (registering for a vacancy, signing up for a weekly jobs email, promotional marketing, and so on). This has to happen at the point of sign-up, so people know exactly what they are handing over their personal data for. Under GDPR, consent must be freely given, specific, informed and unambiguous, and signalled by a clear affirmative action: pre-ticked boxes, soft opt-ins and automatic opt-ins do not count. Consent is also only one of the lawful bases the regulation recognises; where a candidate has asked you to put them forward for roles, performance of that contract or your legitimate interests may be the more appropriate basis, and you should record which one you rely on for each activity.
- Implied or broad consent won't cut the mustard anymore and is not a valid basis for processing or sharing personal data. For example, you can no longer take someone's details from a jobs board and add them to your own database on the reasoning that a person looking for work would naturally want to hear about promotional opportunities from a recruiter.
- Every CV submitted to an employer must be for a valid, specific role, and the job seeker must agree to that submission before it is made on their behalf.
- You and your organisation are directly responsible for complying with GDPR, and you need to be able to demonstrate every stage of consent between the agency and the individual. This applies to every database and cloud service you use (Salesforce or NetSuite, for example): those providers have their own obligations as processors, but as the controller of the data the responsibility for having a lawful basis, and a record of it, stays with you. Keeping a paper trail is paramount.
Beyond following the above requirements, recruiters also have to be able to demonstrate how they comply with them; the regulation calls this the accountability principle.
What should recruitment agencies be doing?
The ICO has published a general 12-step guide (PDF) to preparing for GDPR. It's a good place to start if you haven't begun work on compliance yet. Here are some more recruitment-oriented actions you can take to be ready for May 2018.
1. Data Audit
The first thing you can do is review all of the information you currently hold on clients and candidates. What information do you collect, where do you store it, and why? You will also need regular data audits to check accuracy, including how long you keep data and how quickly you can act on requests from individuals to add or remove them from specific services. Clients and candidates will have the "right to be forgotten" (the right to erasure) and the "right to object" to their details being used, held or shared. Personal data in this context goes beyond name and contact details: online identifiers such as an IP address, and location data, count too.
2. Data Management
It is advisable to hold all of this information in one centralised system: consent records scattered across Word, Excel, Outlook and CRM files are inefficient and hard to monitor and police. A central CRM or database gives you clarity and removes any ambiguity about who gave consent to be contacted, when, and where. That paper trail is going to be imperative once GDPR is enforced. Centralising data also concentrates the risk, so the system needs appropriate access controls and an audit log of who viewed or changed a record; GDPR (Article 32) expects security measures proportionate to that risk.
3. Use the right medium
Make sure processes are in place so that you only contact individuals you are authorised to contact, and only through the channel they opted in with. Someone who opted in with their email address has not given you permission to phone them as well.
4. Unsubscribe means do not contact
Individuals have the right to unsubscribe, and when they do you should not contact them for marketing purposes under any circumstances. That includes emailing them to ask whether they would like to re-subscribe: the ICO treats such a message as unsolicited marketing in its own right, and in 2017 it fined Flybe and Honda under the existing PECR rules for exactly that.
5. Communicate across your business
Everyone in your organisation, from top to bottom, needs to know about the incoming changes. Communicate the message and set out new processes and procedures as needed, so that everyone knows the limits of what can and can't be done under GDPR.
You should also speak directly to your clients and to any suppliers or job boards you work with, as GDPR could change your relationship with them.
6. Consider reaching out to your current users
One approach is to use the medium the individual gave you permission to use to re-engage with the people in your database, asking whether they would still like to remain on it and whether they would like to be kept up to date through other channels. This is a risky strategy: reaching out like this is itself a form of marketing, and asking someone to opt in is processing their data, which is unlawful if the recipient has not already authorised that contact. Only do it with people whose existing consent covers the message you are sending.
“Data is like vegetables. Best when fresh and local.”
– Dr. Inga Dora Sigfusdottir
7. Retention periods
Consider implementing retention periods in your database, so that after a set period with no activity an individual's record is flagged as inactive or unresponsive and reviewed. This keeps your information accurate and fresh. Flagging alone does not satisfy the storage limitation principle, though: a record you no longer have a reason to hold should be deleted or anonymised, and the retention period you choose should be stated in your privacy notice.
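The consent, channel, unsubscribe and retention points above (items 1 to 4 and 7) all come down to the same record-keeping question: for this person, this purpose and this channel, what was the most recent decision, and is the record still live? The following consent ledger is an added example written for this article; it is not code from the original page or from any CRM named in it. The purposes, channels, two-year inactivity window, contact names and sign-up sources are all constructed assumptions. Every decision is an append-only event, so the ledger itself is the paper trail.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Processing activities and contact channels: assumed values for the demo.
PURPOSES = {"vacancy_registration", "weekly_jobs_email", "promotional_marketing"}
CHANNELS = {"email", "phone", "sms"}


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision. Events are appended, never edited: the trail is the record."""
    contact_id: str
    purpose: Optional[str]   # None: covers every purpose (global unsubscribe)
    channel: Optional[str]   # None: covers every channel
    granted: bool
    at: datetime
    source: str              # where it was captured, e.g. a form id or call note


class ConsentLedger:
    def __init__(self, inactivity_limit: timedelta = timedelta(days=730)):
        self._events: List[ConsentEvent] = []
        self._last_activity: Dict[str, datetime] = {}
        self.inactivity_limit = inactivity_limit  # assumed two-year window

    def touch(self, contact_id: str, at: datetime) -> None:
        """Record activity (a reply, a login, a placement) for retention checks."""
        prev = self._last_activity.get(contact_id)
        self._last_activity[contact_id] = at if prev is None else max(prev, at)

    def _append(self, event: ConsentEvent) -> None:
        self._events.append(event)
        self.touch(event.contact_id, event.at)

    def grant(self, contact_id, purpose, channel, at, source) -> None:
        """Consent for exactly one purpose on exactly one channel, never broader."""
        if purpose not in PURPOSES or channel not in CHANNELS:
            raise ValueError(f"unknown purpose/channel: {purpose}/{channel}")
        self._append(ConsentEvent(contact_id, purpose, channel, True, at, source))

    def unsubscribe(self, contact_id, at, source) -> None:
        """'Unsubscribe means do not contact': blocks every purpose on every channel."""
        self._append(ConsentEvent(contact_id, None, None, False, at, source))

    def may_contact(self, contact_id, purpose, channel, now) -> Tuple[bool, str]:
        """Whether a message for this purpose may go out on this channel, plus a
        reason for the audit log. The latest event covering both wins."""
        matching = [e for e in self._events if e.contact_id == contact_id
                    and e.purpose in (None, purpose) and e.channel in (None, channel)]
        if not matching:
            return False, "no consent recorded for this purpose on this channel"
        latest = max(matching, key=lambda e: e.at)
        if not latest.granted:
            return False, f"consent withdrawn on {latest.at.date()} via {latest.source}"
        last_seen = self._last_activity[contact_id]
        if now - last_seen > self.inactivity_limit:
            return False, f"inactive since {last_seen.date()}, beyond retention period"
        return True, f"consent granted on {latest.at.date()} via {latest.source}"

    def inactive_contacts(self, now: datetime) -> List[str]:
        """Contacts past the retention window: review for erasure, not just a flag."""
        return sorted(c for c, seen in self._last_activity.items()
                      if now - seen > self.inactivity_limit)

    def audit_trail(self, contact_id: str) -> List[ConsentEvent]:
        return sorted((e for e in self._events if e.contact_id == contact_id),
                      key=lambda e: e.at)


def demo() -> Dict[str, object]:
    """Constructed sample contacts; returns the decisions so they can be checked."""
    def ts(y, m, d):
        return datetime(y, m, d, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # alice opted in to the weekly jobs email, by email, on the web form.
    ledger.grant("alice", "weekly_jobs_email", "email", ts(2018, 6, 1), "web_signup_form_v3")
    # bob opted in to marketing, then clicked the unsubscribe link a month later.
    ledger.grant("bob", "promotional_marketing", "email", ts(2018, 6, 1), "web_signup_form_v3")
    ledger.unsubscribe("bob", ts(2018, 7, 1), "unsubscribe_link")
    # carol registered for a vacancy in 2016 and has not been heard from since.
    ledger.grant("carol", "vacancy_registration", "email", ts(2016, 1, 15), "web_signup_form_v1")
    now = ts(2018, 8, 1)
    return {
        "alice_email_jobs": ledger.may_contact("alice", "weekly_jobs_email", "email", now),
        "alice_phone_jobs": ledger.may_contact("alice", "weekly_jobs_email", "phone", now),
        "alice_email_marketing": ledger.may_contact("alice", "promotional_marketing", "email", now),
        "bob_email_marketing": ledger.may_contact("bob", "promotional_marketing", "email", now),
        "carol_email_vacancy": ledger.may_contact("carol", "vacancy_registration", "email", now),
        "inactive": ledger.inactive_contacts(now),
        "bob_trail": [(e.granted, e.source) for e in ledger.audit_trail("bob")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design choices matter here. A grant is always scoped to one purpose on one channel, so an email opt-in for the jobs newsletter never authorises a phone call or a marketing message; and an unsubscribe is a single event with no purpose and no channel, so it outranks every earlier grant until the person explicitly opts in again. The retention check returns the contact as blocked, but deliberately leaves deletion to a separate, reviewed step.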
8. Privacy Policies
Update your privacy notice so that it tells people, in plain language, who you are, what data you collect, what you use it for and on which lawful basis, how long you keep it, who you share it with, and how they can exercise their rights. The audit, consent records and retention periods from the earlier steps should feed straight into it.
Ultimately, GDPR should improve your business by making it more open and transparent, and should increase conversion rates because you will be working with people who also want to work with you. This is by no means an exhaustive list, but following these steps should put you closer to being ready for GDPR when it applies in May 2018.