How will GDPR affect the recruitment industry?
Recruitment agencies and teams have anticipated the changes to their recruitment procedures that will occur due to the General Data Protection Regulation (GDPR). Essentially, the GDPR demands that recruitment agencies or teams become more transparent about their collection of personal data and customer data. The recruitment industry is data-driven. Therefore, to avoid a data breach and to ensure data protection regulation is upheld, the recruitment industry needs to be well trained and informed regarding data protection.
The recruitment industry and achieving consent:
The GDPR now states that, unlike previously, a recruitment team needs to obtain separate consent from an individual if it wants to process that individual's personal data for a separate activity. This means that, if an individual offers their personal data to a recruitment team for a specific job, the recruitment team then needs to ask that data subject for specific consent if it wants to process their personal data for another job vacancy.
Previously, the recruitment industry would utilise implied consent, which allowed it to process a data subject's personal data and contact them years later with different job opportunities. Now, the GDPR states that this implied consent is not specific, and therefore cannot be used. Specific consent occurs when a data subject offers their personal data to a recruitment agency for a specific job vacancy, not for related vacancies which may occur years later.
Recruitment agencies previously would have considered an individual's personal data found on recruitment social media sites, such as LinkedIn, as implied consent, suggesting that the individual is interested in job vacancies. However, the changes created by the GDPR nullify implied consent as a legal premise used by the recruitment industry.
The rights of a Data Subject:
The GDPR states that a data subject has the right to make subject access requests to retrieve their personal data, if the request is compliant with the GDPR. The data subject also has the right to data portability, meaning that they should be able to retrieve their data from the recruitment agency and move it to a rival recruitment site if they would prefer. Finally, the data subject has the right to demand that their data is removed from a recruitment agency's database under the 'right to be forgotten'.
Data Protection Officer
The GDPR states that a data protection officer should be incorporated into an organisation to ensure data protection regulation is upheld. If it is not upheld, then the Information Commissioner's Office (ICO) has the potential to fine an organisation up to €20 million or 4% of the organisation's global turnover, whichever is higher.
The Recruitment and Employment Confederation, a UK-based professional body for the recruitment sector, has produced a range of guidelines and advice services, as well as maintaining communication with the ICO, to help the recruitment industry comply with the GDPR.
In August 2017, uncertainty regarding GDPR heightened as Peter Wright, director of the law firm DigitalLawUK, stated that there seemed to be a delayed and lethargic process underway across recruitment agencies in the UK. This did not look like promising preparation for the upcoming implementation of GDPR in May 2018. A solicitor at Irwin Mitchell, a British firm of solicitors, re-affirmed that halfway through 2017, there was not much convincing evidence of the recruitment industry implementing procedures that would comply with the upcoming GDPR.
The vast amount of personal data and customer data processed by the recruitment industry means that it will naturally fall under the spotlight of the GDPR. Therefore, its compliance with the GDPR is of particular importance. This compliance can be ensured through education and training of the recruitment team or recruitment agency.