The fundamental business model of recruitment agencies is handling personal data, so the UK’s new data protection law is causing quite a stir. Employment expert Chris Cook from SA Law outlines what you need to be thinking about.
What is GDPR?
On 25 May 2018, a new Data Protection Act will launch that incorporates the European General Data Protection Regulation (GDPR).
What will it do?
It gives EU citizens more control over how their data is collected and processed, wherever it is held. For example, if you had an Australian branch, it would need to comply with GDPR if it were placing an EU candidate.
So why is this happening?
The current Data Protection Act is 20 years old, and no longer protects people adequately. Large-scale data gathering has exploded over the last ten years, so the new law gives individuals more control, and makes organisations more transparent and accountable.
Why is there so much fuss about GDPR?
In a word, fines. The new law introduces a maximum fine of up to 4% of your annual global turnover. Although the Information Commissioner will take a reasonable approach to fines, there is still a much greater chance of serious financial damage if a data breach occurs through non-compliance.
What about Brexit?
Good point, but no. GDPR will remain part of UK law even after the UK leaves the European Union.
What else does the law change?
Many responsibilities remain the same, but some fundamental additions will need to be absorbed into your policies, processes and systems.
Most notable is the need to obtain unambiguous consent to collect and use a person’s data. That means no more assumptions or pre-completed tick boxes. You need to explain what you intend to do with someone’s data, and ask for their consent to do it.
The new law also gives individuals a new ‘right to be forgotten’, which means they can ask to have all data you hold about them deleted. Your policies, processes and systems must also be built with ‘privacy by design’ in mind, and data breaches must be reported to the Information Commissioner within 72 hours.
What does that mean for recruitment agencies?
It means taking a good look at how you handle all personal data for your candidates, customer organisations, contacts and employees. You must gain unambiguous consent if you want to continue holding their data. You must also make sure that employees keep the new law in mind as they conduct your business going forward.
Writing job notices: Be careful how you word them as they can sometimes give away personal details you need consent for. For example, if you advertise for maternity cover you are disclosing someone’s medical condition, which is considered sensitive personal data.
Posting job notices: All organisations must clearly state how they intend to use the personal data they are given. Add a link to the privacy page on your website, and make sure the page is worded clearly.
Referees: Reconfirm consent before contacting a candidate’s referees. This avoids any embarrassing situations such as the current boss finding out about their team member’s departure prematurely, which could easily draw a complaint from the candidate.
Retaining information: Once you have placed a candidate, you will need further consent if you want to keep their details on file. One way to handle all of the new consent requirements is to create a single tick-box form that itemises each intended use of the candidate’s data, so they can agree to those uses as they see fit.
Deleting information: Delete information you no longer need. This fulfils your legal obligations, and also saves you time in the long run if a former candidate suddenly makes a Subject Access Request (SAR) to see all the information you hold about them.
Any other tips?
One of the key causes of data breaches is out-of-date contact details, so check the accuracy of your personal data regularly, particularly telephone numbers, and postal and email addresses.