On Wednesday 9th May 2018, TBOS teamed up with SA Law LLP and held a GDPR seminar in London for our recruitment agency clients. The event was attended by more than 30 recruitment agencies who came to find out how the new General Data Protection Regulations (coming into force on Friday 25th May 2018) would affect their agency. The seminar was opened by Stewart Roberts, Commercial Director from TBOS, who thanked the agencies for attending before introducing them to the speaker, Chris Cook, Head of Employment Law and Data Protection from SA Law LLP. Chris gave a 90-minute presentation including a question and answer slot regarding the new regulations and how they would affect the recruitment agencies on both a short and long-term basis.
During the seminar, there were a number of gasps and head-shaking moments as the reality of the legislation sank in, but by the end of the day all attendees had a plan for how to conduct their own GDPR audit and ensure that their agency is fully compliant. The main points that our clients took from the seminar concerned the following parts of the new legislation:
- Agencies Should Review and Cull Their Databases
In order to maintain the accuracy of the personal data held, and to ensure that the candidate and client have maintained their consent to hold the data, recruitment agencies will need to review and cull their own databases. It is important that agencies agree how long they can hold personal data for and what data is held (as holding unnecessary data is not permitted). Limiting the holding of CVs to 2 years, and reviewing personal data with candidates and clients during that time to confirm its accuracy, should ensure that the data is correct.
- Review and Update Existing Terms and Conditions
Before the 25th May 2018, it is advisable for all recruitment agencies to have their terms and conditions updated by their employment lawyers to ensure they remain compliant under GDPR. These updated terms and conditions need to clearly define the type of personal data being held, how this data is processed, and the obligations and rights of the data controller. You cannot automatically force the candidate or client to give consent, as consent needs to be given freely and be agreed separately from the main contract.
- Consent From Candidates and Clients
Under GDPR, recruitment agencies will need to obtain consent from clients and candidates to hold their personal data on file. This data can be any of a range of different types of information that allows an individual to be identified. It is therefore advisable that any phone calls with clients/candidates are followed up with an email containing a web link to the agency’s privacy notice, asking them to reply giving consent for the agency to hold the data and work on their behalf. Under GDPR, the consent needs to be given freely, be capable of being withdrawn at any point and be easy to understand. If you do not get this consent, or it is withdrawn, then no further communication should be made and the data should be removed.
- Breach Notifications
Should an agency breach the new GDPR rules and send personal data incorrectly, it is the responsibility of the Data Controller to inform the ICO of the breach where there may be harm to the data subject. The agency needs to have a process in place to monitor data breaches, record them, inform the ICO, and put a process in place to avoid the same breach recurring. If the agency can demonstrate that it has identified the issue and taken measures to ensure that the breach will not happen again, then the ICO should be satisfied.
- Conducting an Internal GDPR Data Audit
Each recruitment agency needs to conduct its own internal data audit in order to be compliant under the new GDPR legislation. The aim of the audit is to understand the data held, how the data is processed, and to identify any gaps. This audit needs to look at the various data subjects (internal staff, job applicants, contractors/temp staff, ex-staff members, customers/clients, suppliers, visitors) and how the information on them is held (computer files, manual files, photographic and video files, audio files) to ensure the accuracy of the data. The agency should then collate the results as a GDPR policy document which is reviewed on a regular basis (every 6 months).
At the end of the seminar, all the agencies had a clear idea of how the new legislation would affect them and what they needed to do in order to complete their own internal GDPR Data Audit. SA Law LLP offered our agencies help by providing a GDPR Assist Pack, ad-hoc GDPR advice and GDPR-compliant contract template packs, which many of our agencies have accepted.
To demonstrate our compliance with the GDPR legislation for our agencies, and to protect them as the Data Processor, TBOS has implemented the following for our agencies: Updated Service Level Agreement, Data Processor GDPR Manual, Updated TBOS Freedom Contracts, Password Protected Documents, Online Payslips, Online Timesheets and New TBOS Placement Portal. All of these processes will ensure that TBOS has done everything possible to protect our recruitment agency clients from breaching the GDPR legislation.
More information on the GDPR legislation can be found on the ICO website at www.ico.org.