General Data Protection Regulation (GDPR) – Client Guidance
With a significant change to data protection legislation going live in a few short weeks’ time, we thought it would be useful to provide some insights into how the new General Data Protection Regulation (GDPR) is going to affect the recruitment industry.
How companies collect and process personal data has always been a contentious issue, but from May 25th 2018 a new regulation will come into force that will further clarify what is expected of companies in this regard. GDPR is sure to have an impact across multiple sectors of business, and this is certainly the case in the recruitment industry, affecting not only how recruiters operate but also how companies that utilise recruitment services handle personal data provided to them.
What is GDPR?
The General Data Protection Regulation (GDPR) sets out how “personal data” of individuals living inside the EU can be collected and processed. It also gives individuals (known as data subjects) a number of rights which will allow them to regain some control over their own data.
What constitutes personal data?
According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information or a computer’s IP address.”
With regard to candidates, most of what recruiters provide to you should be considered personal data. This includes CVs, right-to-work documentation, work portfolios and work references.
Who can process data?
In terms of collecting, saving and processing personal data, companies will need to demonstrate that they have at least one of the following lawful bases to do so:
- The data subject has given explicit consent to the processing of personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular if the data subject is a child.
If recruiters are to follow not only the letter of the law but also its spirit, they are required to gain “explicit permission” from candidates to share their personal data with specific people for specific purposes; for example, to send details to a data processor at company A in relation to vacancy X.
Some recruitment businesses may instead argue that they have a “legitimate interest” in finding an individual a job and therefore do not require explicit consent. This may be technically correct; however, they must still be able to show that they have informed the data subject of their rights (below), including how their data will be processed, prior to processing it.
What rights do individuals have over their data?
- The right to be informed – Data subjects should have clear and concise information on how their data is to be used
- The right to access – Upon request, a data subject should be informed of the type of data being processed, be given a copy of that data and be informed of the purpose of the processing
- The right to rectification – Data subjects have the right for all data to be rectified if it is shown to be inaccurate
- The right to erasure – Data subjects have the right for their data to be erased when retention of data is no longer necessary, where the data subject withdraws consent or when it has been gained unlawfully
- The right to restrict processing
- The right to data portability
- The right to object – Data subjects have the right to object to their data being processed, for example by company A
- Rights relating to automated decision making and profiling – There are a number of exceptions to this right
As a “data processor” (someone that receives and processes personal data) what do you need to do?
- Check that you have a GDPR compliant data protection policy
- If your company has over 250 employees you will need to appoint a Data Protection Officer
- Regularly check that your recruiters have a lawful basis to process candidates’ data
- Minimise the number of people that are able to access candidates’ data
- Erase data from your systems following the application process or gain permission from the data subject to retain their data
- In cases where more than one recruiter puts forward a candidate, in the first instance ask both recruiters to demonstrate that they have a lawful basis for passing on a CV. We would also strongly recommend that you only work with recruiters who can clearly show that the candidate has consented to being represented by them to you.
Sanctions for non-compliance
While it is likely that a written warning will be issued for first offences or for non-intentional non-compliance, ongoing or intentional non-compliance can result in fines of up to €20 million or up to 4% of the annual worldwide turnover.
If you would like to discuss any of the above please contact Christopher Hannah on 01993 225055 or via email on firstname.lastname@example.org