How will the GDPR affect recruitment companies that hold large CV databases?

Recruitment companies will definitely be caught by the GDPR if they are processing data about EU residents and the impact may be significant.

If they hold large CV databases then this will constitute the processing of personal data for GDPR purposes and they will need to comply with their obligations under the GDPR. This will include, for example, informing candidates about the data they hold about them, the purposes for which they hold and use it, etc.

More specifically:

  1. A candidate seeking a role via a recruitment company will need to be told in very clear terms what use will be made of the data he gives it, to whom it will be supplied and for how long it will be retained if he (a) is and (b) is not successfully placed by the recruitment company. He will need to consent to that by positive opt-in rather than opt-out (in other words, “tick the box to confirm your consent” is fine but “you will be deemed to consent unless you tick the box” is not).
  2. Having a huge database of contacts may no longer make a recruitment company look so attractive, especially if many of those entries are old and inactive. Even simply storing personal data is processing it, so all those old candidates will now have strengthened rights of portability, deletion, correction and indeed to be “forgotten”, i.e. removed from your systems altogether. In principle, they should each now be notified of those new rights, even though they may not have heard from the recruiter or vice versa for years. How far this will be complied with in practice is a separate question.
  3. So, one impact of the GDPR's emphasis on “minimisation” is likely to be a pre-emptive cleaning of recruitment company databases wherever there is no demonstrable need to retain candidate data. We have heard it said that little more than 10% of the candidates on such databases are ever actually placed, so that leaves a lot of “dead wood”. Big may no longer be beautiful in these circumstances - now it will just mean a greater risk of inadvertent infringement and a higher data maintenance burden.

In particular:

  • the maximum level of fines will increase to up to €20 million or 4% of global turnover
  • claims for compensation will become significantly easier
  • regulators will be able to require companies to cease processing of personal data which is in breach of GDPR, and
  • the Information Commissioner's Office will need to be notified within 72 hours of data breaches

In addition, as non-compliance can have both a financial and reputational impact, adherence to the GDPR will play a key role in the success (and valuation) of businesses in this sector.

Companies should act now to ensure that they are not at risk of breaching their obligations next year.

Here are the top five areas of impact which GDPR is likely to have on recruitment sector businesses:

1. Legal basis for processing and consent

The GDPR changes the current legal bases which are used to justify collecting and processing personal data, and requires additional transparency in informing individuals about when (and why) their data is collected, processed and transferred.

Traditionally, recruitment sector businesses have relied on an individual's consent to justify the processing of their data. However, under the GDPR, there are stricter requirements for consent – it must be clearly distinguishable from other matters, in an intelligible and easily accessible form and must be capable of being withdrawn. Separate consent must be sought for separate processing activities (such as, for example, when a candidate has put his or her details forward for one vacancy and these are then used for an unrelated purpose).

Consequently, relying on consent alone is likely to become problematic and, in the future, you may need to rely on some of the other grounds for processing that exist. We can help you to examine the current basis for your data processing and assess whether this will still be valid under GDPR. We expect that most businesses will need to revisit and revise their current data collection and handling processes in order to comply with the new obligations. For example, some recruiters may need to ask existing candidates to re-register and remove any candidate who has not consented. Recruiters may also need to give candidates additional clarity about how they collect and use their personal data.

2. Data sharing

Under the GDPR, the relationship between parties who share data between themselves will become much more heavily regulated. If you share personal data with third parties (such as RPO companies, umbrella companies or payroll companies) then you must have a GDPR-compliant data sharing agreement in place. Policy on using data from job boards will, in particular, need to be reviewed carefully.

Consequently, you should review, and possibly amend, your contractual relationships with all those with whom you share data to ensure that they meet these new requirements.

3. Data processing

If you currently act as a data processor (e.g. if you collect and process an individual's personal data on behalf of another company, such as part of an RPO or payroll arrangement), the GDPR will bring more significant change. Under current data protection legislation, you have few direct obligations. However, under the GDPR, you will have direct responsibility for your own compliance with the GDPR, with the potential sanctions and other consequences of non-compliance set out above. Key client contracts will need to be reviewed in this respect.

4. Rights of individuals

The GDPR builds on existing rights of individuals (such as the right to object to the processing of data for profiling) and contains numerous new rights. Individuals will have wider rights of access and information and any inaccuracies must be rectified without undue delay.

There is a new right to have personal data erased where the data is no longer required, where consent is withdrawn or if the processing is unlawful. This accompanies a similar right to restrict processing where the accuracy of the data is contested (which might be the case where a contract worker disputes client feedback about attendance or quality issues) or the processing is unlawful. Lastly, there is a new right of data portability which allows individuals to move their data to another controller (or recruiter) in a structured, commonly used and machine-readable format.

This “portability” right is likely to cause many headaches for unprepared recruiters. Will it be used to facilitate free migration of your contractors to a new supplier? Will you need to tighten up your other restrictions? Whatever the case, you will need to consider implementing internal processes now in order to ensure that you can comply with these new rights of individuals once the GDPR comes into force and you may need to start including relevant additional protections in client contracts to limit free migration. Free migration can significantly reduce the value of your key client contracts, and in turn, your business.

5. Security

Under the GDPR you will have a duty to implement measures to ensure a level of security which is “appropriate to the risk”. Appropriate measures may include:

  • pseudonymisation and encryption of personal data
  • the ability to ensure on-going confidentiality, integrity, availability and resilience of data processing systems
  • the ability to restore data in a timely manner in the event of an incident, and
  • a process for regularly testing, assessing and evaluating the effectiveness of security measures

This means that you may need to change your internal processes now in order to comply with the GDPR. If you are looking now at developing or buying in new CRM/ATS software to be in place after May 2018, then you will be wasting money if you do not future-proof for the GDPR.

You should also ensure that you have clear and robust social media policies in place to make it clear what your recruitment consultants can and cannot do with client and candidate data. Failure to do so could leave you vulnerable to breach “by the back door”.

How can we help?

GDPR compliance will take time to implement so we recommend that you act now to understand the impact of the GDPR on your business and identify what changes you need to make. The senior management of CyberscopeAcademy have over 60 years' experience in the recruitment sector. Our data privacy consultants have a deep understanding of the GDPR and are members of the IAPP (International Association of Privacy Professionals).

We are uniquely placed, with our data privacy experts, to help you navigate through the changes in a way that is relevant to your business.

We can offer workshops to help you understand the impact of the GDPR on your business and help you implement the GDPR so that you are compliant with the regulation before May 2018 and beyond.

Colin Rawlinson CEO Chartered Fellow FCIPD