GDPR’s Impact on Recruitment

The General Data Protection Regulation (GDPR) comes into force on May 25 this year, designed to improve data and information security across Europe. The personal data of all EU individuals must be gathered, stored and disposed of in accordance with the new regulations and, despite Brexit on the horizon, the UK is no exception. Non-compliance with the GDPR could have a sizeable reputational as well as financial impact, with fines potentially taking the form of a percentage of the annual turnover.

Any business that handles personal data in any form is liable, and recruitment, whether in-house or through a specialist agency, is clearly at the forefront of that, with a simple date of birth or address on a CV. Organisations that recruit will already have a privacy policy in place, but now is the time to revisit this, as well as your other processes to ensure compliance. GDPR won’t change how recruitment happens, but there will be a new layer of accountability added to the procedure. Here are our suggestions to set the ball rolling:

  • Audit your database and map your data to understand its flow

Once your database is clean and up to date, you should document how personal data comes in and out of your business. During the recruitment process, it could come in directly from candidates; via social media; a referral programme; or from your website. At this stage, you should also identify which of the legal bases under GDPR you are justified in collecting and storing this data.

  • Draft a new, compliant data handling policy

GDPR includes new requirements that will impact recruiters. There is now no single consent agreement to cover all the uses of a candidate’s data, so separate consent, which must give a clear option to agree or disagree, must be gained for each individual activity. Don’t rely on your CRM system to automatically do this either, unless you have explicitly set it up to do so!

  • Train staff on what is required of them

Employees, particularly those involved in the recruitment process, should be trained and conversant in GDPR. It is the company’s responsibility to ensure that they know what is required of them and the implications of not adhering to the legislation. Larger firms should consider hiring a Data Protection Officer to both gain and help maintain compliance.

  • Ensure all business partners are compliant

If you share data with any outside partners, such as a recruitment consultancy or outsourced payroll or I.T., then you will need a new data sharing agreement in place that complies with GDPR. For recruiters, this might include data that comes in via job boards, for example.

  • Communicate your compliance

Given that GDPR is fundamentally about being transparent in how you legally use personal data, you should communicate this in an updated privacy policy, easily available on your website or as an appended document. Include everything, from where personal data will be shared to how long it will be stored.

Finally, it’s worth noting that, in today’s world of cyber threats, GDPR compliance also legally protects organisations should they suffer a data breach. While it may not deter hackers in any way, your company will be in a better legal position should you lose any data. You’ve got three months, so any questions, let us know!