What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. Furthermore, the UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Who does it apply to?
If you process EU residents’ personal data, then the GDPR probably applies to you.
It doesn’t matter whether you are based in an EU state or not – if your company processes, stores or transmits personal data belonging to EU residents, then you will almost certainly be required to comply with it.
When does it start?
GDPR changes come into effect on the 25th May 2018.
What does this mean for recruitment businesses?
The changes to GDPR will impact on how recruiters and recruitment businesses process candidate data. Your current business model will determine how much the GDPR will affect you, as the significant change revolves around being more transparent with your candidates about how you collect, store and use their data.
The key points are:
- Implied consent is no longer sufficient when you have obtained a candidate from a job board. You must seek explicit consent from the candidate that you are allowed to use their information for the purpose of finding employment.
- Separate consent must be sought for each role you put the candidate up for.^
- You must provide each candidate with the following rights:
  - Right of access - Enables the candidate to request the personal data you hold about them.
  - Right to rectification - Enables the candidate to have any personal data rectified if it is inaccurate or incomplete.
  - Right to restrict processing - Enables the candidate to ‘block’ or suppress processing of their personal data as well as preventing you from submitting their CV to clients.
  - Right to erase - Also known as ‘the right to be forgotten’, this enables the candidate to request the deletion or removal of their personal data where there is no compelling reason for you to continue holding it.
- You will be responsible for your own compliance with the GDPR and must be able to demonstrate a paper trail of compliance in your records.
^ The act of “speccing” candidates will also come under further scrutiny within the new regulations. GDPR mandates that the sharing of personal data cannot be on the basis of implied consent; consent must come directly from the candidate. However, a grey area exists where organisations may also be able to rely on ‘legitimate interests’ and ‘necessary for the performance of a contract’ to process data, but these must be used only where appropriate. For recruiters, legitimate interest could be used to provide work-finding services generally, but express consent would be required to transfer personal data to another party, such as an umbrella/payroll company.
An overview of the GDPR can be viewed on the Information Commissioner’s Office (ICO) website.
Feeling brave? Download the 88-page legal document.
Will SW2 help me comply with the GDPR?
The simple answer is “yes”.
We are well underway with the development of a GDPR module and will be providing further information about this in the coming weeks.