In recruitment, personal data is the critical differentiator between success and failure. If you can’t find the best candidates and contact them, someone else will beat you to it. This competitiveness for success could also create risk – are you certain that the way your organisation handles candidate data is compatible with changes in data regulation?
On the 25th May 2018, new data protection rules will apply across the EU (including for the UK, regardless of other political movements). These new rules (known as the GDPR) are the first major update to legislation since the 1998 Data Protection Act.
For many organisations, there will be a change in how they need to think about things such as consent, privacy, profiling, and marketing. They will also need to consider how they will honour individual rights such as the right to erasure and the right to data portability.
My top considerations for adapting to GDPR regulation
A number of companies I’ve spoken to have given their thoughts on how the recruitment industry may need to adapt to the GDPR. In many ways, they are no different to other industries:
- Personal (candidate) data is held in multiple databases, systems and locations.
- Consent has been gathered in the past but we’re not quite sure what that means for the future or whether we can rely on Legitimate Interests to continue processing it.
- Access to personal data hasn’t always been as well controlled and audited as it could have been.
- Our customers are likely to demand more access to their data alongside transparency about how we use it.
- Things like Subject Access Requests, Right of Erasure and Data Portability could cause us technical and resource challenges.
If you’re in recruitment (or any industry) it’s likely you’re kicking off GDPR preparations or are already on the way there – the important thing is to not to delay. Your business leaders need to come together to understand the key risks posed and the top actions you need to take in regards to policies, processes, systems, training and just about every other function of your organisation.
Why consent will be a critical factor for compliance in the recruitment sector
A specific consideration for recruiters will likely be Consent – if someone sends you a CV for a job, do you have permission to store it and use it when looking to fill other positions? Think about how transparent this consent is to your applicants and how easy it is for them to access that information, change it or remove that consent later. Alongside this, you will also want your Legal people to find the dividing lines between Consent and Legitimate Interests and how they can be used by your business.
Also, the contact data held with an applicant record will change over time – how do you ensure that the data you hold on a data subject is accurate? Do you have policies in place to try and update data (or if you can’t update it, delete it)? Can the applicant update this themselves?
What’s the best way to get on track for GDPR adoption?
There will be many other considerations specific to your business. The best thing you can do is to get your GDPR team up and running. If you’re just starting out or have some things in place but aren’t sure what’s left to do then it’s a really good idea to do a data assessment. This can really zero in on potential unknown issues across the business and identify gaps in readiness. You may also want to check out a recent blog I wrote which gives 10 key questions on GDPR readiness to get a quick view on how well you may measure up.
The GDPR offers organisations the opportunity to grab a real competitive advantage. With better data practices comes the ability to identify and target individuals, and in the recruitment sector anything that helps to pinpoint the best candidates will no doubt be welcomed with open arms.
If you’d like to know more about how to quantify the scope of your GDPR activities and prioritise the preparation of your personal data for upcoming data legislation, you can visit our GDPR hub where you’ll find whitepapers, research reports and details on how Experian can help.
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.