GDPR: What’s best practice for recruiters?

Nick Martindale

The recruitment sector is no stranger to adapting to new legislation.

However, the implementation of the General Data Protection Regulation (GDPR) from 25 May has the potential to impact on the very fundamentals of the profession.

“GDPR applies to all organisations which process personal data, and recruiters by their nature process significant amounts of this, including sensitive personal data,” says Lewina Farrell, a solicitor and head of professional services at the Recruitment & Employment Confederation (REC).

At its most basic, the rules give individuals much greater controls over how their data is used, meaning recruiters will need to have consent to use that information. “Recruiters will be required to confirm to the data subject what their personal data will be used for, who specifically it will be shared with, where it will be stored and how long it will be stored for,” points out Graham Robson, SME growth advisor with national network Business Doctors, and a former recruitment agency managing director. “It will become more difficult for recruiters to have arm’s length relationships with candidates.”

The focus for recruiters should be two-fold: a review of their existing data, and implementing new working practices going forward. A good starting point for recruiters is to carry out a data mapping exercise, says Tania Bowers, general counsel at APSCo. “Document what personal information you hold, where it came from and who you share it with,” she says. “Recruitment leaders should review contracts and update privacy and retentions policies to ensure they are transparent. Recruitment companies must also prepare to be accountable, take responsibility for their data and respect the right for individuals to be forgotten.”

Once firms have identified what data they have and how it is used, they can begin the process of cleansing that information. “This needs to happen across all devices through which staff can access personal data,” says Farrell. “Use this as an opportunity to get all staff working through the CRM – there is software which collects data via devices but will store them on the CRM rather than the device itself.” To help with the data cleanse, recruiters will need to know the legal bases on which they are processing data, she adds; just one of which is consent.

Such an exercise should also involve a data security review, says Mark Hill, group chief information officer at Frank Recruitment Group. “As an organisation, to ensure complete information confidentiality and regulatory compliance, you should determine which security framework best suits your business, based on industry regulations and geographical markets,” he says.

“Then, audit your existing security design against this framework to produce a gap analysis. These processes will provide the foundation for your security roadmap and allow you to prioritise based on risk.” It’s a good idea to appoint someone in the organisation to take responsibility for ensuring appropriate controls and risk mitigation, he adds, although he stresses the need for training to ensure everyone in the business is aware of the new requirements.

New processes around data usage will also have to be designed, and explained to staff. “The data minimisation principle will be applied, meaning recruiters can only process data that is needed for the specific purpose of the processing,” says Cecile Georges, global chief privacy officer at ADP. “Recruiters will need to set up individual rights requests, including the right to be forgotten, opt-in talent communities for candidate sourcing with consent, and data retention schedules.”

In practical terms, this may also change how people go about their job of finding potential candidates. “It’s very unlikely that a candidate would be happy for a recruiter to use personal information that is a decade out of date in order to assess them for a new role or present them to a potential employer,” points out David Stott, vice president, enterprise and international, at Bullhorn.

This could have implications for the way in which recruitment firms themselves operate, as well as individual recruiters, says Robson, challenging the criteria many clients use for preferred supplier lists. “Two key metrics are speed of response, and the number of CVs submitted to each vacancy,” he says. “Recruiters compete for candidates in a race to be first over the line and claim the candidate for a specific vacancy. This required speed of response leads to an arm’s length approach to candidate acquisition and in some cases consent not being sought.” Posting information on a job board or LinkedIn does not automatically convey consent for recruiters to download and process information without permission either, he adds.

Sellick Partnership is one company that has already been through the process of assessing its data-handling and working practices, and is confident of being fully compliant by the May deadline. The process has not been an easy one, says finance director Mike Hoyle, but has ultimately proved manageable. “At first we felt the guidance was very inconsistent and confusing, and it took us a while to break the information down and understand how GDPR was going to impact us,” he says.

“We attended numerous sector-specific briefings, took independent legal advice and read as much about the regulation as we could. After doing this we felt much more comfortable with what we had to do. By breaking each point down, it makes the work much more manageable.” Seeking expert advice also gave the business the confidence it was doing things correctly, he adds.

Recruiters need to use GDPR as an opportunity to re-engage with jobseekers and sell themselves to clients on the basis of the quality rather than the quantity of data they hold, says Farrell; something Dale Williams, managing director of Yolk, intends to do. “We will be preparing by doing a thorough audit one department at a time of all the data we have on file, looking at how it was collated, stored and who it is shared with,” he says. “We will also be reviewing the consents already held to meet the terms of the legislation, and carefully documenting this. Although it is a large task, we see it as an opportunity to review our current data collection and processes and make them as secure as possible.”