GDPR: How Much Will It Actually Affect You as a Recruiter?

The General Data Protection Regulation will be in force on 25 May 2018. There’s a countdown timer on the official GDPR website if you like visualising your deadlines.

Anyone in breach of GDPR could find themselves flirting with fines of up to 4% turnover. Or €20 million. Whichever you can least afford. This means, understanding it before it comes into force is a beneficial move.

If and when Brexit finally goes ahead then GDPR may not even apply. Because it’s EU legislation, there’s no obligation for the UK to retain it, post-Brexit, currently scheduled for April 2019.

It will still apply to anyone doing business in the EU however. So if you only recruit in Otley, this may all be totally irrelevant.

That said, given the extent the UK government and the ICO has been involved in GDPR, it’s likely that we’ll come up with homegrown regulations that very closely resemble it anyway.


Here’s what you need to know

We all know about GDPR.

Listen closely and you’ll hear it whispered throughout the halls of LinkedIn at night. A new set of rules to live by when it comes to handling our greatest commodity: data.

The word ‘data’ referring to any piece of information that can identify a person. So names, email addresses, medical records, mugshots and relatively accurate impersonations.

A lot of the things you’ll find on a CV. And any descriptive nugget from a database.

You’ll find personal data all over your office. Printouts of invoices, email exchanges, ring binders filled with lists of names, companies etc. But the humble CV’s perhaps the main data product you trade in.

What you do with this treasure trove of information could have huge consequences. As we’ve seen with news about the Cambridge Analytica.

Consent and the withdrawal thereof

One of the main reasons for GDPR is to reset expectations regarding data ownership. This will be done by putting the onus of control firmly in the subject’s hands. Essentially, individuals will have to choose who has access to their data. This means you. It also means your candidates. Clients. And anyone who has a data footprint.

There’s also a choice of what those in possession can do with that data.

And it’s not open ended.

In fact, you can withdraw consent at any time and every utterance of you will be deleted. Not doing so represents a breach. And a breach means prizes. Or, as the government call them, fines. 

Fines won’t come however if you can prove, legally, it’s one of the following:

– Within the public’s interest (like a Royal Wedding, for example)

– Documentary evidence of scientific and/or historic research

– A legal responsibility (in reporting a crime or supporting a legal case)

So unless your candidate meets the above criteria, you have to delete them from your database. Unless they’ve given you permission to keep them there.

Consenting into and out of any relationship that involves the use of personal data must be equal parts extremely easy and abundantly clear. You can almost hear the Mail Chimp servers buckling under the weight of a thousand mailshots.

All of them asking the same thing: Can we keep your data?

man on phone

Call in the hackers

Privacy by design’s a concept that calls for data protection by default, rather than as an addition. It could mean a redesign of certain systems and workflows. It could mean scaling up your CRM to provide next level encryption.

Data Protection is due an audit. At any point where information is transferred from the outside world to your firm. I’d say primarily from candidates sending in their CVs.

Accurate data is just as integral to its overall security. A ‘right to access’ enables the subject to request copies of their data, as well as information on where it’s been and why.

Processes that involve the storage and removal of data have to be audit proof. And that only happens when the systems themselves are fundamentally designed to guarantee the protection of data.

If your agency can say this right now, there’s no need to worry. If they can’t, you might want to look at your clunky old database a little more closely.

Are there any loopholes?

Look, it’s 261 pages, 99 articles and 11 chapters. Be my guest. The closest I could find was the Model Contract Clauses which seem to circumvent some of the more specific rules, as long as there’s an agreement in place that GDPR approves of.

GDPR seems complicated. Fortunately, it’s more about eradicating incommunicable terms and conditions and making things simpler.

The rules are: take ownership over the data entrusted to you, including care for its accuracy and security, and only process what you’ve been allowed to. Keep that ticking over and you’ll probably be fine.

Sounds like I need a Data Protection Officer?

You might need to appoint one, yes but probably only once. Click here for more information.

One of the most important things is the reporting of breaches. Specifically, not doing so. That’s where it gets expensive. Any data breach, whether mistakenly deleted, stolen or shown to the wrong person without consent, needs to be reported within 72 hours.

And breaches of any kind, means… yep fines.

Accounts Book

So, in summary…

The main benefit I can see from GDPR is that CV’s won’t languish on databases for years, unchecked.

If you want to work with someone, you’re going to have to be more present in their lives.

There will naturally be a shift towards increased data security and awareness. Whether this manifests in a more transactional capacity as we interact with our market or whether we start focussing completely on the candidate journey remains to be seen.

It’s likely candidates will become more selective in choosing agencies to share their data with. And clients too. For the general standards of recruitment, that’s not a bad thing.

Either way, we’ve got 20 million pretty convincing reasons to be more data aware.

I reckon it’s between recruiters and the insurance industry to see who cocks up first. And I just have this feeling that the first to do so will be made an example of.