GDPR for Recruitment Agencies - Everything You Need to Know

When did GDPR come into effect?

GDPR guidelines came into effect on the 25th of May 2018, meaning that recruitment agencies will already have had to change the way that they store and handle data.

The reason that these regulations were imposed was to update previous data legislation that was written in 1998 and wildly out of date regarding the technology used for data handling. The new guidelines offer individuals in the EU more control over who can access and store their personal data, as well as decreasing the risk of cyber attacks that may exploit this data.

What is personal data under GDPR?

GDPR legislation refers to the information it is designed to protect as ‘personal data’. In this context, personal data refers to information about an individual that could be used to directly identify them. It also applies to information that could indirectly identify an individual if it was used alongside other information.

In recruitment, this personal data will be the names, contact details and other descriptive information that candidates and potential candidates give to you. In some circumstances, personal data might also be more sensitive material, such as an individual’s criminal history. You may also store some of the personal data of your clients.

What are the penalties for failing to comply with GDPR?

If your recruitment agency is found to be failing to comply with GDPR, you run the risk of being fined either £20 million or 4% of your annual revenue, depending on which value is higher. The reputation of your agency will also likely suffer, with candidates and clients potentially leaving you for other recruitment firms.

What does GDPR mean for recruitment?

The big question that many recruitment agencies had before GDPR was implemented was how the new regulations were going to affect their business and internal processes. The most significant changes were:

Candidate Consent

Under new GDPR guidelines, candidates must give explicit consent for their personal data to be collected, stored and passed onto third parties (such as clients) by recruitment agencies. This applies to both general information and more sensitive data such as disability information and any criminal records.

You should make sure that your systems store proof of agreement to sharing personal data, so that you have evidence of when a candidate or client consented to let you store and share their information. As part of the new consent regulations, candidates must also be given the option to withdraw their consent at any time and have their personal data deleted from your agency’s database.

Legitimate Interest

In cases where you are collecting information about potential candidates with the intention of contacting them, you can store this data without their consent. However, the new regulations state that any information collected must be for “specified, explicit or legitimate purposes”.

These regulations mean that you can only collect data that is explicitly needed to contact potential candidates about a role or opportunity, and can’t just gather all the information you can find about them. You must also use this information to contact the potential candidate within 30 days, and after this the data must be deleted.

Candidate Access to Data

As well as giving their consent for recruitment agencies to store and use their data, candidates also have the right to access their personal data in order to check what information you hold or request that the data is changed. If one of these requests is made, your agency must respond within a month and be able to provide a copy of the candidate’s data.

Data Transparency

One of the most important things that recruitment agencies have to do under GDPR is to have a clear privacy policy regarding the personal data that you store, and make this privacy policy available for any clients or candidates who wish to read it. This privacy policy needs to state where you store personal data (such as in cloud-based software like an ATS) and should also state that the data will only be used for recruitment purposes.

Accountability

There is no formal assessment or accreditation that proves that your recruitment agency is compliant with GDPR, so it falls to the business to ensure that they are demonstrating this compliance through things like their privacy policy. You shouldn’t just state what you are doing; you need to have proof of every step you are taking to follow the guidelines.

Your agency should assume responsibility for following all the rules set out by GDPR, and be prepared to show accountability in the case of any issues and work to rectify them.

How to Ensure Your Recruitment Agency is GDPR Compliant

The new General Data Protection Regulations have been around for two years now, so it’s likely that existing recruitment agencies will have got up to speed on what changes they need to have made and implemented them. However, if you’re new to recruitment or just want to double-check that you’re doing everything you can to comply with GDPR, you’ll definitely benefit from the following tips.

1. Read up on GDPR

It might not be the most exciting of tasks, but the best way to ensure that you are following GDPR guidelines is to familiarise yourself with the new legislation, or make sure that a member of your agency is an expert. Appointing a data protection manager in your team is a good way to centralise your GDPR compliance strategy and provides a touchpoint in the case of any queries or data issues.

2. Map your data

In order to check whether your data handling is GDPR compliant, you first need to map out all the different kinds of personal data that your recruitment agency handles and establish where it is stored. This will help you to identify where in your recruitment process you need to secure consent from candidates to store their data, and where you should be outlining your privacy and data policy.

Mapping your data will also help you to assess how much of what you gather is actually necessary as part of your recruitment process. For example, you may be asking for multiple different contact details for potential candidates, when you may only need one piece of information for legitimate recruitment purposes.

3. Review your sourcing process

Collecting data with ‘legitimate interest’ is a big part of GDPR, and this really comes into play when you’re sourcing potential candidates online. By reviewing the process that your agency uses to source new candidates, you will not only ensure you are being compliant but probably also end up with a much more efficient sourcing procedure!

Make sure that you are only collecting the data of individuals that you legitimately plan on contacting, and put a protocol in place that means that their data is used to contact them as soon as possible. You should also make sure that you are only collecting data that is 100% essential to your sourcing process, and check that personal data is being collected lawfully.

4. Review your job application process

As well as ensuring that your candidate sourcing process is GDPR compliant, recruitment agencies should also review what data they are asking for in job application forms. Again, make sure you aren’t collecting any unnecessary information that doesn’t actually relate to the role.

On a job application form, you should make it clear to your candidates what you are going to do with their personal data and let them know where it can be found and how to remove it from your database. It’s also a good idea to make your privacy policy easily accessible, and let candidates know what information they can find there.

5. Establish a clear data policy

Whether you refer to it as your ‘Privacy Policy’ or ‘Candidate Terms of Use’, it is incredibly important to have a clear set of terms and conditions for your website that outline exactly how personal data is collected and shared. Within this policy, you should cover:

How you are going to store your candidate’s data
How candidates can access their data and what rights they have to remove it
How long you are going to store your candidate’s data
The reasons why you are storing your candidate’s data

This will ensure you are meeting GDPR requirements for disclosing how you handle personal data, and gives candidates access to all the information they might need in one place.

6. Check the compliance of external systems

It’s not only important to make your recruitment agency compliant with GDPR, it is also your responsibility to check that the software you are using complies with it as well. The majority of recruitment agencies use applicant tracking systems (ATS) to store and share their candidate data, and it is essential that this external software does not breach data protection regulations in any way.

To ensure that you are using compliant software to store your data, ask your provider what actions they have taken to ensure GDPR compliance, review their privacy policy and check that any other systems or companies that they work with are also following guidelines. If any of these reveal a red flag, it might be worth switching to a new ATS.

7. Create a data breach procedure

By following the guidelines set out by GDPR, you should be decreasing your chances of experiencing any breach of data. Make sure that every member of your recruitment agency is up to date on all the protocols that have been put in place, and regularly check that all preventative measures are being taken.

In the unlikely event that these preventative measures don’t work and your agency does suffer a data breach, GDPR states that you must act as quickly as possible to minimise the potential damage that could be done. You should make sure that your agency has proactive protocols in place to detect, investigate and report any breaches, and that you can collect evidence to show how you responded.

Summary

The changes brought about by the new GDPR legislation had a big impact on the way that recruitment agencies deal with personal data, from candidate sourcing methods to the way that information is organised and stored within agency software. GDPR recruitment processes do require time and effort to ensure compliance, but they are also designed to make your methods of data handling much more efficient and secure, which will benefit your recruitment agency.

Being transparent about what you do with personal data will improve the experience of both candidates and clients who work with you, as well as improving your agency’s reputation as an honest and reliable organisation. It might seem like a daunting set of rules to begin with, but once you’re in the know and have updated your procedures accordingly, recruitment GDPR will fit seamlessly into the running of your agency.

About the author

Tom Mcloughlin is the Director of Growth Recruits. A passionate marketer, he loves sharing his ideas with the industry and helping people take that knowledge and use it to get extraordinary results.

More on the Blog

Get in touch

Become our next case study

Get Your Free Proposal

GDPR for Recruitment Agencies – Everything You Need to Know