How Will The GDPR Affect Employers Who Are Recruiting
This article will answer a number of questions:
What is the General Data Protection Regulation (GDPR) and how will Brexit impact it?
What does the GDPR mean for employers?
How will the GDPR affect your recruitment?
What do employers need to do to make sure they comply with GDPR?
How will GDPR affect employers who are recruiting?
You may be aware that data protection legislation is being updated through the General Data Protection Regulation (GDPR). This replaces the Data Protection Act (DPA) and is designed to give each person within the EU more control over their data and to unify the rules on the export of data outside the EU. The regulation was adopted on the 27th April 2016 and it becomes enforceable from 25th May 2018.
We don’t leave the EU until March 2019, but the government has confirmed that Brexit will not affect the implementation of this legislation. The extent to which the UK retains the GDPR legislation after Brexit will be clearer in time, but this should not divert attention from initial implementation. Failure to comply may still incur penalties under a new penalty regime.
Why will the GDPR affect recruitment to my company?
You are dealing with the personal data of every candidate who applies to your jobs, sends in their CV speculatively or gives you any other personal details; therefore this law applies to you!
The update under the GDPR is designed to provide ALL individuals (including candidates) with better clarity on how their personal data is stored, who has it, where it is, how long it is being kept and how it can be removed. It applies to both automated personal data and manual filing systems.
The law is addressing the following key areas:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
How will the GDPR affect recruitment for my company?
There are many ways in which the GDPR will affect your recruiting processes. Firstly, you decide on the legal basis on which you are going to process an application.
There are 6 legal bases you can choose from; the most common for recruitment will be either consent or legitimate interest.
You must also inform applicants:
• How you will be processing their data
• How long you will hold their personal details
• How they can remove their personal details/application and their record
This means that whether you are advertising a job on a website, through your own careers site, requesting postal application forms or placing an advert in the paper, you MUST tell them all this information in your privacy statement or as a declaration.
If you are relying on consent only, then there must also be an empty tick box for the applicant to opt in and give you their explicit agreement for you to process their data.
Just because you receive the application from a candidate by email, it does not mean that they have consented for you to use their data for other jobs or keep their CV on your file. Just sending the privacy statement to the candidate on an auto-response email after they have sent in their CV does not mean you have their consent either. The legislation is changing this “assumed consent” to “explicit consent”. If you are relying on consent as the legal basis, you must have their explicit consent at the point that they send you their details, hence the blank tick box.
If you are relying on legitimate interest to process their application for the job they have applied for, then you will need to ensure that you have a Legitimate Interests Assessment (LIA) completed and that you communicate your privacy statement to them.
What do you need to do to make sure you comply with GDPR?
If you don’t use an Applicant Tracking System (ATS) or you have a variety of ways to capture candidate data, then you will need to review your recruitment process. Maybe you have a contact form on your website? If so, you will need to add the declaration above the button used to submit the application AND add a tick box for the explicit permission. You will also need to consider how you would remove the candidate's record if they requested it. You may also want to review what new routines you will have to create internally to fulfil the declaration you set out, e.g. removing a candidate's record and CV after 6 months.
If you do use an ATS and this is the only route by which applications can come into your business, then you will want to find out from your supplier what they are doing to address the regulations. You may also want to find out if there is anything you will need to do to ensure that the legislation is not breached.
The Flat Fee Recruiter Applicant Tracking System (FFATS) has been designed to get ahead of these changes. Amongst a variety of features, it allows the candidate to give their express permission and retract their details with the click of a button. Our prices start from £50 + VAT per month and tackle this new legislation head on, which means that you can be confident you are ticking all the right boxes with no headaches!
Want to meet our Mr FFATS? Just get in touch and we can take you for a test drive. Why not have a look at his brochure in the meantime?