
In focus – GDPR, personal data and recruiters

The recruitment industry disseminates huge volumes of personal data every day – everything from job posting boards to emailing candidate CVs – and the quantity of data being managed is likely to increase. 

According to research by Investors in People, 1 in 4 UK employees are looking for a new job in 2017 (up from 1 in 5 in 2016) and 1 in 3 are unhappy at work. Article by Mike Williams, CEO – Pushfor.

The General Data Protection Regulation (GDPR), which comes into force in May 2018, will have a significant impact on the recruitment process for both recruiters and employers. In particular, organisations will need to evaluate whether current workflows are robust enough to safeguard personal data that is often shared as part of the recruitment process.

Any business that breaches the regulations could face a fine of up to 20m euros or 4 percent of their global turnover. But they’ll also suffer reputational damage, as we all come to expect data privacy and protection to form the foundation of any organisation we do business with.

GDPR’s renewed focus on security
GDPR will force any organisation that deals with the personal data of EU citizens (or that stores its data in the EU) to renew their focus on data security. In 2016, British organisations were fined a total of £880,500 by the Information Commissioner’s Office for data breaches; under GDPR the total would have been £69m. The smaller businesses would have been hardest hit, with fines so large that they could have struggled to stay in business.

Recruiters deal with sensitive personal information every day. There needs to be a way to store this information securely, while minimizing the impact on the business – in other words data needs to be safe, but the right people should be able to access it without going through an administrative nightmare.

However, it’s not just their own data security that recruiters need to worry about. In November 2016, recruitment firm Michael Page hit the headlines for an attack on a supplier’s server. Capgemini had its development server hacked, and 780,000 people who used Michael Page to find work had their personal data compromised.

GDPR will force recruiters to address not just their own data security, but to find a way to guarantee that their third-party suppliers retain the same stringent security measures.

Data collection, use and consent
The key principle of GDPR is transparency. Individuals have the right to know why their data is needed, what it will be used for, who will be using it and how it will be secured.

While recruiters are used to requiring consent to use personal data, GDPR introduces tighter controls. A tick box on a contract won’t be good enough. For example, a recruitment agency would need to explain what information they were intending to pass on to potential employers. Do they intend to pass on the C.V. as is? Perhaps they intend to edit out information or emphasise a certain skill. Candidates would need to agree in advance.

Permission not only needs to be sought for each use of a person’s data, but it needs to be given freely. Individuals need to be informed of their rights, and their ability to withdraw their permission to access and hold their personal data.

For example, when a candidate posts their personal information on an online job site, their information can be accessed by a number of recruitment agencies. Currently, candidates may have no way of knowing who has accessed their data, or whether recruiters have printed it off or stored it on their own servers.

The question is, when the candidate decides to delete their profile from the site, who still has access to their data? Under GDPR, candidates have the right to be forgotten, but how can recruitment sites enforce this with third parties?

The fact is, they can’t – not without changing the way they collect, store and give access to candidate data. If the recruiter’s client has the ability to download data, there’s no way to know where that data will end up. But by keeping the data on servers they control, and ‘pushing’ it out for clients to read, job sites and recruiters can make sure that their data management practices remain compliant.

Our right to be forgotten
Article 17 of the GDPR is the Right to Erasure – or the Right to be Forgotten. Recruiters will be obliged to delete any personal data that individuals want them to (unless there is a legal or compliance related reason for the business to hold the information).

Recruiters have to be able to meet this deletion requirement by May 2018. To do this, an individual’s data should be stored in a way that makes it easy to trace and remove if required. This may be impossible to achieve unless the technology that recruiters use, and the information sharing culture of the business, undergo a fundamental change.

For example, imagine a business that receives more than 5,000 CVs per month. These CVs go from HR to the hiring manager, and from them to other people on the team or even other managers who are also hiring. After GDPR, what would happen if any of these candidates chose to implement their ‘right to be forgotten’?

Would the business be able to track down who had access to the information? Who had stored it on local devices, printed it out or taken it home? Would it be able to identify what systems the data was in and delete it easily?

Without implementing a new system, and a new way of working with personal data, businesses risk leaving themselves vulnerable to considerable fines under GDPR.

Recruiters – both agency-based and internal – will need to assess what data they have and whether they really need to keep it. They’ll need to look at how data is stored, and how many databases, spreadsheets and systems it’s stored on. If I tell you to delete my data, will deleting it from the database be enough? Or could my data be on someone else’s hard drive or USB stick? Could it be sitting on someone’s computer in one of your international offices? These are the issues that recruiters will need to resolve before GDPR comes into force.

The individual’s right to control their data
The new regulations give individuals much more control over their data, but how will recruiters enable the exercise of these rights? How will they provide candidates with access to the data they hold on them?

Recruiters could set up accounts for each new person they work with, using it as a secure place to store and access their data. This would give people a clear picture of what data the business had, and how they were applying this data. People would be able to correct mistakes, and challenge decisions that they disagree with. It would provide greater transparency into how the recruitment process works.

The impact on background searches
It’s not just GDPR that the recruitment industry has to focus on. The Queen’s Speech reinforced the government’s commitment to data protection. It’s looking to extend the right to be forgotten by allowing 18-year-olds to ask social networks to delete any content posted by or about them prior to them turning 18.

Online searches and examining people’s social media accounts have become a normal part of the recruiting process for some in the industry. Will this new legislation lead to a change in attitudes and behaviour around the data we use to assess candidacies?

One thing’s for sure – the new data protection legislation will have a huge impact on the recruitment sector. The question is, how prepared will recruiters be when May 2018 rolls around? With the right systems and processes in place, there’s no reason why businesses should be negatively impacted by GDPR, but the changes need to start now.

https://pushfor.com
