GDPR: What it Means for Recruiters
Where there are people there’s data and our industry couldn’t get any more human-focused. So is GDPR the dark cloud in every recruiter’s future? Will its new regulations on collecting, processing and handling data break us?
The facts are faint-worthy: €20 million or 4% of your global turnover is the penalty for breaching GDPR rules.
Basically, you’d be a fool to ignore it this close to D-Day (GDPR comes into effect this May). Accept that the job needs doing and protect your business from the wrath of the EU Supervisory Authorities (SAs) and their new data regulations.
The Deal With GDPR?
It’s not about you. GDPR is about companies that are misusing their customers’ data. It’s about giving people the power to keep their data private at all times, so they know exactly how and why their details are being used and can make more informed decisions surrounding personal security online.
The new regulations from GDPR are pretty straightforward and in the interest of all of us. The basic premise for recruiters: you need consent (which we’ll discuss in detail shortly) at the time of collecting candidate data to process it, add it to your records and use it. A compliant privacy notice is also required and candidates can request that you delete their records or object to having their data processed at any time.
The major boon from GDPR will be enhanced trust between a recruitment business and its candidates. And with stronger relationships comes greater loyalty and more bountiful connections.
Stay compliant using these simple steps, protect your business and build trust between you and your candidates.
Stage One: Organisation
Before you go on a big holiday, you need to prepare thoroughly for a smooth vacation. GDPR won’t give you sunshine and tequila but it works the same way.
Prepare for GDPR compliance by implementing a customer relationship management (CRM) system into your business (if you haven’t already).
Why? If your recruiters are all using different files to document customer data, following that paper trail when you need to prove GDPR compliance is going to be a nightmare. Get everyone in every area of your business to store information on the same system and throw your post-it notes in the bin.
Certain systems will also allow you to capture consent and store it in your customer records. So when the SAs come calling, your paper trail is enough to get you the green light.
Once that’s taken care of, pick a person with an eye for detail to be your data protection officer. With the responsibility to run data audits, they can fix any inaccuracies in your customer data quickly. And by centralising all departments and creating a plan of action, they can determine what is needed and when to stay in line with GDPR.
Stage Two: Knowledge
You need to know the origins of all your candidate data to accurately review your data policies for GDPR compliance, so you can home in on where you need to obtain consent and develop lawful data procedures.
To do this, map out your candidate journeys. How did you initially collect their data? Perhaps they opted in by signing up to your careers page or an event. Or maybe you sourced them from LinkedIn. Understanding this will get you clued-up on how to obtain consent for your existing and future connections.
But for the recruiter, things can start to get foggy here, because you can contact candidates using their data on the basis of “legitimate interests”, according to Article Six of the regulation. As long as the needs of your business don’t override the needs of the candidate, you should have the grounds to email or call them.
For instance, if the candidate you want to contact is a marketing manager who has set their LinkedIn profile to ‘open to opportunities’ and you’re advertising for a relevant role, this could signal a legitimate interest allowing you to send them an introductory email. Notice how we use ‘might’, ‘could’ and ‘should’ here: legitimate interest is on the cryptic side of GDPR so playing it safe is your best option.
If there aren’t grounds for legitimate interest, you can ask for the candidate’s consent to contact them further, as we’re about to discuss.
Stage Three: Action
Consent is the GDPR buzzword. To put it simply, you need to know when, why and in what context consent was given by a candidate for you to contact them. And you need proof of this to play by GDPR rules. This can shake things up for the recruitment process.
Let’s say you’re looking for new candidates. If they don’t satisfy the legitimate interest clause and haven’t opted in to updates from you, you can’t justifiably contact them. If the opposite is true, you can ask for their consent. Gain that and it’s safe to make a move.
This procedure of gaining consent must be followed by all of your recruiters. You also need to ensure you have consent to use data from your existing contacts. Do this by sending them an email clearly stating how you want to use their data. For example, your opt-in could be: “Would you like to receive vacancy updates from us?” Make sure you do this before the 25th May: if you don’t, you’ll need to delete your existing contact details to stay GDPR compliant.
Your privacy notice probably needs updating too. It must include:
- Your contact and company details
- The way you store candidate information
- How long you intend on storing the data
- What rights a candidate has over their data
- How a candidate can request to delete their data
Ensure your candidates have easy access to this information. You can provide a link to your updated privacy notice in any initial emails you send along with your opt-ins for GDPR-foolproof communication.
Don’t let GDPR’s stringent regulations discourage you. Your recruitment business isn’t doomed; in fact, you can benefit from these new data rules. Enhanced data protection will strengthen the trust between you and your candidates, and let’s face it, a little more faith in recruiters will go a long way.