A hot topic for the recruitment industry at the moment is the GDPR (General Data Protection Regulation) changes which will be coming into force next May. Recruiters are expected to be hit hard by the new regulations, as personal data is something they all deal with on a day-to-day basis in their recruitment CRM. But how will the GDPR changes affect them?

What are the changes?

Individuals must give explicit consent for their personal data to be collected and used, and must know how that information is going to be used. It will be in the agency’s best interest to have a justifiable retention period for all types of data. People will also be able to object to the processing of data for profiling and can request that their personal data be erased when it is no longer required or when consent is withdrawn.

Companies must also inform all individuals affected by any security breach (including cyber-attacks) and the Information Commissioner’s Office within 72 hours.

For those who share data with another party (including umbrella or payroll companies), it is vital to seek the data subject’s consent to do so.

Anyone not compliant with the new regulations may face fines of up to €20 million or 4% of global turnover.

How will this affect recruitment and what can you do?

Between now and May 2018, recruitment agencies will need to revisit their current data and update their processes to comply with the new regulations. This could involve asking existing candidates to re-register with them. It’s also important that your team are informed of the new regime and the importance of safeguarding personal data. They must also be made aware of the penalties which your agency could face.

Every recruiter’s database will definitely take a knock, as you must ensure that every single candidate you have on your database has given you permission to store their personal data. You must also make sure that separate consent is received for recruiters to use personal data for reasons other than those they originally asked for. For example, even though you have someone’s permission to send their CV out to clients, it doesn’t mean you can send them mailshots until they have also given their consent for that.

With regard to the new third-party data rule, it’s worth checking job boards’ policies and seeing how they will affect you and the data you store.

Finally, if you still use the process of ‘speccing’ without the candidate’s consent or knowledge, then it’s time to stop! With the new GDPR changes, implied consent (that may come from the terms and conditions laid out by a job board) is not enough, as personal data cannot now be shared on that basis. It is now also a legal requirement that every candidate submission is made to a valid role and that the candidate has been contacted by the recruiter and given the details before the CV is sent.

Luckily for everyone, the Information Commissioner’s Office have generated some useful content to guide you through the process. Have a look at this document to find out how you can prepare for the changes and if you require any more information then their website is the best place to go!