Are You Ready for GDPR? A Step-by-step Guide for Recruitment Agencies


The European General Data Protection Regulation (GDPR) will affect businesses of all sizes from 2018, no matter where in the world they are located. With an effective date of May 25th (put it in your diary!), recruitment agencies are gearing up for stricter regulations, tougher fines and the mammoth task of auditing their current candidate data to ensure it’s GDPR compliant.

Are you prepared for the changes?

If not, don’t worry. Our handy GDPR guide explains the key details you need to know and contains a step-by-step guide for managing the rollout.

What Is GDPR?

The General Data Protection Regulation, or GDPR, is a ramped-up piece of data protection legislation originating from the European Union. It impacts any company, anywhere, that retains EU customer data, including small recruitment agencies with fewer than 250 employees.

The legislation is built around two key principles: giving the public more control over their personal data and standardizing regulations for data processing so far as it relates to EU citizens. The purpose is to ensure that everyone has the right to actively consent to use of personal data, the right to be forgotten, and the right to seek compensation should they suffer a data breach.

Failure to comply will result in massive fines of up to €20 million or 4 percent of annual turnover, whichever is higher. There’s no excuse for ignoring the changes. The regulators clearly mean business!

Seven-Step Checklist for Recruitment Agencies

Here are the seven steps you should be taking to prepare for the GDPR. Be aware that the legislation does not just affect your talent pool. Rather, it applies to all the data you are holding and using, whether it belongs to candidates, past and present employees, partners or suppliers.

1. Check and Refresh Your Current Processes

GDPR requires that you have clear processes in place to detect, investigate and report data breaches, and to locate, monitor and edit data. How would you react if a candidate asked to have her personal data deleted for example? Providing an easy-access online portal where candidates can edit their personal data and manage subscription details and job alerts should now be considered basic practice.

2. Audit Your Data

It’s important to understand what personal data you hold, where it came from and who you share it with. So, take a look at your website registrations, databases, spreadsheets, shared folders, event lists, timesheets and all the other places where you process information. Moving forward, you’ll be expected to maintain records of the various touch points.

3. Update Your Privacy Policy

Update your current privacy notice to include the information you have to tell people under the GDPR. Typically, this will include:

  • What data you’re storing
  • Why you’re storing that data
  • How you’ll be using it
  • The categories of recipients you may be sending the data to (employer, supplier, etc.)
  • How long you’ll be storing the data for. Best practice suggests that you should not retain candidate data for longer than two years with a re-opt in.
  • How candidates can withdraw consent (and make it easy for them to do so)

The UK Information Commissioner’s Office has issued guidelines for drafting clear, easy-to-understand privacy notices which you might find useful. Transparency is key, and regulators are likely to clamp down hard on companies that seek to hide data-protection information in the small print.

4. Rewrite Your Candidate Agreement

Under GDPR, you must get explicit consent to storing a candidate’s personal data — no more pre-ticked boxes on your website sign-up. You have 30 days from the point of storing the data to get consent, and current EU guidance recommends that consent requests be kept separate from other terms and conditions. In practice, this means rewriting your website candidate agreement to include a very clear, specific statement of consent and a positive opt-in.

5. Re-paper Your Current Candidates

Reach out to everyone on your database, confirming they’re still happy to be on file. Point candidates towards your new candidate agreement and have them re-opt in to confirm consent. A central tenet of the GDPR is not holding onto data longer than is necessary, so use the legislation as an opportunity to monitor “dead” data. Your recruitment software should highlight which candidates are active and which are inactive so you can plan to refresh or delete data accordingly.

6. Update Your Internal Policy Documents

GDPR requires that every staff member understands and plays their part in data protection, so update your internal policy documents and train your employees in data protection and the process for managing data-access requests. Build processes to pick up any data breaches and report these to the person responsible for compliance. Just one slip-up from a team member could seriously cost your agency, so ensure that everyone understands that they’re accountable.

7. Delegate Data Responsibility

If required, appoint a data protection officer (DPO) to ensure the agency complies with GDPR and be the contact for any data-protection queries. Not all recruitment agencies will need one, but given the consequences of GDPR violation, it’s wise to have someone accountable for your team’s compliance.

Sounds Complicated – Why Should I Care?

No doubt GDPR compliance can be overwhelming, but handled properly, it ultimately could benefit our business. No one likes having their data stolen, lost or shared without proper consent. By proving that your agency is compliant with the new laws, you could earn your candidates’ trust, enhance your reputation, and be the agency that respects personal data and better secures candidates against the future pain of data breaches.



Leave a Reply

Your email address will not be published. Required fields are marked *