GDPR Impact on Recruitment Industry

It has been almost two decades since the introduction of the Data Protection Acts (DPAs). As technology develops, business operations and human activities keep changing. The laws governing these activities must keep pace with the rate of change.

The European Union seems to have taken heed of this advice and, on May 25 2018, will introduce the General Data Protection Regulation (GDPR), which strengthens the previous DPAs to keep them on par with current global technology developments. The new regulations introduce stringent conditions on how organizations should manage personal data.

There is no doubt that this new law will significantly affect the way recruiters operate. Recruitment forms an integral part of organizations. It handles vital information concerning all the company’s workers. As a result, those involved in processing such information must act in conformity with the regulations governing data protection. Anyone participating in the recruitment process will have heard about this law by now and given some consideration to the kind of personal data they capture, the procedures they use to collect it, how they store it and how it is used throughout the recruiting process.

The current workflows in most companies were never structured to be compliant with the new EU regulation. Due to this, recruiters must conduct a comprehensive evaluation of their existing processes, systems and procedures and strategize on what will be required to ensure GDPR compliance before its effective date. Several current processes that involve personal data will be deemed illegal and attract huge fines if companies fail to introduce significant changes. For example, a common recruiter practice such as forwarding a candidate’s CV to a third party without the candidate’s consent will constitute a crime punishable by law.

Candidates’ consent and CVs

Informed consent as enshrined in the GDPR will be a significant headache to most recruiters. Past practices such as keeping unsuccessful candidates’ CVs for future consideration will require re-evaluation under the new law. Before a decision is made to keep somebody’s CV in the company’s files, recruiters will be obligated to prove the specific consents given by the candidates. All recruiters, including online job boards, will have to reconsider their consent procedures to align them with the regulatory requirements. The law will bar recruiters from using personal data without a legal basis.

Subject Access Right

The new law tends to grant users more powers and control over their personal data. This calls for recruiters’ transparency. The areas of interest include how they source personal data, reasons for sourcing, and their use. The recruiters will have to implement systems and processes that provide employees with access to their personal information. Employees may ask for such access under the subject access right to crosscheck their data’s accuracy and provide necessary updates. They also have the right to access and confirm the entities with which their employer might have shared such information.

Audit Trail

GDPR will force recruiters and their agencies to maintain an audit trail that shows how personal documents such as CVs have been obtained. In addition, they will have to get approval from candidates to use their data in any way. In cases where consent is denied, the law bars recruiters from using subjects’ data. Recruitment agencies must be prepared to delete any information when asked by the owner unless it is protected by another law. Besides, they will be required to ensure data security and report breaches immediately.