GDPR and the Recruitment Agency

This Month: The Recruitment Agency…

Welcome to the ninth article in our series of professionally-themed insights for 2019.

Each written with a specific profession or role in mind, they’re packed full of helpful ponderables, tips and advice to make the GDPR work for you in your everyday 9-5.

This month, we’re covering the need-to-knows, good-to-knows and no-nos (!) for all you Recruitment Agents out there.

We hope it makes your GDPR life that little bit easier.

Dear Recruitment Agent…

Firstly, no, we’re not looking for a job, although there are plenty of people out there who are currently sizing up their next role – and some of whom will be on your books.

That means you'll be holding a fair amount of personal data on those candidates, regardless of whether they're actively seeking a position or not…

And if you’re holding personal data, then the next obvious question is how well aligned are your practices with the GDPR?

Here’s some basic guidance and gentle reminders on how best to manage your GDPR role…

GDPR Tips for the Recruitment Agent

If only your role with personal data meant that the exchange of information was just between you and your candidates, it would be so simple! Of course, that’s rarely the case, especially when you routinely need to share each person’s details with countless others as part of the job-hunting process.

So, here are some things to consider:

1. Be sure you’re applying the right lawful basis to process candidates’ data.

Apart from health records, there are very few other documents that contain as much personal data as someone's CV. So, however you acquire a candidate's details, you need to be sure that you're relying on the correct lawful basis to hold and use that information (and that you document that basis in a clear, easy-to-read and transparent Privacy Policy).

Remember that different processing activities can rest on different lawful bases. In recruitment the ones usually relied on are 'consent' and 'legitimate interests' (where the processing is necessary for your legitimate interests, or those of a third party such as your client, and those interests aren't overridden by the candidate's own rights and interests).

Within that, also make sure that you're only requesting or collecting data that you need for the recruitment process. Asking a candidate for their contact details, home address and information about their education and work history is a given, but unrelated data such as racial, ethnic or cultural information, political opinions, religious or philosophical beliefs, trade union membership, or anything concerning health or sexual orientation is special category data under the GDPR: it would be completely unnecessary for recruitment, and processing it needs an additional condition on top of your lawful basis.

When was the last time you reviewed your lawful basis/bases for processing?

2. Transparency is everything.

Letting people know how you use their data – what you do with it, who you share it with/where it goes and what then happens to it – and then what you do to safeguard it is a key part of the GDPR, and never more so than in recruitment where so many other parties are involved.

Do you tell candidates what happens to their data and, if so, how much detail do you provide? This area is full of potential pitfalls, particularly if you happen to be sharing their details with all and sundry or posting on job boards: even with the name removed, a CV whose employment history lets someone work out who it belongs to is still personal data, so you're still giving out identifiable information.

In the same way that your Privacy Policy clearly sets everything out about your GDPR approach and how it affects candidates, you need to proactively be up front with them – e.g. via your Ts & Cs and in your correspondence with them.

Do your candidates know exactly how you’re using their data?

3. Have a detailed overview of everything to do with your data processing.

For you to be able to tell your candidates exactly what happens to their data, you need to have a clear understanding of every single step in your processing chain.

Carrying out a data mapping exercise will let you know just that: where and how people’s data is stored (e.g. as individual hard copies, in spreadsheets or in an applicant tracking system), who has access to it and where else it’s passed on.

As well as being good practice in helping you track and locate every single place where candidate information is stored, it'll prove particularly useful if you receive a subject access request or a 'right to be forgotten' request (where candidates ask you to delete their personal data and stop processing it): you can only find, copy or delete what you know you hold.

And – dare we mention it – it'll make your life much easier should a dreaded data breach occur, when you have 72 hours from becoming aware of it to report it to the ICO if it's likely to pose a risk to the people affected.

How well do you know the whereabouts of all your candidate data?

4. There are right and wrong ways to gather data.

It’s imperative that any data gathered is lawful and in accordance with the GDPR, and so you should be clear about where and how you source candidate information.

For instance, are you scraping data from LinkedIn or other social profiles, adding it to your database and then sharing it? Collecting details via application forms linked to your own job ads is the straightforward case: the candidate gives you the data knowingly, for an obvious purpose. Sourcing it from profiles is different. It's allowed, provided those profiles are publicly accessible and you can reasonably assume that the candidate expects to be contacted through them, but because you didn't get the data from the candidate directly, you owe them a notice.

That means you must contact those candidates within 1 month of acquiring their details, letting them know that you have their information, where you got it from and what you plan to do with it – and anything beyond that notice, such as putting them forward to clients, happens only once they've given their consent. Otherwise, anything that follows will be unsolicited and in breach of the GDPR.

And be careful of data lists provided by third parties, as they may be sharing individuals' details without their permission – and it's you, not the list seller, who is answerable for what you then do with that data…

How legit is your data-gathering?

5. Only retain what’s appropriate and keep it safe!

It's so tempting to build a massive database so you can speak of having a huge talent pool and increase your chances of filling a client's vacancy. However, simply adding candidate data to your books in case you need it in the future isn't lawful under the GDPR: you need a current purpose for holding it, and you may only keep it for as long as that purpose lasts.

To retain candidates' information legally, you need to keep in regular touch with them to ensure that they want to remain active; otherwise you need to delete them (and you certainly can't include them in your numbers when you boast about the size of your database!).

And if you've gathered a candidate's data in the ways mentioned above and they've not provided consent – or you've received a right to be forgotten request – then you need to delete their details immediately. The same goes if, having acquired their details, you decide not to contact them after all (for whatever reason): in that case, you must delete them.

Finally, make sure that what you have is kept safe – which extends to knowing how securely your clients and anyone else you've shared data with look after it, ideally set out in writing in your contracts with them.

Could your database do with a clean-up?
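The two rules above (tell sourced candidates within a month and delete them if they don't consent; delete anyone who asks, and re-confirm anyone you've lost touch with) can be turned into a routine sweep of your candidate records rather than something you hope to remember. The following is an added example, not code from the original article or from Databasix. The record layout, the 180-day re-contact interval and the treatment of "within 1 month" as 30 days are assumptions, and the sample candidates are constructed, not real people.

```python
"""Retention sweep over a constructed candidate list (added example).

Assumptions not taken from the article: the record layout, the 180-day
re-contact interval, and 'within 1 month' being treated as 30 days.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Source(Enum):
    APPLICATION = "application"   # candidate applied to one of your own job ads
    SOURCED = "sourced"           # scraped from a public profile or bought in on a list


class Action(Enum):
    KEEP = "keep"                 # active candidate: the only kind you may count in your talent pool
    NOTIFY = "notify"             # sourced record: privacy notice still owed, one-month clock running
    RECONFIRM = "reconfirm"       # no recent contact: ask whether they still want to be on your books
    DELETE = "delete"             # no lawful basis to keep the record


@dataclass
class Candidate:
    candidate_id: str
    source: Source
    acquired_on: date
    informed_on: Optional[date] = None     # date the privacy notice was sent (sourced records only)
    consented: bool = False                # consent to be put forward / shared with clients
    last_contact: Optional[date] = None    # last two-way contact with the candidate
    erasure_requested: bool = False        # 'right to be forgotten' request received


NOTICE_DEADLINE = timedelta(days=30)       # article: contact sourced candidates within 1 month
RECONTACT_INTERVAL = timedelta(days=180)   # assumption: 'regular touch' means at least twice a year


def review(c: Candidate, today: date) -> Action:
    """Decide what one record needs, most restrictive rule first."""
    if c.erasure_requested:
        return Action.DELETE
    if c.source is Source.SOURCED:
        if c.informed_on is None:
            # Not yet told them you hold their data: send the notice now, or delete if the month has passed.
            return Action.NOTIFY if today - c.acquired_on <= NOTICE_DEADLINE else Action.DELETE
        if not c.consented:
            return Action.DELETE
    last_touch = c.last_contact or c.informed_on or c.acquired_on
    if today - last_touch > RECONTACT_INTERVAL:
        return Action.RECONFIRM
    return Action.KEEP


def sweep(candidates: List[Candidate], today: date) -> Dict[Action, List[str]]:
    """Group candidate ids by the action they need."""
    result: Dict[Action, List[str]] = {a: [] for a in Action}
    for c in candidates:
        result[review(c, today)].append(c.candidate_id)
    return result


def active_count(candidates: List[Candidate], today: date) -> int:
    """The only number you may quote as the size of your database."""
    return len(sweep(candidates, today)[Action.KEEP])


# Constructed sample data for the example; not real candidates.
TODAY = date(2019, 9, 30)
SAMPLE = [
    Candidate("C1", Source.APPLICATION, date(2019, 8, 1), last_contact=date(2019, 9, 20)),
    Candidate("C2", Source.APPLICATION, date(2018, 11, 1), last_contact=date(2019, 1, 15)),   # gone quiet
    Candidate("C3", Source.SOURCED, date(2019, 9, 10)),                                      # notice still owed
    Candidate("C4", Source.SOURCED, date(2019, 7, 1)),                                       # never informed, month passed
    Candidate("C5", Source.SOURCED, date(2019, 8, 1), informed_on=date(2019, 8, 5),
              consented=True, last_contact=date(2019, 9, 1)),
    Candidate("C6", Source.SOURCED, date(2019, 8, 1), informed_on=date(2019, 8, 5), consented=False),
    Candidate("C7", Source.APPLICATION, date(2019, 9, 1), last_contact=date(2019, 9, 25),
              erasure_requested=True),
]

if __name__ == "__main__":
    for action, ids in sweep(SAMPLE, TODAY).items():
        print(f"{action.value:>9}: {ids}")
    print("active candidates:", active_count(SAMPLE, TODAY))
```

Run it as-is and the sample splits into two active candidates, one notice to send, one re-confirmation email, and three records to delete. The point of `active_count` is the one the article makes: only records that pass every rule count towards the size of your talent pool.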

In-the-Know… Summary

The Need-To-Knows

  • You must use the correct lawful basis to process candidates’ data.
  • You should only collect and store candidate data that’s relevant to the recruitment process.
  • You need to let your candidates know what you’re doing with their personal data.

The Good-To-Knows

  • Proper data mapping will help to keep you on top of your processing.
  • A clear and transparent Privacy Policy lets everyone know where they stand.
  • The size of your database can only refer to ‘active’ candidates!

The No-Nos!

And whatever you do, please…

  • Don't dismiss the GDPR or put off finding the time to take it seriously.
  • Don’t gather or retain data unlawfully!
  • Don’t put off asking for help if you need it.

Help and support are only a quick email away

Despite the complexities, if you’re well on top of your GDPR responsibilities, you’re hired!

However, if there are still some gaps to fill, get in touch and we’ll be only too happy to help.

Because the last thing we want is for your business to fall foul of the GDPR – and create a raft of ex-recruitment agents 'actively seeking new opportunities'…


Next month in GDPR and The Professional: The IT Manager…

The information and remarks in this article represent guidance on best practice that was correct at the time of publication.

Contact Databasix

Tel 01235 838507

Databasix UK Ltd
is a registered company in England & Wales
Registration No. 08771007

Harwell Innovation Centre
Building 173
Curie Avenue
Harwell Oxford
OX11 0QG

Supported by Business Resilience secured by OxLEP Business