Unless you’ve been living under a rock, you know that a new EU-wide data protection regulation is coming into effect on May 25th 2018. GDPR aims to strengthen existing laws and enforce the protection of the personal data of all EU residents. You’ve probably already received a few emails from the various services you use with updated privacy policies as companies begin to prepare.
Of course, it is going to mean changes for the recruitment industry as much as any other, if not more, and will enforce ethical conduct to counteract the shadier recruitment practices that drive us all insane.
This is a very important topic but isn’t exactly the most interesting one. EU-wide data legislation is never going to replace a listicle about the “Top 10 Game of Thrones Easter Eggs” as something everyone will rush to read, but we’ll do what we can to keep this short, engaging, and focused on the impact on candidates.
We’re not lawyers and we’re not going to claim to be experts on GDPR. We are expert recruiters though, and we are passionate about data privacy and your right to have your information respected and protected.
Before beginning, it is necessary to outline the key phrases you’ll probably hear a lot. The most important of these are “personal data”, “legitimate interest”, “consent”, “data processor”, “data controller”, and “right to be forgotten”.
Personal data is anything that could be used to personally identify you. If we just have your name, it’s not necessarily “personal data”. For example, if your name is Patrick Murphy and that’s all we have – that’s a common name so it may not count. However, if I have Patrick Murphy, CEO of CodeyCorp – that’s much more information and can be used to identify an individual.
“Legitimate interest” means that any company who holds or uses the personal data of an EU resident will need to have a legitimate business interest to do so. It is one of the six legal bases companies must have for processing personal data. In the case of a recruitment company, this means they have a business interest in your CV, your LinkedIn profile, and (in our opinion) your public GitHub profile. There is no right to be interested in your holiday pictures posted on Facebook. They don’t have the right to know your marital status, medical information, or what colour your kitchen cabinets are. (Unless, we suppose, it’s a job as a kitchen fitter?)
This is interesting because a higher proportion of people than you might think include all kinds of personal data on their CVs. We’ve mentioned it before, but we often see passport numbers, PPS numbers and/or information about family. We don’t need to know that and after May 25th, we literally shouldn’t know that!
For recruitment companies, the main pain point will be their databases. Most companies will have a ton of old CVs in their database which contain outdated information. It won’t be possible to claim legitimate interest on old CVs under the new law, so new consent must be sought if they wish to hold onto your data, and they must make efforts to keep the data up to date. This means you can expect to get a lot of emails from recruitment companies over the next few weeks requesting consent! (How long a time legitimate interest can be said to last isn’t set in stone – for some industries it could be years. For others, a short period of time. It’s up to each industry to decide how long is a fair amount of time.)
Data Processor and Data Controller are two forms of company that will have your data. A data controller is any company that will hold your data and wish to use it for business purposes. They will manage how it is processed. The data processor will both hold your data and, as the name suggests, process it. The controller determines how the data will be used and instructs the processor on how the data is to be managed. Recruiters will act as data controllers in most cases. A great many companies use some kind of ATS software to handle CVs and applications. The ATS software will act as data processor in this instance.
Right to be forgotten/Right to erasure is one of our favourite parts. This means that you will be able to ask for your data to be removed from a company’s database at any time. For you, this means that you can ask for your CV to be deleted from a recruitment database and ask to no longer be contacted and the company must comply. You can then apply to a new job and your application must be assessed fairly. It’s interesting though – if your CV has been removed from the database – you may still be contacted via Monster.ie or another platform because the record of you asking to be removed will also have been removed. This may be a double-edged sword for some as they are contacted by those companies they removed their CV from due to the company losing record of this request.
We strongly feel that GDPR is going to be a hugely positive move for the recruitment industry. Recruitment consultants who were already behaving in a responsible manner as regards personal data will notice virtually no change in their day-to-day. Those recruiters who do the things that have provided inspiration for many of our “Why do recruiters do terrible things?” blogs will have to shape up their acts! This is nothing but good for the industry and the candidates with whom we deal.