General Data Protection Regulation - GDPR

The General Data Protection Regulation (GDPR) is a set of data compliance regulations that were introduced in May 2018 to replace the Data Protection Act (DPA), which businesses used as a guideline when handling personal data. Whilst we are already familiar with the DPA (and many of the key principles of the DPA are still present in the new regulations), there are some crucial changes involved with GDPR that will have a big impact on the recruitment sector.

 

What’s the aim of GDPR?

The main aim of the GDPR is to offer EU citizens (and this includes UK citizens too – Brexit or no Brexit!) a level of protection from privacy and data breaches that the DPA can no longer offer. This is because we now process vastly more data than we did back in 1995 (when the DPA was first created), meaning our digital landscape has now outgrown the DPA, and the GDPR has been created as a solution to this. Failure to comply with GDPR best practices could result in a fine of €20 million or 4% of global turnover, whichever is higher.

 

What’s Genesis Executive Search doing about GDPR?

In the run-up to May 2018, we put a lot of focus on assisting our clients and candidates with their GDPR-compliance efforts. If you’re already a Genesis client or candidate you will be able to review details on our recruitment database software (owned by Zoho Corporation) which is GDPR compliant. 

 

The good news is, we’re already in great shape to provide our clients and candidates with a GDPR-ready recruitment process and methodology.

 

Addressing rights for individuals with Genesis Executive Search

The GDPR aims to provide eight new rights for individuals that businesses must now demonstrate their ability and willingness to offer. Here’s a rundown of what Genesis is and will be doing to facilitate this.

 

1. The right to be informed

Under GDPR, individuals have the right to be informed about how a business has acquired their data, as well as how it will be stored and used. Once you have decided our lawful basis for processing personal data we’ll need to create or update a Candidate Privacy Agreement on your website (this will be a page similar to your Terms of Use or Cookies Privacy outline). Our Candidate Privacy Agreement needs to provide clear, unbundled clauses for the candidate to opt into, and these clauses should explain how, why, and for how long you’re going to store their data.

 

2. The right of access

From day one of establishing Genesis, we’ve always put our client and candidate first, so GDPR fits our model exceptionally well. We believe the best way to earn trust and ensure complete data accuracy is to allow candidates to clearly access (and edit) the data you’re storing on them from the outset.

 

GDPR also recommends that “where possible, organizations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information” (source: ICO)

 

To facilitate this, all our candidates have a fully branded and mobile-responsive candidate portal where candidates can log in to update their CV profile, job preferences, communication options and track their recruitment activities from any location, at any time.

 

3. The right to rectification

Candidates must now also have the ability to edit, update and rectify any missing or incorrect information you have stored on them. And if any personal information is edited, it’s your responsibility to inform third parties of the change and let the individual know which third parties their data has been shared with (and whom you’ve notified of their rectifications).

 

As it is our job to represent the candidate to interested third parties, having a clear and transparent way to carry this process out is going to be imperative. However, as the recruitment software (owned by Zoho Corporation) allows candidates to have full access to their own profile information, the onus is on you to ensure that your profile details are accurate and up to date.

 

Candidates can also clearly see which third parties they’ve agreed to share their information with and state any companies that they do not want their details to be shared with. We then ensure that every recruiter on our team respects the candidate’s requests by not sharing their CVs with companies they don’t want them to be shared with.

 

4. The right to erase

Under GDPR, candidates will be able to submit a ‘request to be forgotten’ at any time or even object to your legitimate interest for storing their data. For this reason, it’s not an exaggeration to say that our role may change overnight!

 

In order to maximize potential placement opportunities in our database, you’re going to have to ensure that you keep candidates actively engaged: job alerts, engaging blogs, or any other compelling reasons to stay in touch and add value to your candidates on top of having jobs to offer them are going to be vital.

 

5. The right to restrict processing

Every time a candidate fails to show up for an interview or even worse their first day on a new job, by default they’re restricting your ability to process their information.

 

Genesis is taking the approach of encouraging candidates to be more professional and making it easy for them to tell you that they are just not that interested in the position anymore. Each time a candidate submits their details with interest in a role, they will also have the ability to withdraw their interest at any time via their candidate portal, and this will automatically restrict your processing of that particular recruitment process.

 

6. The right to data portability

Under GDPR, the candidate must have the ability to download and export their information at will, and if requested, we have the new GDPR-standard of 30 days to comply with their request.

 

7. The right to object

We’re making it our mission to ensure we’re best placed to avoid any ‘right to objects’ from our candidates, and the area where candidates are most likely to object to our actions will concern direct marketing. Genesis combines all marketing activities in one place and prevents accidentally reaching out to a contact who has opted out of marketing.

 

All clients and candidates can clearly opt in and out of individual marketing channels of their own free will (e.g. email, job alerts, SMS, and email campaigns) and these preferences are taken into account when a recruiter creates a new recruitment campaign. For example, if a client has opted out of receiving email marketing or SMS messages, the recruiter will not be able to include that candidate in either your email campaign or bulk SMS marketing, thus ensuring that we abide by candidates’ wishes and permissions at all times.

 

8. Rights in relation to automated decision making and profiling

Finding the perfect candidate isn’t just about how they look on paper, which is why technology will never replace us when it comes to selecting the best candidate for a job. Whilst technology should enhance our toolset and help us become more effective at what we do, there are decisions involved in the recruitment process that will always be up to us to make.

 

And this is exactly the philosophy that our software adopts: We make potential matches on contacts, companies, candidates, and jobs to streamline our efforts, save time and guide us in the right direction. However, these matches are based on information provided and accessed by the candidate directly – there’s no automated decision-making when it comes to processing or profiling.

 

Advanced Security

Once data is collected, we need to ensure it’s stored in a secure manner and in accordance with the security provisions of the GDPR. This means we need to use the appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental loss, disclosure, access, destruction, or alteration.

 

In light of this, we’ve increased the level of password security and temporary password management on our software, ensuring peace of mind for our customers in the rare case of any potential security breaches. 

 

Auditability & Accuracy 

As a business owner, we have a responsibility to ensure that we keep accurate records to demonstrate our compliance efforts under GDPR (for example, records of candidate consent or of the candidate agreeing with our legitimate interest to store their data).

 

But let’s be honest – we’re all going to need a little help with this! We can support our efforts by instantly highlighting records that are due to expire under a particular compliance certificate or are approaching the end of a particular timeframe within which we are able to retain their data without any engagement from them.

 

It’s likely we’ll see more updates and further changes to the regulations that the recruitment industry will have to absorb and adapt to. But don’t worry! We’ll be doing everything in our power to help you embrace the changes as seamlessly and painlessly as possible, whilst continuing to focus on our mission to ensure we are maximizing our client and candidate engagement levels through our software.