Most recruiters know the importance of obtaining candidates’ consent to use personal data in order to comply with their obligations under data protection legislation.
From May 2018, however, when the new General Data Protection Regulation (GDPR) applies, consent will rarely be the most appropriate basis upon which to rely when processing candidates’ personal data.
What does ‘processing personal data’ mean?
Personal data includes any information which could be used to identify a person. Apart from obvious identifiers like names, addresses and NI numbers, personal data can also include bank details, CVs (even ‘anonymised’ ones, potentially) and references.
The definition of “processing” will cover virtually everything that a recruiter might do with a candidate’s data, including collecting, organising or using personal data in any way.
While the GDPR will not apply until 25 May next year, recruiters should take steps now to ensure compliance. A key element of the GDPR is that it applies not only to personal data processed after 25 May 2018, but to all personal data already held at that date.
The pitfalls of relying on consent
You probably currently rely on candidates’ general consent to process their personal data, but the new standards that must be met for consent to be valid are set much higher than those under the existing legislation, any consent previously obtained is unlikely to discharge your obligations under the GDPR.
The GDPR emphasises the importance of offering individuals genuine and informed choice and control, as well as positive opt-in process, as opposed to pre-ticked boxes or ‘blanket’ consent.
ICO Draft Guidance has indicated that when relying on consent under the GDPR, it is necessary to name all the third parties to whom any personal data will be disclosed. In practice, however, few recruiters could name all the hirers to whom they might send a candidate’s personal data, not to mention other organisations, such as HMRC, former employers (for referencing purposes), and payroll providers.
The ICO also suggests that if you would still be able to process the candidate’s data without consent, it could be ‘misleading and inherently unfair’ to rely on consent in the first place. For example, a candidate might consent to you retaining their data for your records, but even if consent is withdrawn you would still be obliged by law to retain some data under the Conduct Regulations.
These are just two reasons why recruiters should consider a basis other than consent, where possible. Given the hefty fines that the ICO will be able to impose (up to £17m, or 4% of turnover) it is important for recruiters to get this right.
What about sensitive data?
The rules are stricter still for special categories of data, which include sensitive information about, for example, health or disabilities, to which recruiters are likely to have access. Processing such sensitive data is prohibited, with very few exceptions, one of which is for the purposes of assessing the working capacity of an “employee” – but is an agency worker an “employee” for the purposes of GDPR?
Recruiters will also have to address the issue of personal data in respect of their own employees and former employees.
GDPR is really important for recruiters, particularly as it applies to data already held on 25 May 2018. We are receiving unprecedented numbers of queries from recruiters on GDPR here at Lawspeed. An emerging, and worrying trend, is for hirers to attempt to avoid liability under the GDPR by passing the risk on to recruiters. With the ICO able to impose severe penalties, it is critical that recruitment businesses fully understand the issues and how to address them.
Lawspeed recently announced its seminars on the GDPR, to be held in Manchester and London in October. The full day seminars will explain how GDPR affects recruiters and the practical steps needed to be taken in relation to the recruitment process, as well as in respect of your own employees.
For more information please call Lawspeed on 01273 236236 or email us at info@Lawspeed.com