New approach to risk as recruitment agencies review data laws
There are few organisations that deal more closely in personal information than recruitment agencies. Think of the personal records we keep on clients, candidates and associates as part of our efforts to match people with career opportunities. With the advent of the new GDPR in May 2018, every organisation needs to think about what it means for the data they hold and how they protect it.
Risk assessment
Accountability for data invites an assessment of risk. This type of risk assessment is commonplace in most disciplines particularly in terms of security, health and safety, and equality and diversity. In our approach to the GDPR, we should pause and consider the risk with every activity regarding the processing of data. It might be worth formalising this process to emphasise its importance and gain compliance. Think about who might test your systems; computer hackers, dissatisfied customers or staff, the media, your local MP, suppliers and regulators. What weaknesses might they find in your systems?
Data Protection Officer
The first place to start might be with the appointment of a Data Protection Officer. This is a legal requirement for organisations with more than 250 employees. But, however small your company is, it is worth charging a named individual with this responsibility, even as part of their existing role. This could be a good development opportunity for a keen employee. Having a dedicated role should help to keep this crucial issue top of mind. After all, penalties for a data breach can be as high as €20 million or 4% of turnover. Brexit offers no parachute, as UK law is likely to replicate the regulations.
Databases audit
The next step might be an audit of your databases. Ask yourself how they are organised, how often they are cleaned, and how frequently are records deleted? Your accountability as a data controller means being able to demonstrate the processes you follow to protect each ‘data subject’ with verifiable records and clear documentation. Consent to use the personal data of clients and candidates must be explicitly collected, and individuals must be told what you will use it for. You must allow access to the data if you are asked for it and delete it once its useful life is over.
‘Personally identifiable information’ could include IP addresses as well as names and postal addresses. In addition, there are specific rules around sensitive personal data such as religion or belief, and sexual orientation. In recruitment terms, this data is often collected for monitoring purposes and represents a high-risk area.
Update communications
There may be aspects of your communications that require updating to ensure that consent is specific and that approval, once obtained, is collected and stored automatically. Review your online forms to make sure that they ask explicit questions about consent. Organisations should also review their Data Protection Policies and make sure they are published and kept up to date. It is your responsibility to show that you are compliant.
The burden of responsibility may seem daunting at first, but the new legislation also represents an opportunity for recruitment agencies. It provides a fresh and legitimate reason to contact clients and prospects. As well as giving your business development a boost, you will be showcasing how proactive you are with this important legal issue, and it will help reinforce your reputation for professionalism. See the Information Commissioner’s 12-step plan to get started.
Tags: Compliance, Consent, Data controller, Data protection officer, Data Protection Policies, Data subject, Database audit, GDPR, Information Commissioner, Personal Data, Records, Risk assessment