GDPR and recruitment: Upping the stakes on privacy protection for candidate Personal Identifiable Information

New privacy standard for individuals means better business IT security

Barely a week passes without some news of a major information security incident. Recently, we’ve had ransomware attacks exploiting the ageing population of Windows XP computers that are still being operated by the creaking NHS, and media and entertainment giants like HBO, who really should be locking things up better, being blackmailed over stolen episodes of Game of Thrones which are yet to be broadcast.
However, across the globe, information security is set to get a shake-up. On 25 May 2018, GDPR, or formally the European Union General Data Protection Regulation (EU-GDPR) comes into force. It is one of the most significant changes to the regulatory frameworks which govern business practice for many years.
Ostensibly, GDPR is a legislative instrument aimed at protecting privacy and the rights of individuals in regard to how Personal Identifiable Information (PII) is controlled and processed by businesses and public bodies. While this may seem to be of benefit mainly to citizens, it is actually a very strong premise from which to build a universal security framework.
Adhering to the framework enables businesses to achieve a better standard of security and helps to promote a more consistent approach to information security. For recruitment agencies this means greater confidence when sharing information with clients and supplier organisations as well as delivery partners and other third parties.
Following the framework also means the processes that support achieving compliance become embedded. The GDPR is designed to provoke a change in culture, and it doesn’t just include IT security measures and the practice of technology staff; it includes each and every user of business technology in your recruitment firm.

GDPR overview – the quick facts recruitment firms need to know

A good way to get a handle on GDPR is to consider the following key points about the legislation.

• The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens.

• In the case of the UK standing outside of the EU as a result of Brexit, the UK government has stated its intent to write GDPR into UK law in the next parliament. One of the reasons for this is to remove any potential barriers to trade and security post-Brexit, that might arise if the UK had a different data protection framework.

• The GDPR widens the definition of personal data, bringing new kinds of data under regulation. The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.

• The GDPR tightens the rules for obtaining valid consent to using personal information. The GDPR requires all organisations collecting personal data to be able to prove clear and affirmative consent to process that data.

• The GDPR introduces mandatory privacy impact assessments (PIAs) to identify privacy breach risks and minimise risks to data subjects. The inclusion of PIAs is mainly due to the influence of the UK’s Information Commissioner’s Office (ICO).

• The GDPR introduces a common data breach notification requirement that harmonises the data breach notification laws in Europe. This is intended to ensure organisations constantly monitor for breaches of personal data. Organisations need to notify the local data protection authority of a data breach within 72 hours.

• The GDPR introduces the right to be forgotten. Organisations are not to hold data for any longer than necessary, and are not to change the use of the data from the purpose for which it was originally collected. Data must be deleted at the request of the data subject.

• The GDPR requires that privacy is included in systems and processes by design. Software development processes must factor in compliance with the principles of data protection. Essentially, all software will be required to be capable of completely erasing data.

• The GDPR allows any European data protection authority to act against organisations, regardless of where in the world the company is based. This enforcement is backed by significant fines for non-compliance of up to €20m or 4% of group annual global turnover.

Implications of GDPR for the recruitment industry

Recruitment businesses hold important and valuable information about significant numbers of people. In fact, with the exception of medical records, recruitment firms often hold some of the most valuable personal information that individuals possess.
If, address, phone numbers and email seem like run of the mill pieces of data, DoB, educational achievement, professional qualifications and accreditations and work histories certainly are not. Then, there may be copies of passports, driving licence and immigration documents.
And it’s not just the information your agency holds. It’s also about what data you share and who you share it with. The GDPR requirements around obtaining permission to process data, data breach notification and the penalty system are going to focus minds across the business world.

Best advice on GDPR and ETZ

The best advice is for all recruitment firms to take control of preparing for GDPR as soon as possible. With the GDPR set to enter force on 25th May 2018, some might be forgiven for wondering: “Why the rush to take control of it now?”
However, there are no quick fixes to GDPR compliance. The best approach is a comprehensive assessment of where your recruitment business currently stands on IT security. Engaging with a good IT support company that is able to audit, identify gaps and work out how to get you to where you need to be to meet the GDPR standard is a good approach.
ETZ is developed and hosted from cloud infrastructure operated in line with ISO 27001, the internationally recognised standard for information security. Where appropriate, our systems will be updated to meet any changes to the standard required to accommodate GDPR.
For more on GDPR click here to take a look at ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’ from the Information Commissioner’s Office (ICO).