How does GDPR affect the relationship between you and your recruitment agency? GDPR is so broad that it can be hard to tell. There are, however, 2 key things which require some focus.
1. Sorting your Data Controllers from your Data Processors
The ICO state on their website, under ‘Key definitions’:
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
The Recruitment Agency View
Most recruitment agencies will see themselves as Data Controllers for the data that they hold on their candidates (Data Subjects). When working on a requirement for a client, and gathering data in relation to that requirement, recruiters will typically intend to provide that data to other clients for suitable vacancies (provided the candidate gives their consent). So, the recruiter determines the purpose and means of processing the personal data and is a Data Controller.
The Client View
Some organisations are taking the view that Recruitment Agencies are suppliers and therefore process data on their behalf, making them Data Processors. That would assume that the Recruitment Agency doesn’t intend to use that data for its own separate purposes.
Other organisations understand that the Recruitment Agency is a Data Controller, but what does this make the client? Probably also a Data Controller in their own right.
2. Obligations of a Data Controller
Full obligations of a Data Controller are too extensive to go into here. That said, there is one obligation which requires attention. A Data Controller (both Recruitment Agency and Client) has an obligation to inform a Data Subject (candidate) that they are holding their data, their intentions for the use of that data, and what the source of the data was. This obligation must be fulfilled within 30 days of receipt of the data, or as soon as you start to process the data, whichever is sooner.
So technically this means that every time a client receives candidate data from a recruiter they will need to contact that candidate and fulfil this obligation. Also, if this data will be reviewed (processed) pretty much immediately in relation to a job vacancy, the obligation will need to be fulfilled at that point rather than within the full 30 days. This shouldn’t be anything new to a good recruiter, as recruitment is all about relationships and you should be in constant contact with your clients and candidates anyway.
In summary, informing candidates could involve a lot of additional work for recruitment agencies and their clients alike. Automation can help with this to an extent, but what if the client didn’t receive candidate data in the first instance?
What if recruitment agencies were to open their CRMs to allow clients to view data without taking receipt and becoming Data Controllers? Would that help to protect recruitment agency clients against some of the obligations and workload resulting from GDPR?