Picture the scene – the ICO poised to speak about the GDPR to approximately 500 recruiters at Bullhorn Live yesterday. The lights were dimmed, the anticipation of receiving some clarity was almost palpable. Surely after this session we’ll all understand what we need to about the GDPR?
Fast forward to an hour later. The result? Widespread disappointment. Why? Because, as one attendee told me, “the ICO didn’t have anything specific to say to the industry”.
Why didn’t the ICO have any specific advice for recruiters?
In my view, expectations of the session were unreasonable. Making sense of the GDPR in a particular business context requires a deep working knowledge of both the GDPR and the industry sector, which is why the ICO are relying on the industry bodies to do this. There would be widespread outrage if the ICO issued a set of recruitment-industry-specific rules without any context or consultation, for example a ruling that “in the recruitment sector personal data is considered to be out of date after 100 days” or “recruiters should not keep any data for longer than 90 days”.
How can recruiters gain a better understanding of what the GDPR means?
Later, another disappointed delegate told me that last week he had attended a brilliant session on the GDPR specifically for recruiters. He had clarity for the first time about what he needs to do about the GDPR. I was intrigued: who had delivered this session? My colleague Lucy Kendall from ComplyGDPR! We hear this feedback over and over again about our sessions for recruiters.
To be clear, the ICO session was helpful and gave consistent generic advice. The difference is that ComplyGDPR deliver the same message using our knowledge of the industry combined with guidance from our legal advisors at CMS Law.
We explain how the impact of the GDPR will play out in the context of a recruitment business. We can do this because we understand the business processes, as we come from the industry ourselves. The ICO cannot and will not do this. They have stated in the past, and repeated again yesterday, that the ICO do not give industry-specific advice. Instead, they welcome the industry bodies to represent their members and to provide codes of conduct.
What should recruiters do about the GDPR?
The GDPR has very few hard and fast rules; there are general principles and guidance. These need to be interpreted against the background of data privacy laws. Even if data privacy is news to many recruiters, it is not a novel concept.
The GDPR requires that a recruitment business undertakes some work to interpret how those rules apply to its own business operations.
What are the benefits of the GDPR?
ComplyGDPR are working with a large number of recruitment businesses to define their policies and processes so that they can comply with the GDPR whilst being able to operate their business in a way that takes data privacy seriously. Yes, work and change are required, and it can be challenging to some existing practices. However, once the concepts are grasped, the GDPR begins to make sense and recruitment businesses begin to see how this can bring wider benefits. Weaknesses are identified, poor working practices are addressed and security is tightened. All of this results in a better managed business where a range of risks are minimised. The upside is that the less time you spend dealing with things that go wrong, the more time you spend earning money!
GDPR exam or coursework?
We see our clients move from fearing the GDPR as a single exam taking place next May, where pass or fail is going to be decided on their performance at that one exam, to thinking about it as an ongoing, assessment-based project that will be marked on evidence of their GDPR coursework.
The ICO reiterated at Bullhorn Live that recruiters should do their best to prepare and comply. How? By looking at how they can make data privacy a cornerstone of their business; identifying the risks that they create for others in their business; by processing their data and taking action through technical and organisational measures in order to manage those risks. Businesses need to ensure that they have a legal basis for processing data and be able to demonstrate through documentation how the business is dealing with the new rights of an individual under the GDPR.
How can recruiters know whether they have interpreted the GDPR correctly?
The marking scheme is dependent on the regulators being able to see how a business has arrived at its answers and the amount of effort that it has put in. It’s not a single pass or fail exam; the effort counts. If a GDPR coursework folder is empty then low marks are inevitable. Fear of getting it wrong is not a valid reason for not trying your best.
How can recruiters fast track their GDPR project?
If your GDPR folder still only contains blank pages, you can get a head start by using our toolkit, which provides a structured action plan for a recruitment business and a wealth of resources to manage your project and help you identify what you need to do. We provide a substantial amount of help, from an implementation workshop, toolkit, resource library, templates and practical advice to a helpline and staff training. Plagiarism of our work is 100% encouraged.
If you need a steer on what sort of questions you need to answer, contact us for our free GDPR readiness checklist or watch one of the recorded webinars or podcasts available through our website.
ComplyGDPR work solely with businesses in the recruitment sector: executive search, contingency recruitment and interim management. We work in conjunction with CMS Law. Our clients range from sole traders to international businesses with multiple offices. We have pricing models that are appropriate to the size and complexity of the business.