Connecting to LinkedIn...



GDPR compliance - recruitment is ahead of the game

The world of recruitment has gone GDPR-crazy. Hardly surprising, as everywhere you look self-styled GDPR experts are emerging, sharing conflicting advice and pushing legal jargon. If all this isn’t frightening us half to death, it’s making us want to hide in a dark room until it all goes away.

In case anyone’s been living under a rock for the past 12 months, the GDPR is the General Data Protection Regulation that comes into force on 25 May 2018.

And according to new research by the Federation of Small Businesses (FSB), only eight percent of small businesses in the UK are fully prepared for the forthcoming General Data Protection Regulation on personal data, and a massive 20 percent are unaware of its existence. Add to this that more than two-thirds have either not yet begun to take steps to ready themselves or are only in the early stages of doing so, and the recruitment sector is looking pretty good by comparison.

How can your website help?

Generally speaking, in the GDPR compliance arena, we’re finding that the recruitment industry is ahead of the game. Every recruitment agency is not only aware of the GDPR and what it needs to do, and many are well along the path to compliance.

What recruiters may not know is that the FSB is currently calling on the Information Commissioner’s Office (ICO), to introduce a “safe harbour” that would allow businesses to voluntarily report themselves if they realise they are in breach. By reporting themselves, companies would first receive business advice on how to meet the GDPR requirements rather than an immediate penalty.

At Volcanic, we believe that a recruitment website should help every business in its data compliance by providing a data management tool. This particularly applies to supporting the candidate rights introduced by the GDPR.  

Fair processing information

For example, the responsibility is on the recruiter to provide fair processing information, typically through a privacy notice, and let individuals know about their right to object at the first point of communication. This can be handled automatically by your website. Version control is critically important when adding and updating your privacy policies, to support Privacy Directive messaging and show which version of your policy the individual has consented to.

Data access

Data access is nothing new. Data subjects have long had the right to request access to their data - the GDPR just enhances those rights.

Under the new data protection regulations, the new right to be forgotten and the right of data access (Subject Access Request or SAR) are important. Recital 63 of the GDPR explains the Right of Access clause.

“A data subject should have right of access to personal data which has been collected, and to exercise that right easily and at reasonable intervals, in order to be aware of and verify the lawfulness of the processing.”

If an individual makes a subject access request (SAR), you must provide this information free of charge within one month of receiving the request. And it’s essential to log when you received the request and when you responded by supplying the data.

Self-service recommended

What’s interesting is that Recital 63 makes the specific recommendation: “Where possible, organisations should be able to provide remote access to a secure system, which would provide the data subject with direct access to their personal data.”

This self-service model which is recommended by the GDPR should form the cornerstone of your approach to compliance. All technology needs to be built from the outset to comply with the core GDPR directives of privacy by design and privacy by default, and a self-service candidate dashboard mirrors this recommendation.

A candidate dashboard managed through your website puts data control into the hands of every candidate - the data subject - in compliance with the terms of the GDPR. It allows every individual to make their own subject access request and time and date stamps the request to create a log of the transaction. This also covers off the right of data portability - by allowing an individual to access and download their own data.

This is also the way the right to be forgotten (RTBF) is handled. It’s important that this action is validated by a recruiter’s compliance officer or designated person, as there may be circumstances where data should be kept (eg where there is a legal duty to keep records).

Keep calm and choose Volcanic

The GDPR is no cause for alarm - and the right technology will support your compliance and candidate-centric approach. If you want to talk to Volcanic about how our web platform can help your business, get in touch. To help train your team in what the GDPR means for your business and help avoid the risk of data breach, download our GDPR Awareness Training video.


Neil Pickstone

Managing Director

0161 217 1517