The EU may be thousands of miles away, but its laws still affect Australian recruiters. Implemented in May 2018, the General Data Protection Regulation (GDPR) is a wide-ranging piece of information security legislation intended to safeguard the 28-member bloc’s citizens – and place tighter restrictions on organisations that process their personal data.
Crucially, the GDPR applies to any business that uses the personal information of an EU data subject – even if that person is not based within the EU. So Australian recruitment firms, even those which don’t work specifically with EU clients or candidates, are still subject to its strictures.
If you’re an Australian recruiter, of course, you know that the industry is resilient and open-minded. A recent Bullhorn survey reflected this: 71 per cent of those surveyed claimed that GDPR hadn’t adversely affected their ability to engage with clients and candidates and 73 per cent said the same of the way they use recruitment technology. More emphatically, 79 per cent said it wouldn’t have a negative impact on the industry in the long-term.
The optimism is encouraging – but Australian recruiters should approach GDPR with caution, rather than complacency. Over a third of recruiters working at firms with a global reach claimed that they intended to expand their data privacy policies to non-EU markets now that GDPR is in effect: far too few, given the considerable challenges cited. The three most pressing challenges were achieving clarity around the regulation’s terms (cited by 58 per cent), implementing new data processing policies (56 per cent), and auditing IT and data systems (44 per cent).
If you’re running a recruitment firm in Australia, the wider Asia Pacific region, or anywhere else in the world for that matter, it’s better to be safe than sorry. Fines for GDPR non-compliance can run into the millions of dollars, and even smaller penalties can have significant financial implications for a business. Australian agencies use personal data for myriad reasons throughout the recruitment lifecycle, and they will now have to gain explicit consent every time they use it for a new purpose.
The EU often goes beyond Australian privacy law: the EU’s ‘right to be forgotten’, for example, is not covered under the Australian Privacy Act 1988, and the notion of ‘explicit consent’ means different things in each jurisdiction – the EU’s meaning being far stricter.
Different as the letter may be, the spirit of Australia’s and the EU’s respective laws is similar: to improve accountability and transparency, while shoring up individual rights. If you’re complying with Australian law – and you should be – then you’re partway there. However, that isn’t going to be enough for full compliance. For that, you need to go further.
Educate your team
The GDPR is an EU-wide regulation, but definitions of what constitutes ‘personal data’ are left up to individual EU countries. Conducting a thorough audit of your database – and ensuring that each definition is adhered to – should be a priority. From there, clean and qualify the database to ensure it’s fully compliant, and draft and implement policies to control how data is handled in future.
Then make sure your employees are aware. Policies are no good unless they’re obeyed. Training, education and information should be readily available to everyone who is interested in it and imposed on those who need it. This isn’t to say that everyone needs to become a Data Protection Officer, but they should have a working knowledge of how information can and can’t be used. You may eventually decide to hire a Data Protection Officer (in some cases, you may need to), but for the meantime, focus on getting your consultants and other staff members up to speed.
Consult and communicate
Employees must comply with GDPR, but it’s also essential to seek the right assurances from external stakeholders. All supplier agreements must adequately protect all parties’ data, and risk and responsibility for controllers and processors must be clearly defined. Where possible, third-party audits and certifications should be undertaken to ensure that production, governance, change management, backup and software development processes are fully adherent to EU and Australian law.
Where possible, suppliers should also facilitate effective data portability, and be able to show compliance with international regulations such as the EU-US Privacy Shield Framework. Most forward-thinking suppliers have kept data protection front-of-mind and have made it easier to use systems in a compliant manner.
New data, new processes, new tools
Acquiring and retaining data under the GDPR will have several new requirements. Separate consent must now be gained for each stage of the recruitment process; a single agreement cannot comprehensively account for everyone.
Every time a candidate’s data is used for anything, that candidate must provide their explicit consent. In practice, that means a clear option to agree or disagree to the recruitment firm’s desire to collect, process, or disclose their personal information.
Setting up processes to account for this is essential. Without clear permission from a client or candidate to handle data, the firm will be in violation of the GDPR. Automated processes can therefore be dangerous, especially if software is not set up to check consent. The right to be forgotten and the right to have any inaccuracies in a record corrected are key elements of this legislation, and must be accommodated through the firm’s customer relationship management (CRM) system and other data-driven tools.
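As an added illustration (not part of the original article, and not any vendor’s CRM code), a minimal, hypothetical consent-gated candidate store in Python: every use of a record is checked against the specific purpose the candidate agreed to, so an automated job with no matching consent is refused rather than silently run, and rectification and erasure are first-class operations. Class names, purpose labels and the sample candidate data are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConsentError(PermissionError):
    """Processing attempted for a purpose the candidate has not agreed to."""


@dataclass
class CandidateRecord:
    candidate_id: str
    fields: dict                                  # name, email, CV notes ...
    consents: set = field(default_factory=set)    # purposes explicitly agreed to
    audit: list = field(default_factory=list)     # (timestamp, event) trail

    def log(self, event: str) -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), event))


class ConsentGatedCRM:
    # Hypothetical store: consent is tracked per purpose, not as one blanket "yes".
    def __init__(self) -> None:
        self.records: dict[str, CandidateRecord] = {}

    def add(self, cid: str, fields: dict) -> None:
        self.records[cid] = CandidateRecord(cid, dict(fields))

    def record_consent(self, cid: str, purpose: str, agreed: bool) -> None:
        rec = self.records[cid]
        (rec.consents.add if agreed else rec.consents.discard)(purpose)
        rec.log(f"consent for '{purpose}' {'granted' if agreed else 'withdrawn'}")

    def process(self, cid: str, purpose: str) -> dict:
        # Each use is checked against the purpose it was consented for.
        rec = self.records[cid]
        if purpose not in rec.consents:
            rec.log(f"BLOCKED '{purpose}': no consent on file")
            raise ConsentError(f"{cid}: no consent for purpose '{purpose}'")
        rec.log(f"processed for '{purpose}'")
        return dict(rec.fields)

    def rectify(self, cid: str, field_name: str, value) -> None:
        rec = self.records[cid]
        rec.fields[field_name] = value
        rec.log(f"rectified field '{field_name}' at candidate's request")

    def erase(self, cid: str) -> list:
        # Right to be forgotten: drop the personal data and keep only the
        # identifier-level audit trail as evidence the request was honoured.
        rec = self.records.pop(cid)
        rec.log("record erased at candidate's request")
        return rec.audit
```

Withdrawing consent for a purpose immediately blocks further processing for that purpose, and the audit trail is what an auditor would ask to see when checking that blocked and erased requests were handled.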
Ultimately, GDPR isn’t here to inconvenience recruitment firms – or indeed, any other business. It’s here to protect the people who have entrusted firms with their personal information. It may be inconvenient in some respects; in others, it’s quite necessary. Recruitment professionals, wherever in the world they operate, would be well-advised to ensure that it is accounted for – for their clients and candidates, and for their own collective peace of mind.