Harsh warning for recruiters who ignore new data protection rules

An employment lawyer has warned it may already be too late for recruiters that have failed to prepare for new data protection rules.

With the rules set to come into force next May, if new procedures haven’t begun to be put in place yet, agencies could be hit with fines running into the millions.

Recruiter has put together a useful guide to advise recruiters on what to do to comply with the new regulations, which is in the Guide to Recruitment Industry Suppliers 2017/18 supplement, out with September’s issue of Recruiter.

Government is due to publish details of its new Data Protection Bill today, which will transfer the European Union's current General Data Protection Regulation (GDPR) into UK law.

Proposals included in the bill include will:

  • simplify procedures for people to withdraw consent for their personal data to be used
  • enable people to request for data about them to be deleted
  • require firms to obtain ‘explicit’ consent when they process sensitive personal data
  • expand the definition of personal data to include IP addresses, DNA and small text files known as cookies
  • allow people get hold of the information organisations hold on them much more freely.

While there is nothing new in terms of the contents of government’s bill announced today, Peter Wright, founder and managing director of law firm DigitalLawUK, warned it may already be too late for agencies that have failed to prepare for the new rules, which could leave them with fines of £17m for major breach of the new rules.

These preparations, Wright told Recruiter, should include:

  • purchasing a secure and compliant premium product for the sharing of candidate data
  • ensuring the data is only used for the purpose for which it was acquired, so not using candidate’s data to spam them
  • ensuring proper consent to use candidate’s data is received by using multiple tick boxes, as well as returning to candidates for consent if you start using their data in a different manner at a later date.

But Wright told Recruiter if agencies are only now starting to think about these new rules, it could already be too late to avert the risk of hefty fines. 

“We have less than 200 working days to go until the 25 May 2018, and for a big organisation with multiple offices – or even worse multiple offices in different countries – it may already be too late to get the right things in place in terms of governance, in terms of policies, in terms of training, in terms of insurance and in terms of security in tech solutions.”

And Dr Sybille Steiner, partner solicitor at Irwin Mitchell, says it appears that very few recruiters have started implementation of procedures to adapt processes to the new rules. 

“This is concerning, as next May’s deadline is fast approaching and with so much at stake, there’s a real possibility that a large number of recruitment agencies will not be compliant in time. The low level of awareness of GDPR is caused by a number of misconceptions that exist about the new rules and this has led to a level of complacency. 

“It appears that many agencies believe GDPR will have no impact on [them] and is not an issue for their sector. However, the reality is that the rules encompass a wide range of personal data, including employee data, payroll and pensions records. They also apply to data in a business context in relation to customer and supplier data.

“While time is running out and many large agencies may not have enough time to address all of their issues, it is important that they use the remaining time to identify the gaps they need to address and ensure that they can at the minimum show that they have some processes in place to prevent a breach. Further developments can then continue once this basic principle has been established.”

But Christopher Tutton, partner at Constantine Law, told Recruiter he believes awareness of the new rules among agencies is growing.

“Recruiters are increasingly aware of the new data protection obligations which will apply from May 2018, under the EU-wide GDPR, and which will be incorporated into the Data Protection Bill. The GDPR will significantly broaden and deepen the regulatory duties for agencies as controllers and processors of personal data, in particular in relation to their candidate data, which is one of their key assets as a business.

“It is not too late for recruiters to prepare for the introduction of the new laws in my view, yet recruiters should start preparations now.”

And David Whincup, partner in Squire Patton Boggs’ London-based labour & employment practice, offered up some comfort for recruiters in terms of the penalties they could face for minor breaches of the legislation.

“While the GDPR will impose considerable administrative and technical burdens on recruitment companies by virtue of the sheer volume of personal data they are likely to hold, it will not much affect the broad principles underlying the existing data protection legislation – the protection of the individual’s data, rights of access to it and information about it, and the collection of no more of it (and its retention for no longer than) is properly required for the purpose for which it is held, etc.

“A recruitment business, which already takes successfully all reasonable precautions to achieve those objectives, will certainly need to revamp its contractual documentation with candidates, end-users and third-party data processing partners in line with the GDPR, but should not fear the sort of huge fines referred to in the press for minor slips of form as opposed to substance.”

For more on the GDPR, see Recruiter’s Guide to Recruitment Industry Suppliers 2017/18 supplement, out with September’s issue of Recruiter.

• Want to comment on this story? Email us at recruiter.editorial@redactive.co.uk or tweet us below to tell us your thoughts. We will run comments online in a round-up at the end of the week.

Email story to a friend

Visa cap set to be waived for NHS

Recruiters have welcomed reports government is about to relax immigration rules to enable more doctors and nurses from outside the EU to come and work in the UK.

Legislation 14 June 2018

Supreme Court ruling upsets flexible working apple cart in landmark case

The rights of flexible workers have been thrown back into the spotlight in light of a plumber’s legal victory in a Supreme Court ruling today.

Legislation 13 June 2018

EU law could hit recruiters using memes under new copyright rules

Recruiters using memes to market their business could see these memes removed by social media platforms, if new European copyright rules are given the go-ahead.

Legislation 12 June 2018

Senior recruitment staff guilty of opting temps out of pension scheme

Senior staff at a national recruitment agency have pleaded guilty to trying to save money by impersonating their temporary workers to opt them out of their workplace pension scheme.

Legislation 8 June 2018