This blog is the first in our series of data protection advice. Part two covers Measures Recruitment Agencies Must Take to be GDPR Compliant in the UK and part three is Data Controllers vs Processors in Recruitment Agencies.
Privacy rights are granted to individuals under GDPR in the UK and are designed to empower individuals by giving them control over their personal data and ensuring transparency and accountability in data processing activities. Recruiters need to understand and remember these rights and make necessary adjustments to their databases and processes to enable individuals to protect these rights.
These rights include:
- The Right to Information: Individuals can request information about the type of, and reason for, data being held in a company.
- The Right of Access: Individuals have the right to view the personal data that is being processed about them.
- The Right to Rectification: Individuals can update or correct their personal data if they believe it is incorrect or outdated.
- The Right to Erasure: Individuals can request the immediate deletion of their data from an organisation’s data files.
- The Right to Restriction of Processing: Individuals have the right to request that their data be handled in a specific manner under certain conditions, including ceasing processing as requested.
- The Right to Data Portability: Individuals, under specific conditions, have the right to obtain their personal data in a commonly used format, transfer it to another controller, or use it for personal purposes.
- The Right to Object: Individuals can object to the processing of their data, including profiling, under certain conditions.
- The Right to Avoid Automated Decision-Making: Individuals have the right to avoid legal consequences arising solely from decisions made through automated processing, including profiling.
By being aware of these privacy rights and taking the necessary steps to comply with them, recruiters can establish trust with candidates, demonstrate their commitment to data privacy, and mitigate the risk of non-compliance and potential penalties and/or claims.
There are some specific aspects where recruiters should be vigilant regarding privacy rights:
- Consent and Information: Recruiters should obtain informed and specific consent from candidates before collecting and processing their personal data, e.g., the information needed for a background check. They should provide clear and transparent information about the purpose, scope, and duration of data processing.
- Access and Rectification: Recruiters must be prepared to fulfil requests from candidates who want to access their personal data held by the organisation. They should have mechanisms in place to facilitate such requests and ensure the accuracy and timeliness of rectifications or updates requested by candidates.
- Data Retention and Erasure: Recruiters should establish clear retention periods for candidate data and delete or anonymise it when it is no longer necessary or upon request from the candidate.
- Data Security and Protection: Recruiters need to implement appropriate technical and organisational measures to safeguard candidate data from unauthorised access, accidental loss, or disclosure. This includes ensuring the secure storage, transmission, and disposal of personal data.
- Data Portability: If a candidate requests the transfer of their personal data to another organisation, recruiters should have processes in place to provide the data in a commonly used and machine-readable format.
- Objection and Automated Decision-Making: Recruiters should respect candidates’ right to object to the processing of their personal data, including automated decision-making and profiling, and provide a means for them to exercise this right. For example, an applicant may request job alerts but ask that their information not be stored on your database. The organisation must ensure that they have the means to process this request.
- Privacy by Design: Recruiters should adopt privacy by design principles, integrating privacy considerations into their recruitment processes and systems from the outset. This includes implementing data protection measures, conducting privacy impact assessments, and minimising the collection and retention of unnecessary personal data.
- Privacy policies must be readily available to individuals on request and you must disclose where you store application data and state that it is only used for recruitment purposes.
If we can help with any GDPR issues, contact us at firstname.lastname@example.org.