Top 5 Common Data Protection Mistakes in the Recruitment Sector
Data protection is important for any business, regardless of the sector it is in, but those that work in the recruitment sector face some unique hurdles and threats in this field. The following are five of the most common mistakes we encounter when auditing and consulting in this sector.
- Not understanding the difference between data controllers and data processors – Where a recruitment agency acts on behalf of an organisation to source candidates for a specific position, it will usually be a data processor. Where it looks for possible placements for a candidate on its own initiative, it will be a data controller. The difference is very important because the two roles carry different responsibilities; for example, it is the data controller who must handle data subject rights requests. If you are confused, you can check out our guide to data controllers and data processors to avoid making some common mistakes.
- Holding data too long – Under the GDPR you should not be holding data indefinitely, yet many recruitment agencies do this, with some keeping CVs in their systems for 10 years or more. It is important to regularly review the data that you hold and securely dispose of any data that is no longer in use. We recommend having a data retention policy that states how long each type of data is held.
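A retention policy only helps if something actually enforces it. The following Python script is an added example, not code from the article or from its authors: it turns a per-category retention schedule into a periodic review that flags records for secure disposal, warns about records approaching expiry, and surfaces records whose category has no policy entry at all (a policy gap that is easy to overlook). The categories, retention periods and sample records are all constructed placeholders, not figures from the article or from any regulator.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: days each category may be held after its
# last legitimate use. These periods are illustrative placeholders, not
# figures taken from the article or from any regulator.
RETENTION_DAYS = {
    "candidate_cv": 365 * 2,         # CV of an active candidate
    "unsuccessful_applicant": 180,   # kept briefly to answer a complaint, then deleted
    "placement_contract": 365 * 6,   # records tied to a completed placement
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_used: date  # last date the record was legitimately used, not its creation date


def disposal_date(record):
    """Date after which the record must be securely disposed of, or None
    if its category has no retention period defined."""
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        return None
    return record.last_used + timedelta(days=days)


def review(records, today, warn_days=30):
    """Sort records into four buckets for a periodic retention review.

    dispose:      past their retention period; queue for secure deletion
    review_soon:  within warn_days of expiry; confirm there is no live need
    retain:       still inside their retention period
    unclassified: category missing from the schedule; a policy gap to fix,
                  not something to keep silently
    """
    buckets = {"dispose": [], "review_soon": [], "retain": [], "unclassified": []}
    for rec in records:
        deadline = disposal_date(rec)
        if deadline is None:
            buckets["unclassified"].append(rec.record_id)
        elif today > deadline:
            buckets["dispose"].append(rec.record_id)
        elif today + timedelta(days=warn_days) >= deadline:
            buckets["review_soon"].append(rec.record_id)
        else:
            buckets["retain"].append(rec.record_id)
    return buckets


# Constructed sample inventory, as a retention review run on 2024-06-01 might see it.
SAMPLE_RECORDS = [
    Record("cv-001", "candidate_cv", date(2014, 3, 10)),              # ten-year-old CV
    Record("cv-002", "candidate_cv", date(2023, 9, 1)),               # recent candidate
    Record("app-017", "unsuccessful_applicant", date(2023, 12, 20)),  # expires mid-June
    Record("app-018", "unsuccessful_applicant", date(2024, 4, 15)),
    Record("ctr-005", "placement_contract", date(2020, 1, 1)),
    Record("misc-9", "linkedin_export", date(2019, 5, 5)),            # no policy entry
]


def run_review(today=date(2024, 6, 1)):
    """Run the review over the constructed inventory for a given date."""
    return review(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    for bucket, ids in run_review().items():
        print(f"{bucket:13s} {ids}")
```

The retention clock runs from the record's last legitimate use rather than its creation date, so a candidate who is still actively placed is not wiped mid-engagement, while a CV nobody has touched for years is queued for disposal. The `unclassified` bucket is deliberately separate from `retain`: data with no retention period assigned is exactly the data that ends up being kept for a decade.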
- Incorrect use of consent – Consent is one of the six lawful bases for processing personal data under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). Consent must also meet a number of conditions to be considered valid. It is often not a suitable basis for data related to employment, because consent needs to be as easy to withdraw as it is to give, and a withdrawal would cause employers a lot of problems. It is usually more appropriate to rely on performance of a contract as the lawful basis, as this covers collecting the information necessary to enter into a contract.
- Poorly written privacy notices – Data protection legislation requires you to inform your candidates of a number of things about how their data is used. In our experience, these notices are often missing, incomplete, vague or incorrect.
- Having no breach response plan – Studies show that between 60% and 70% of businesses affected by a cyber-attack close down within 6 months of the incident, yet many of the recruitment agencies we audit still lack a plan for responding to such incidents. The key to not becoming one of these statistics is to have a robust plan in place that has been tested. If you are stuck, our template is a great place to start.
To be continued in Part 2.
If you want to speak to one of our experts about any of the content in this article, you can book a free 30-minute, no-commitment consultation here.