GDPR - is it all down to interpretation?
As many of you will be aware, there are major changes underway around the laws governing data protection in the form of GDPR, or the General Data Protection Regulations. The regulations are being updated in the light of the changing world in which we live and the huge amount of data that is held or shared, much of it online.
As recruiters, we take data protection very seriously and have spent months understanding and preparing for the new changes. One of these changes is ensuring we have a lawful basis for processing data and, given that GDPR is not recruitment specific, a lot of this is down to how the legislation is interpreted.
Now finally, the ICO (the governing body – the Information Commissioner's Office) has released a 46-page piece of guidance around one of the lawful bases that can be used, and hidden away in this guidance are a few paragraphs specific to recruitment.
Many candidates post their CVs on CV databases online, such as Monster, Jobsite, CV Library etc, that many recruiters subscribe to. Most recruiters will download suitable candidates onto their own database to enable notes to be taken against the candidate regarding conversations etc. What we and most recruiters who follow The Conduct of Employment Agencies and Employment Businesses Regulations 2003 do, ensuring we work in an ethical and transparent manner, is gain explicit permission from a candidate before their CV is submitted to any client. This means that our candidates always know where their CV has been sent, and always with their consent.
The ICO's advice around CVs downloaded from CV databases is that it is in the agencies’ legitimate business interest to send the CV to clients: because the CV was posted on a CV database, it is OK to send it out to clients without explicit permission from the candidate. The specific wording in the guidance is “they [the candidate] would clearly expect that recruitment agencies would access the CV and share it with their clients”.
It remains my view that downloading the CV would be expected and is in the recruiter's legitimate interest, and this does not override the rights of the individual, so is in keeping with one of the foundations of the legislation. However, it remains my, and my company’s, view that a CV should not be sent to any client without the explicit consent that we have always sought, and will continue to seek.
Although I don’t expect the ICO to understand the nuances of every industry sector, this simple example just highlights the complex platform that GDPR is creating, the huge room for interpretation (misinterpretation could be very expensive for a business), and the problems that many businesses (it affects ALL businesses in the UK) face in trying to comply.