GDPR for Recruiters

Get ready over night and take the fear out of GDPR

The General Data Protection Regulation (GDPR) is a set of data compliance regulations that were introduced in May 2018 to replace the Data Protection Act – which was used as a guideline for businesses to use when handling personal data. Whilst most Recruiters will already be familiar with the DPA (and many of the key principles of the DPA are still present in the new regulations), there are a some crucial changes involved with GDPR that will have a big impact on the recruitment sector.


What’s the aim of GDPR?

The main aim of the GDPR is to offer EU citizens (and this includes UK citizens too – Brexit or no Brexit!) a level of protection from privacy and data breaches that the DPA can no longer offer. This is because we now process vastly more data than we did back in 1995 (when the DPA was first created), meaning our digital landscape has now outgrown the DPA, and the GDPR has been created as a solution to this. Failure to comply with GDPR best practices could result in a fine of €20 million or 4% of global turnover - whichever is highest. 


What’s Firefish doing about GDPR?

In the run up to May 2018, we put a lot of focus on assisting our customers with their GDPR-compliance efforts. If you’re already a Firefish customer, you’ll be receiving fortnightly ‘Tips from the Tank’ to your inbox, with details on the latest changes you can be making through our software to become more GDPR compliant. We’ll also be publishing new GDPR-focused content on our blog over the coming months, so make sure you book mark our GDPR blog page!


The good news is, we’re already in great shape to provide our customers with a GDPR-ready recruitment process and methodology.


Addressing rights for individuals with Firefish

The GDPR aims to provide eight new rights for individuals that businesses must now demonstrate their ability and willingness to offer. Here’s a rundown of what Firefish is and will be doing to facilitate this.


1.   The right to be informed

Under GDPR, individuals have the right to be informed on how a business has acquired their data, as well as how it will be stored and used. Once you’ve decided your lawful basis for processing personal data you’ll need to create or update a Candidate Privacy Agreement on your website (this will be a page similar to your Terms of Use or Cookies Privacy outline). Your Candidate Privacy Agreement needs to provide clear, unbundled clauses for the candidate to opt into, and these clauses should explain how, why, and for how long you’re going to store their data for.


As Firefish Software converts candidates straight in from your recruitment website, our customers can automate the tracking of each candidate and clearly indicate the date/time that they opt in to your Candidate Privacy Agreement.


2. The right of access

From day one of developing Firefish we’ve always put the candidate first, so GDPR fits our model exceptionally well. We believe the best way to earn trust and ensure complete data accuracy is to allow candidates to clearly access (and edit) the data you’re storing on them from the outset.


GDPR also recommends that “where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information” (source: ICO)


To facilitate this, all our customers have a fully branded and mobile-responsive candidate portal where candidates can log in to update their cv profile, job preferences, communication options and track their recruitment activities from any location, at any time. 


3. The right to rectification

Candidates must now also have the ability to edit, update and rectify any missing or incorrect information you have stored on them. And if any personal information is edited, it’s your responsibility to inform third parties of the change and let the individual know which third parties their data has been shared with (and who you’ve notified of their rectifications).


As it’s the recruiter’s job to represent the candidate to interested third parties, having a clear and transparent way to carry this process out is going to be imperative. However, as Firefish Software allows candidates to have full access to their own profile information, the onus is on them to ensure that their profile details are accurate and up to date.


Candidates can also clearly see which third parties they’ve agreed to share their information with and state any companies that they do not want their details to be shared with. Firefish then ensures that every recruiter on your team respects the candidate’s requests by warning or blocking the recruiter if they try to shortlist, spec or alert the candidates to any jobs with companies they don’t want to be shared with.


4. The right to erase

Under GDPR, candidates will be able to submit a ‘request to be forgotten’ at any time, or even object to your legitimate interest for storing their data. For this reason, it’s not an exaggeration to say that the role of the recruiter will change overnight!


In order to maximise potential placement opportunities in your database, you’re going to have to ensure that you keep candidates actively engaged with your company: Job alerts, engaging blogs, or any other compelling reasons to stay in touch and add value to your candidates on top of having jobs to offer them, is going to be vital.


Firefish has all the content generation tools you need to do this, with automated job alerts, candidate nurturing triggers and website plugins that help you create the great content you’ll need to succeed.


5. The right to restrict processing

In the context of recruitment, every time a candidate fails to show up for an interview or even worse their first day on a new job, by default they’re restricting your ability to process their information.


Firefish is taking the approach of encouraging candidates to be more professional and make it easy for them to tell you that there are just not that interested in the position anymore. Each time a candidate submits their details with interest in a role, they will also have the ability to withdraw their interest at any time via their candidate portal, and this will automatically restrict your processing of that particular recruitment process.


6. The right to data portability

Under GDPR, the candidate must have the ability to download and export their information at will, and if requested, you have the new GDPR-standard of 30 days to comply with their request.


To prevent this from becoming yet another time-consuming admin task to add to your workload, Firefish has integrated an automatic export button on each candidate’s record, so they can easily export their profile information with one click. 


7. The right to object

We’re making it our mission to ensure you’re best placed to avoid any ‘right to objects’ from your candidates, and the area where candidates are most likely to object to your recruiter’s actions will concern direct marketing. Firefish combines all your marketing activities in one place and prevents recruiters from accidentally reaching out to a contact who has opted out of marketing.


All candidates can clearly opt in and out of individual marketing channels at their free will (e.g. email, job alerts, SMS, and email campaigns) and these preferences are taken into account when a recruiter creates a new recruitment campaign. For example, if a candidate has opted out of receiving email marketing or SMS messages, the recruiter will not be able to include that candidate in either your email campaign or bulk SMS marketing, thus ensuring that your recruiters abide by candidates’ wishes and permissions at all times.


8. Rights in relation to automated decision making and profiling

Finding the perfect candidate isn’t just about how they look on paper, which is why technology will never replace the recruiter when it comes to selecting the best candidate for a job. Whilst technology should enhance the recruiter’s tool set and help them become more effective at what they do, there are decisions involved in the recruitment process that will always be up to the recruiter to make.


And this is exactly the philosophy that our software adopts: We make potential matches on contacts, companies, candidates and jobs to streamline your recruiters’ efforts, save them time and guide them in the right direction. However, these matches are based on information provided and accessed by the candidate directly – there’s no automated decision-making when it comes to processing or profiling.


Advanced Security

Once data is collected, you need to ensure it’s stored in a secure manner and in accordance with the security provisions of the GDPR. This means you need to use the appropriate technical and organisational security measures to protect personal data against unauthorised processing and accidental loss, disclosure, access, destruction, or alteration.


In light of this, we’ve increased the level of password security and temporary password management on our software, ensuring peace of mind for our customers in the rare case of any potential security breaches. We also operate under a great partnership with Microsoft Azure, providing our customers with the enhanced protection and 99.98% availability that the service provides. 


Auditability & Accuracy 

As business owner, you have a responsibility to ensure that all of your recruiters keep accurate records to demonstrate their compliance efforts under GDPR (for example, records of candidate consent or of the candidate agreeing with your legitimate interest to store their data).


But let’s be honest – we’re all going to need a little help with this! Firefish Software can support your efforts by instantly highlighting records that are due to expire under a particular compliance certificate, or are approaching the end of a particular timeframe within which you’re able to retain their data without any engagement from them.


It’s likely we’ll see more updates and further changes to the regulations that the recruitment industry will have to absorb and adapt to. But don’t worry! We’ll be doing everything in our power to help you embrace the changes as seamlessly and painlessly as possible, whilst continuing to focus on our mission to ensure you’re maximising your candidate engagement levels through our software.



Sign up to the monthly Firefish Software GDPR newsletter


Firefish: Engaging your candidates


An Infographic showing facts about GDPR by Firefish Software

Download the Firefish Software GDPR eBook by clicking this CTA


Disclaimer: This information on EU data privacy should not be taken as legal advice for your company to use as guidance when complying with EU data privacy laws like the GDPR. Instead, it should serve as background information to help you better understand how Firefish Software is and will be addressing some important GDPR requirements that you will be legally obliged to show intent to comply with. So please –  do not use this information as legal advice, nor as a recommendation of any particular legal understanding. Remember, we’re not lawyers!

Last updated 19.1.18