GDPR: Where to Start, Understanding Consent, and Navigating Data Retention

GDPR: Where to Start, Understanding Consent, and Navigating Data Retention


Clair Bush, international marketing director for Bullhorn


Paul Janoo, GDPR consultant
Tania Bowers, general counsel, APSCo
Vince McLaughlin, director of sales engineering, EMEA and APAC, Bullhorn.



The General Data Protection Regulation (GDPR) is a sweeping series of data privacy enactments that goes into effect for European Union countries and citizenry beginning on May 25th, 2018. It’s the most important data privacy directive since Sarbanes-Oxley and will have a cascade of effects on consumers and businesses operating, even tangentially, in the EU.

Bullhorn recently convened a forum featuring experts on GDPR to discuss how enterprise recruitment agencies can prepare for and navigate the directive. While this is by no means a prescriptive blueprint for “solving the challenge of GDPR compliance,” as it were, it offers a good place to begin framing one’s strategy.

Excerpted below are highlights from the forum, which was moderated by Clair Bush (international marketing director for Bullhorn), and featured panelists Paul Janoo (GDPR consultant), Tania Bowers (general counsel, APSCo), and Vince McLaughlin (director of sales engineering, EMEA and APAC, Bullhorn).

The panel addressed three main areas of interest around GDPR:

  • Where to start
  • Consent
  • Data retention


Clair Bush (CB): GDPR is one of the biggest things to revolutionise our industry in decades. There’s lots of fear-mongering and threats of fines, but where do we start?

Tania Bowers (TB): Well, I think the first thing to do is to think about the data that you hold and what is “personal data”. Personal data is information that identifies individuals, so it’s quite broad. This includes client details, and of course candidate data. As recruiters, you can hold a lot of personal information and have built up a personal data set. It’s absolutely fundamental for the recruitment industry to understand it’s change. Under the data protection act, you own that data, so it’s your responsibility how you own that, what you do with that. Firstly, you need to do some form of data audit to drill down into what data you have, how long you’ve had it, where you have it, what you want to do with it. After that, you can make decisions on what you want to do.

Paul Janoo (PJ): I would say, keep calm and carry on. There’s too much scaremongering going on and yes, there is a lot to do, but all things need to be proportionate to the size and nature of the business. Ignore (for now) all the IT resellers trying to sell you their latest silver bullet professing to offer a single solution for GDPR compliance in a box.

Put together a cross-functional working party with some form of executive sponsorship. Assess whether your organisation needs a Data Protection Officer (DPO), and if you decide you do, then when choosing someone for the role understand the skills required and what the responsibilities of the role are. Make sure that you formally document your decision making process and add the responsibilities into the person’s job description. The DPO doesn’t need to be an employee of your company as the GDPR talks about using service contracts if needed. In other words, you can use a third-party DPO as a service if you wish to outsource this role.

Talk to your staff as soon as possible about what the GDPR is, when it goes into effect, and what it means for your company. In the coming weeks and months, your clients may be reaching out to ask what you are doing to prepare, because they themselves are preparing and assessing their supply chain. Don’t let your consultants be caught off-guard; prepare them with some basic knowledge and tell them to whom to direct client queries. You want to be seen as proactive.


CB: Next, we’re going to talk about consent. Consent within GDPR is expressed consent given; it’s opting in. How can we ensure consent is compliant within GDPR?

Vince McLaughlin (VM): A crucial consideration around this for a recruitment agency specifically is: how to track back to when the person first came into your database (how you obtained the person’s contact information), for what specific purpose, and your ability to represent this candidate back to clients.

PJ: Consent is an area that every recruiter is talking about, and it’s a grey area. The Information Commissioner’s Office (ICO) is going to give further guidance and interpretation during the summer. One thing you should look at is, given personal data will be coming from multiple channels, how can you funnel it into a single consent mechanism? I would imagine probably using some form of portal. Remember a data subject has the right to withdraw consent and this needs to be as easy for them to do as giving it, and again a portal would facilitate this requirement.

Have a think about what your consent mechanism will look like. The sooner you amend your consent mechanism the better, as you will then be able to say come 25th May 2018 that you have (hopefully) 10 months of “compliant” data. If you leave this for 6 months, then that’s 6 months  worth of candidates you will have to go back to, as well as all your other historical candidates, to reaffirm GDPR-compliant consent.


CB: Going back to data auditing, understanding what you’ve got and how you collected your data, can we talk about this from a legal perspective?

TB: Well, you’ve got your database. It’s either tidy, or you’ve had that database for 30 years and haven’t thought about it. You’ve all got very different databases. I would agree that the sooner you get to a point that you’re collecting data compliantly, that you’re actively reducing your problem and that you’re aware of the law, the better off you’ll be. Also, to me, some form of self-service portal seems like it will become central to recruiters. Data needs to be accurate. The easiest way is putting the onus on them to confirm that their information is accurate.

In terms of consent, it needs to be looked at in a wider context: you have to have a fair process and condition. The other two that potentially apply in recruiting is legitimate business interest, but there has to be a balancing act between your business need to have a data and the individual’s rights. The other is contracts. If someone sends you a CV for a particular role, that’s not a consent issue, because they’ve given it to you. But as recruiters, you want to use that CV for other roles, and then that becomes a yes/no, is that person happy to have a conversation with you, and then it becomes a consent issue.

Also, lawyers at ICO, they’re aware of recruitment, and that processing happens without consent, so they’re thinking of having an employment practices code, and they’re trying to discuss that later in the year.

PJ: Consent is described in the text, but you’re looking for additional context. You need to find out whether or not you need consent, or if you can use one of the other mechanisms for lawful processing, such as legitimate interest or as Tania said, legal or contractual obligation. As an example, you have a legal obligation to retain certain information for HMRC with regards to temps who have worked for you; this would be your lawful basis for processing and would supersede consent. You can rely on contractual obligation for the processing of internal employees’ data, as long as you don’t collect information you don’t really need or anything defined as “sensitive personal data” which would need explicit consent.

Fundamentally, the consent you hopefully have today may not be sufficient anyway. Did they opt in? Was it clear and transparent? Most importantly, can you prove it? If you can’t prove if they gave you consent, and for what purpose, you need to go back and get the individuals to re-consent to your processing/holding of their information. And you need this for candidates and clients. You may have a lot less contacts come May, because people may ignore your request and silence isn’t consent.


CB: This talks back to the data set in the first place. Vince, the engagement piece, being able to constantly engage and contact your contacts, what’s your thought on it?

VM: Well, we have candidates and contacts, and your need to contact them is different. Who from my organisation is contacting them and for what reason? You should be able to tie that back to the consent you got in the first place.

TB: How you’re using that data feeds back into retention. Apart from consent, this is the other huge area. It’s likely that you’ll have much smaller databases, but hopefully much more usable. Also, retention of a prospect is much different than retention of a customer. There are obviously other rules where you’re keeping data for six years. I spoke with an MSP that has been asked by a client to hold onto screening data until a candidate retires. Because the client has outsourced responsibility to them then under agreement, they need to keep that sensitive information. Holding that data for 20-30 years under GDPR is a scary prospect.


CB: From a processing and retention perspective, we have a client that every time they have a vacancy, they use candidate resumes coming in, and after the vacancy is filled, they require that the resumes be deleted. What are the specific ways that you can run your agency and think about data retention policies?

PJ: When we talk about retention, I think that you need to, as an organization, define and document what your retention policies are for different categories of data. Then, you need to figure out a way to implement. How will data be purged? I would advocate for automation, or at least a semi-automated process to reduce the administrative burden on your staff doing this manually.

VM: Around retention specifically, you need to think about where you’re storing that data and how you’re storing that data. Encryption, for example: are you obscuring certain data through encryption, and are you able to expose certain data when you need it? Backups: if you have a backup and then purge records, you still have and own that data. You need to make your main database complaint, but other places where you retain data need to be secured as well.


CB: What about transfer of data across different offices?

TB: That’s quite a big one. One thing I’m always thinking about is email. Just think about how your business uses email and how many scans of passports they receive on email. Everyone needs to get to grips with email and it will be a lot tougher. A very large organisation, by example, is now deleting their email on a regular basis. The general email inbox will be purged after a year in this company. It’s Draconian, and it’s hard to control individual behavior, but it’s something you need to consider.

In terms of moving data across different areas, it comes down to paperwork. It’s easy for people to ask for a GDPR statement, but you can’t get anywhere near that until you know your data. It comes back to intergroup data agreements, but it’s not the first thing you think of when starting a recruitment company and establishing subsidiaries.


CB: What are your expectations as a service provider? Where do you see the compliance risk piece?

VM: From a systems perspective, I would want to make sure the data I’m interacting with is GDPR-compliant and how I would know that. Whatever consent you’re gaining throughout the process, it should be visible when you’re interacting with individuals. You should ensure the activity you’re undertaking is compliant, so your system should be able to flag it. In terms of deleting data, you should also be confident that the system you’re working with is able to do that.


CB: Is there a size of firm that needs legal counsel, or should everyone have it?

TB: I think that most recruiters are going to need some form of external advice, whether it’s something like Paul or a traditional law firm. You need to find an adviser who’s right for you. I’d be wary of someone selling you a package to make you compliant next week. Always be aware of your budget, but ultimately as a business owner, you own the decision. You ultimately decide how lax or strict you wish to be, but getting professional advice with the protection of  professional indemnity insurance provides comfort.

PJ: On gap analysis, take a look at the ICO website. There’s a wealth of information about the GDPR and the current data protection law in plain(ish) English. Have a look at the ICO self assessments; these will tell you how compliant you are with the current law and cover areas such as information security, records management, and direct marketing. The assessments will output a report and give you guidance and further reading on areas to improve as well. There is also a GDPR readiness assessment, but run this after the others as the ICO assumes you are already 100% compliant with the current regulation!

In terms of making decisions generally in relation to the GDPR, you have to at least try and analyse and cover as much as possible. Some areas you will decide as an organisation not to address and that is okay. Again, all things need to be proportionate to the size and nature of your business. Make a note of these decisions and add them to your risk register. The regulators will be looking for evidence that you have at least spent time and effort preparing for GDPR and that an informed decision was made on areas of risk that you may choose to not address. The GDPR is quite wooly in places, purposefully, and until there is some case law on this a lot will be down to interpretation.


CB: What’s the one thing that recruitment firms should do tomorrow to prepare for GDPR?

TB: It depends where you are on the journey, but I think the first thing is getting the board on your side. These things flow down from the top, and without the board understanding the importance, it will be a problem.

PJ: With all the noise and scaremongering, businesses are losing focus, or getting bogged down in the details.Take a higher-level approach. Slow and steady wins the race, so start now and do something. Don’t leave it until next year. Data discovery, writing new policies, these will take time.

VM: As well as socialising within your organisation, start to socialise to your suppliers. Multiple job boards and technology interacts with people’s data, so at a high level at least, ask them where they’re at in their journey.

CB: Ask questions of the data sets you’ve got and that you use every day and that you want to keep using. Interrogate your data, find out who you’re talking to, and why you’re doing it. Once you start asking questions, more will come up. The more you ask, the better informed you’ll be for writing a strategy.