A year on from GDPR, it is clear that there is an increased understanding and awareness of how personal data is used and what our legal rights are.

We looked forward to GDPR at the time, and whilst we have spent time ensuring our policies are up to date and compliant, our working practices were largely in line with GDPR already. In this, we were in minority – in a survey conducted by Invenias for Bullhorn 87% of recruitment firms report that GDPR resulted in improved working practices. As we predicted at the time, it seems GDPR has been beneficial for the recruitment industry.

Invenias’ survey showed that executive search firms felt the biggest challenge around GDPR was ‘knowing if the actions taken to comply are sufficient’. However, the same survey highlighted a growing belief that GDPR represented an opportunity to improve working practices, reduce business risk and to improve the quality of data held. Whilst these areas all scored highly before GDPR came into effect, the numbers are significantly higher a year on. Not only that, but 60% of respondents now feel that GDPR has resulted in an improved service offering.

This is great news for the industry. However, GDPR has also empowered candidates, giving them a way to deal with unethical practices. For example, whilst sending CVs without a candidate’s permission is now illegal, we still hear tales of this happening, and several of our candidates have exercised their rights under GDPR to be represented by us over an agency who had previously sent their CV for the same role, but without their knowledge.

Whilst candidates are using GDPR to choose their representation, very few have asked us to have their details deleted, and we have had no data subject access requests. This mirrors the wider industry experience, with 80% of firms having had less than 10 requests, and 40% none at all.

Invenias’ survey also shows that firms are increasingly using legitimate interest as their lawful basis for storing candidate data, up from the anticipated 65% pre-GDPR to 91% today. By comparison, Fram uses a mix of legitimate interest and consent. When it comes to retention of data, policies vary greatly.

Beyond the world of recruitment, GDPR has changed both general awareness of data protection, and the way firms handle data. DPAs are also increasingly enforcing the law, moving away from the guidance and recommendations in the early days, to flexing their increased fining muscle. The ICO recently issued heavy fines to BA & Marriott, and there have been significant fines issued elsewhere in Europe too. This graphic shows some of the activity. GDPR has also influenced thinking around data protection laws across the world, among them India, South Korea and Brazil, and the EEC countries all have aligned laws.

---