Coronavirus challenges v GDPR obligations

Business Insights

21/10/2020

Your executive search or recruitment business probably had to adopt hastily to coronavirus. Perhaps changing where employees are located, how you communicate with clients or candidates, what systems you use, or even the types of services you offer.

However, your GDPR compliance commitments haven’t changed. If you have taken your eye off the ball due to coronavirus disruption, how can you get your executive search or recruitment business back on track?

Re-opening your office – GDPR considerations

As an employer, you have obligations to ensure the health and safety of your employees. If, due to coronavirus, it becomes necessary to collect additional personal data, GDPR should not prevent you.

However, you must carry out your data collection lawfully, collecting only the minimum data needed for your purpose; and safeguard the data you are collecting. For example:

Only ask for data that is absolutely necessary. For example, you might only need to record a yes/no fact of whether virus symptoms are reported, with name, date and action taken, such as self-isolation or homeworking.
Handle health related data separately from any candidate assessments to avoid the possibility of discrimination.
Restrict who has access to data and where you store it.
Only use data for the purpose it was collected.
Keep data for the minimum amount of time necessary.
Be clear and transparent with employees, candidates or visitors about what data you are collecting and how you will use it.

If you need to collect any health data, be aware that it is classed as Special Category Data, which has extra rules around its collection and processing.

Keep a record of all decisions you make about the data you collect and how you will use it, just as you are obliged to do with any other personal data, to comply with GDPR.

Working from home risks

Are you confident that the measures you have in place enabling employees to work from home are compliant with GDPR?

The ICO (UK’s data protection regulator) stresses the importance of organisations ensuring their systems are safe. If your workforce transitioned to working remotely in a hurry at the start of the coronavirus lockdown, re-assess risks to personal data and take action. For example:

How might employees access, store or use some types of personal data differently when homeworking?
Do you have an up-to-date policy for working remotely that sets out procedures for protecting person data?
Have you assessed security matters for employees using their own devices?
Have you provided clear guidance for handling or disposing of physical documents when homeworking? Like printed candidate CVs, assessment notes or shortlists.
If employees have remote access to data, give your IT support team clear instructions to follow in terms of who has access to what.

Document any risks you identify and, in response, what actions you are taking to improve your organisation’s processes and security, demonstrating that you are taking data protection obligations seriously.

Engage your employees to help protect your business

The majority of data breaches are caused by human error, so your employees play a crucial role in your organisation’s data security.

Working at home, employees don’t have the usual support or supervision around them. Have you educated employees on how to keep personal data safe in their day-to-day activities and about key risk areas? For example:

Have you clearly briefed employees on your data security expectations and kept a record of this?
Are employees trained to identify and handle phishing, viruses and other high risks?
Have you given employees clear instructions about passwords, device security and when to report incidents to their manager?
Have employees been trained on GDPR recently - what to do, and what not to do?

To help protect your business, take steps to refresh every employee’s awareness of their responsibilities for data security and complying with GDPR.

Overall…

Remember, GDPR holds your business accountable for how personal data is handled. Check that the key records you use to demonstrate how you handle personal data (your data map, privacy policy, legitimate interest assessments, policies etc) are up to date and that you have recently trained all employees on GDPR compliance.

Anna Wisdish, Director, Comply GDPR Ltd

ComplyGDPR helps executive search and recruitment businesses comply with GDPR, through training, practical resources and expert support services.

If you have questions about any GDPR matters for your executive search or recruitment business, or to discuss employee training, guidance sheets or other support, please get in touch!