Europe-wide data protection requirements could hit recruitment in 2015
13 January 2015
2015 could be the year that new European data protection requirements, backed by the threat of costly fines if not followed, will finally emerge after several years of debate and negotiation – and potentially have a major impact on the recruitment industry.
Tue, 13 Jan 2015 | By Nicola Sullivan
If finalised this year, the Data Protection Regulation (DPR) will have a two-year implementation provision, meaning that it would take effect in 2017.
According to Kevin Barrow, a partner at law firm Osborne Clarke, the DPR, coming from the European Parliament, could have a huge impact on the recruitment industry. It will be much more specific about what businesses can and can’t do with regard to data, and penalties for data protection breaches will go up to €100m (£78.3m) or 5% of worldwide turnover, said Barrow.
Crucially, the new rules, which observers had hoped would be completed in 2014, will give individuals the statutory right to be forgotten. This will allow people to have personal data erased by organisations should they request it.
Barrow told Recruiter: “Under the statutory right the data subject will have the right to have all references removed if they request it. I don’t even know if that is going to be possible [to do] for someone who runs a database.”
He added: “My understanding from others is that the statutory right that the European parliament is discussing is technically going to be very difficult for people to comply with.”
Another major development would be that organisations processing or holding data on individuals will need consent to transfer details about them to other parties.
“Obviously [recruiters] are going to be passing stuff on to potential employers and hirers.” Barrow added: “An RPO [recruitment process outsourcing] company receives CVs from staffing companies and passes them on to the hirer. Has that been consented to? Did the candidate really know that [the data] was going to an intermediary?”
However, he said that without seeing the final wording of the legislation it was difficult to speculate on how the rules might affect these sorts of processes.
Also, data protection could be particularly challenging for recruitment firms that provide services in Europe but process data in countries like the Philippines or China. “If they do that they have to ensure European data standards are being maintained in those locations,” said Barrow.
“As recruitment companies have globalised they haven’t really kept up with that and because the penalties are going up it is something that they can’t afford to neglect for too much longer.” He added: “A lot of them are compliant but some of them grow first and comply later.”
Commenting on the challenge presented by cyber criminals, Tony Samuel, sales director of CyberSecurityJobsite.com and Securityclearedjobs.com, told Recruiter: “It is amazing how much loss to cybercrime is going on that doesn’t get reported. It has only been in recent years that [companies like] banks have all got together and said we need to attack this.”
While he doesn’t think hacking is a huge issue for job boards at the moment, he did say that logins and passwords are valuable for hackers because people often use the same details for other sites.
This year, the job boards provider will move to a new platform as part of efforts to further increase the security of the sensitive data it holds on its sites. A third-party hosting provider will hold all data offsite, and passwords and other details will be encrypted and therefore not sent over the internet. An independent penetration company will test the site every quarter.
Recruiter recently reported on claims made by two job boards that their clients’ data was being illegitimately resold by recruitment firms.
• For suggestions on how to deal with the impending legislation, see the February issue of Recruiter, published next week.
DeeDee Doke contributed to this article.
