Why Australian Agencies Can’t Afford to Ignore GDPR


Australian recruiters have no doubt heard about the imminent enforcement of the General Data Protection Regulation (GDPR) and know that the legislation affects how businesses can gather and store data. But while the legislation’s been produced in the European Union (EU), Australian recruiters can’t afford to ignore it. GDPR applies to not only organisations based in the EU, but also to any company that does business with persons based in its member states. Given here are serious consequences for those who breach the rules, no agency that does business in regions where GDPR rules are in effect can afford to ignore the law or fail to be compliant.

What is GDPR?

GDPR is a new data protection law which comes into effect on 25th May 2018. Its aim is to better protect the data that companies hold on individuals, and to give people more control over their personal information and how it’s used.

Under GDPR, candidates will have to give explicit consent for their personal data to be collected and used, or recruiters will have to demonstrate a legitimate interest on the part of the candidate in doing so. Candidates can object to their data being processed for profiling purposes and at any point they can ask for their personal information to be deleted.

Failure to comply penalties are up to the equivalent of €20 million ($31.2million) or 4 percent of your company’s global annual turnover in the previous year (whichever is the greater), enforceable by the Information Commissioner’s Office (ICO). Consequently, it’s important to understand the legislation and how it might affect your agency if your agency processes the data of individuals in the EU, or supplies workers or services to countries within it.

Where can you go for guidance?

The ICO has plenty of guidance. Two particularly helpful pieces are its list of FAQs and a checklist that takes you through the necessary preparation steps.

Ian Turnpenny, Managing Director of Volcanic’s APAC operation, notes that GDPR shares a lot of requirements with the Australian Privacy Act, and he highlights the additional terms to be aware of. You may find your agency is already complying with many of the necessary steps, but it’s wise to check.

It’s important to show regulators that you’ve done all you can to be compliant and that every employee is fully on board, so keep a record of the steps you’ve taken to ensure your agency’s compliance. For example, keep a list of attendance at any staff training sessions on GDPR. Some agencies are collating relevant resources in an online folder, which employees confirm in writing that they’ve read. This helps to keep everybody up to date with the latest developments and guidance. One significant step is to ensure you have a GDPR-relevant agency privacy policy and share this with affected candidates and clients. The ICO resources also give guidance on how to do this.

If you’re unsure whether or not your agency is compliant, seek the advice of a specialist. Being GDPR compliant means you’ll have the processes in place to significantly reduce the risk of data breaches, such as cyber risks, which can be costly both in terms of business and reputation. Knowing the law will positively impact the trust that your clients and candidates place in you.

To find out more about other legislation affecting Australian recruiters, check out The New Data Privacy Law Your Recruitment Agency Can’t Risk Breaching.

Subscribe to the Recruitment Blog

Subscribe for trends, tips, and insights delivered straight to your inbox.