What Are Recruitment Agencies Doing to Prepare for GDPR? An Interview with Prism Digital


There isn’t long to go until 25th May when General Data Protection Regulation (GDPR) rules come into force. At this stage, you’ll have thought about what this means for your recruitment agency and what you’ll need to do to be compliant. But many agencies are still unsure if the steps they’re taking are enough.

Recently, I spoke with Alex Dover, Director, and Oliver Palethorpe, Marketing Manager at Prism Digital, a specialist Technology and IT recruitment consultancy, to learn how their agency has been preparing for GDPR and what they’ve been doing to ensure their whole team is fully on board.

Kieran Edwards (KE): What do you think of the general information and training on GDPR that’s been made available so far? Would you say it’s given your agency a good awareness of what GDPR is and how to prepare?

Oliver Palethorpe (OP): We think there’s plenty of useful information out there and we got quite a lot of good free information from the Information Commissioner’s Office. The most important pieces of information for us were its list of FAQs and a checklist that takes you through the necessary preparation steps.

We’re also a member of the Recruitment Director’s Lunch Club (RDLC), which has given us invaluable opportunities to network with other recruiters, and there’s been a lot of discussion about how we’re all preparing for GDPR, and together we share resources. The RDLC is also offering training for members, which we’ll be taking up. But we’ve actually found Bullhorn’s recent webinars featuring Lucy Kendall of ComplyGDPR to be the most helpful resources of all.

KE: What kind of staff training have you had, or do you plan to have on GDPR?

Alex Dover (AD): We started by giving all staff some initial training by doing a presentation explaining the basics of what GDPR is and what will be expected of all of us when GDPR becomes enforced. We’re also looking into running some further training courses, such as e-learning courses from London Management Consulting and ComplyGDPR, to make sure our staff are fully up to speed on the regulations now that there’s more clarity about what they’ll entail. The initial course will be an intensive one over a few weeks. Moving forward, we’ll monitor how staff are doing with data controlling, and do training ‘top-ups’ every quarter or so. We’re keeping a diary of all of the GDPR training we’re doing, with links to resources that we find such as webinars, which keep all of our team fully up to date.

KE: Why do you think it will be important for staff to receive such training?

AD: Well, we have to have staff buy-in to be compliant. Our recruiters are going to be controlling data as much as anyone else in the company. If they don’t process it properly, then the whole effort will be for nothing. We need them to understand the role they play in maintaining people’s data, acknowledging their right to privacy, and helping to ensure our agency remains compliant.

KE: With that in mind, how will you ensure staff of all levels are on board, and how will you monitor whether they’re following company policy on GDPR or not?

AD: We’ve been making sure that staff are fully involved at every stage. For a lot of recruitment agencies, there’s a mindset that the bigger the database, the more valuable it is and we have to ensure our recruiters don’t view it that way, too. Their buy-in is vital because they’ll be using and controlling the data that we have.

We began by getting consultants involved in what we called the ‘data cleansing process’: we asked them to identify the core areas they recruit into and create an array of search strings which were then used to put candidates into long lists. We then archived all CVs outside of those protected candidate lists. We ended up cutting about 75 percent of our database, but because our consultants were so closely involved in deciding which candidates were going to form the core to retain and protect, it was easier for us to get them on board with the idea of making these cuts in order to retain the right data.

Obviously, it’s impractical to monitor consultants 24/7, but we feel that if management has a clear overview of what every member of staff should be doing to ensure compliance and our consultants understand the importance of their role in this, it should work. The benefit of being a small company is that we can be agile and really shape our activities in a way that allows for best practices to be adopted quickly. Plus, it’s obviously easier to get the entire workforce on board and compliant when there are fewer of you.

KE: Most recruitment agencies have an understanding that an integral part of being deemed compliant with GDPR hinges on their ability to demonstrate they’re at least doing their absolute best to be compliant. With that in mind, what kind of methods and documentation do you plan to use as evidence?

OP: We’ve already started documenting our procedures. We have a spreadsheet at the moment with all of our steps in the GDPR process but, once we’re properly settled, we’ll be relying on our recruitment CRM quite a lot to help us document these sorts of things. We’ve also drafted a GDPR action plan detailing what we know we need to do, what we think we have to do, and what we need to find out. There’s still an element of the unknown, but we’re keeping on top of it that way.

KE: Recruitment agencies don’t just have internal data. Sometimes you work and share personal data with third parties such as RPO companies, umbrella companies, or payroll companies. What kind of steps will you take to ensure that all of your partners follow the rules?

OP: When we have a better understanding of our own data, we’re going to create a privacy policy document and a separate external procedures document. We’ve spoken to our accounts team and they’re putting together a GDPR policy, too, so we’ll ensure that there are the correct procedures in line. As recruiters, we must share data with our clients, but we’ll be showing them our privacy policy document and asking for confirmation that they’ll either work according to our policy or have a similar policy in place.

KE: Let’s now consider the ways that you’ll be collecting and processing data. What security precautions do you have in place to ensure they’ll take place in a compliant way?

AD: We’ll be using some of the tips from one of Bullhorn’s recent webinars, such as ensuring we have encryptions on our laptops and screen protectors. We’ve just started working with a new IT provider called Keybridge IT, which is up to speed with its own GDPR process, and we’ll be liaising with them to improve our security across our devices and internal systems. We’ve also done an audit of our data, checking that it’s all stored on the cloud so it’s accessible for monitoring purposes.

KE: What kind of technology will you use to facilitate your GDPR compliance?

AD: We’re going to be using Bullhorn, our recruitment CRM, intensively to record and monitor our data. It will be an important tool, especially for seeing when candidates have been on the system for a while and haven’t been contacted or updated.

KE: I’d like to end by getting your own views on GDPR. Which positive aspects do you think GDPR will have for recruiters? Do you think there will be any negative consequences of GDPR for the sector?

AD: On the negative side, I think there’s a panicky feeling around GDPR at the moment. It’s making people a bit jumpy and perhaps a little too militant on the enforcement side. There’s a growing realisation that we can’t be perfect and won’t be expected to be, but as long as we show that we have the proper structures in place and are trying to be compliant, then we should be okay.

OP: We’re actually really looking forward to getting our data in order! It’s going to be good to clean up a lot of old records. I think it’ll be a really great opportunity to look at how we work more generally, and see if we can improve our method. In the past, I think we, like most recruiters, have been guilty of holding on to far too many candidate records. But this new legislation will show that less is more: we’ll have fewer but better records, and we’ll place more value on the data that we hold. I think we’ll be more effective at note taking as a result, and that GDPR will encourage improved administration from a CRM perspective.

The introduction of GDPR gives recruiters a fantastic opportunity to reassess and clean up legacy data, giving you a clearer view of the candidates you want to focus on engaging with. Seize this opportunity to develop a powerful candidate engagement strategy, and reap the rewards of the old adage that says “less is more”.

For more information on GDPR, check out the GDPR Resource Centre for articles and a 3-part webinar series featuring advice from Lucy Kendall of ComplyGDPR.
