The REC (Recruitment & Employment Confederation) has published this useful update on the GDPR’s right to erasure rules, which need to be understood and acted upon by recruiters and third parties to which they transfer personal data.
There have been many questions about how the EU General Data Protection Regulation (GDPR) will affect the recruitment industry. A key concern for recruiters is the right to erasure.
What is the right to erasure?
Along with many other rights, the GDPR will introduce the right to erasure, otherwise known as ‘the right to be forgotten’. This will give individuals the right to request that their personal data be erased without showing that the processing of their data caused them damage or distress (a current requirement under the Data Protection Act 1998).
How do recruiters demonstrate compliance with a right to erasure request?
Many recruiters have asked how they can demonstrate that they have complied with a right to erasure request, and whether archiving a candidate’s personal data will be considered erasure under the GDPR. The answer to this is that the right to erasure requires a complete removal of a candidate’s personal data so archiving a candidate’s personal data will not meet the erasure requirements under the GDPR as there will still be an element of processing involved and the candidate’s data will still exist in your database.
The right to erasure requires a complete removal of a candidate’s personal data so archiving a candidate’s personal data will not meet the erasure requirements under the GDPR …
Recruiters will not be able to retain a candidate’s data in order to demonstrate that they have complied with a candidate’s request for erasure as demonstrating compliance will involve removing all traces of the candidate’s personal data. Any third parties that you have transferred the candidate’s personal data to will also have to be informed of their request to have their data erased.
What are the exceptions?
The right to erasure is not an absolute right. There are exceptions under the GDPR where an organisation does not have to comply with a right to erasure request. For recruiters, the most relevant exception is having to process data in order to comply with a legal obligation.
For example, recruiters may need to keep records in order to demonstrate compliance with the Conduct of Employment Agencies and Employment Businesses Regulations 2003 which require the retention of work-seeker records for at least a year after their creation and at least one year from the date they last provided their service (i.e. the date from which a recruiter last sent the candidate’s CV to a client). Additionally, for the purposes of payroll, National Minimum Wage records must be kept for three years from the end of the tax year they relate to and this may also be something for recruiters to consider. It is important to emphasise that a right to erasure request will still need to be responded to and if personal data is being retained for legal purposes then this will have to be explained to the data subject.
Where to get more information
Other queries about the GDPR often revolve around whether it will restrict a recruiter’s ability to carry out criminal records checks, how recruiters engage with jobs boards and social networking sites and whether recruiters can rely on consent to transfer personal data to third parties. Many of these topics have been covered in [the REC’s] newly designed guide to the EU GDPR for members.
In addition, the ICO has produced useful information on the right to erasure. As we continue to liaise with the ICO on a variety of data protection concerns for the recruitment industry, we will update our guide as well as the GDPR and data protection sections of our Legal guide. For all legal updates, please visit our legal news feed.
Source: REC | Najat Jebari | 26th October 2017