GDPR: Almost One Year On
Back in the spring of 2018, we carried out our last candidate engagement drive. Nearly one year on, we’re about to start our next candidate engagement drive, and given the large amount of personal data we process, as the Data Controller at ESP, I believe it’s important that I explain what we did a year ago in preparation for GDPR and why.
The background to GDPR
Just in case you’re not sure what GDPR is and how it affects you, and us, let’s give you a brief overview. The General Data Protection Regulation was designed to update the laws that protect you and your personal information, and changes what businesses like us, and the public sector, can do with your information. The Data Protection Act 2018 is the UK’s implementation of GDPR and controls how your personal data is used by businesses, organisations and the government.
So, that’s the background to GDPR. Now to the background work that ESP did in preparation for GDPR. In the 18 months prior to the new GDPR regulations coming into effect, we carried out a huge data cleansing exercise. We took our candidate database of nearly 17,000 records and, bit by bit, reduced this to just 8,000 records.
Two of my colleagues and I went through every candidate record, reviewed the information we held and decided whether it was still relevant to our business of sourcing and recruiting staff for the education support sector. We emailed every candidate in our database advising them of the data we held and asked them to confirm (a) if they were still looking for a job, whether they wished ESP to continue to hold their data, and (b) if they were no longer looking for a job, by return email, that they wished us to destroy the personal data we held on our database. This task took many months of gruelling work, including evenings and weekends, but in the end, we had a much cleaner and more relevant candidate database as a result.
At the same time as working our way through our candidate database, we went through a process of removing redundant data stores, cleansing existing mailboxes and destroying old mailboxes that were held online and on the hard drives that remained in the office.
The improvements at ESP
We’ve been working hard to make a number of significant improvements at ESP. We moved all our systems and applications onto Office 365, making our old on-site server redundant. This move meant we were able to ensure complete deletion of any data on demand once Microsoft had perfected their content search functionality. On top of this, we have just completed the project of moving all our computers, laptops and other devices onto Windows 10, ensuring that all the devices at ESP are managed centrally by Intune as well as being encrypted, secure and compatible with each other, including our on-site desktops. It was an expensive task, but one that is well worth the investment, allowing us to deliver a safer data environment.
Our staff have been attending a range of training courses and we are constantly looking at ways in which we can improve data flows in the business, minimising duplication, unnecessary data retention and risk.
In many ways, GDPR has made us much more aware of where data is stored, how it is used and how to manage the data more effectively and securely.
Our latest candidate engagement drive – the ‘Spring Clean’
For us, it’s important that we remind candidates that we have their details and why we’re holding them. So many candidates on our database are either not aware that we hold their CV, or have long since forgotten they sent us one; in some cases, we hold further documentation about the candidate. It’s worth reminding everyone that, in some instances, we have a legal reason or obligation to retain some forms of data; for example, we have to hold P60s and P45s for a minimum of 6 years. This is one of the reasons why we carry out a ‘Spring Clean’ every year, to allow candidates to update us about their position. Information has the greatest currency when it is live.
Shortly we will be beginning our ‘Spring Clean’ process again, emailing candidates from our CRM to remind them that we hold their data securely. Although we would like to retain this information because we believe it could be relevant for advancing their career at some point in the future, we also advise our candidates that they can request that it be updated or removed, with the exception of any data that we need to retain for legal reasons, as mentioned above.
We suspect that our ‘Spring Clean’ process likely puts us in the Top 10 of recruitment companies when it comes to Data Protection. To undertake this comprehensive and important candidate engagement drive is a costly process, but I hope candidates understand why we do this and work with us to keep their data where it should be.
A little ‘nota bene’
Finally, I want to clarify how we collect your data, why we retain it and how we look after your data. Your CV and any supporting documentation are collected in several ways but principally by:
- the submission of your CV, and any other documentation, by you via our website, via an online job board or via direct mailing, or
- downloading the CV that you posted on a paid-for job board, for legitimate reasons.
We will retain the data you have sent to us, or we have downloaded from a paid-for job board, in order to carry out our business of providing recruitment services to our candidates and our clients. We want to reassure you that we will never send a candidate’s data to anyone without their specific consent unless there is a clear legal reason to do so. Where possible, we will always declare from where we have received your data, although some of our older records may not have this information.
At ESP, we are dedicated to sourcing the right job for the right applicant, and matching the right applicant with the right employer. To discuss your job requirements in more detail or for valuable advice, contact us today. Alternatively, view the range of jobs that we are looking to fill on our website.