With GDPR coming into effect in May 2018, many temp agencies have to adapt their internal processes to be in compliance.
Having a big database of candidates, freelancers and independent contractors has always been considered an asset, but will this still be the case with the new regulation in place?
The EU General Data Protection Regulation (GDPR) was adopted in April 2016 and will take effect across the European Union (EU) on 25 May 2018, when it supersedes the 28 current national data protection laws based on the 1995 Data Protection Directive.
Every organization that processes or shares personal data now has to comply with the new Regulation. This involves organizations understanding what personal data they currently hold or process and the risks to that data, adapting their business processes and infrastructure, implementing tools and compliance processes, and changing the way they collaborate with suppliers.
What Are the Penalties?
Ignoring GDPR or getting it wrong could be costly: organizations found to be in breach of GDPR face administrative fines of up to 4% of their annual global turnover or €20 million – whichever is greater.
What Does This Mean for the Temp Agencies?
Obtaining Candidate / Temp Staff Consent
Temp agencies have to obtain “valid consent” from candidates, freelancers and temp staff to justify the processing of their personal data. Consent must be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”.
What if “smart” techniques are used to ensure consent?
Silence, pre-ticked boxes or inactivity do not count as consent. The temp agencies have to keep records to demonstrate that consent has been given by the relevant individual. Finally, consent must be explicit when processing sensitive personal data or transferring personal data outside the EU.
How to obtain consent from those candidates and temp staff whose personal data is on file?
It depends on the contact details that are kept on file. If the temp agency has an email address, the best approach would be to send an email to the individual asking for her/his consent. If the consent has not been obtained, the data needs to be deleted.
What about consent withdrawal?
Once the consent has been obtained, it can be withdrawn at any time. The data processor, aka the Temp Agency or the Staffing Agency, needs to ensure that individuals can withdraw their consent as easily as they gave it, at any time.
How can this be practically achieved if the consent has been obtained via an email?
Theoretically, the individual who has given consent will keep the email and reply to the temp agency to say that consent is to be withdrawn. As this does not comply with the requirement that consent be as easy to withdraw as it was to give, the best approach would be to grant individuals access to a portal that allows them to exercise their right easily.
The best temp agency software solutions support individual profiles and the candidates, freelancers and temp staff have access to their profiles at any time. The individuals can easily check what data is kept for them on file and withdraw their consent via a click of a button.
The Right to Be Forgotten (RTBF)
Individuals have the right to require the data controller to erase all personal data held about them in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected. There are a number of exemptions to this right, for example in relation to freedom of expression and compliance with legal obligations.
How can this right be exercised if the candidates and temp staff have no access to their data?
Probably the fastest and cheapest solution is to publish an email address or a special contact form on the web page of the temp agency, to be used to exercise the right. However, this is a short-term solution only and is feasible if the database is relatively small.
When does RTBF apply?
- The data is no longer necessary and there is no valid business case – e.g. the candidate is no longer interested in the services of the temp agency;
- The consent has been withdrawn;
- The candidate, freelancer or independent contractor objects to processing based on legitimate interests;
- The personal data has been processed unlawfully, or
- An EU law requires erasure.
When does RTBF not apply?
- Exercising the right of freedom of expression and information;
- The retention of personal data is required by an EU law, or
- For the establishment, exercise or defense of legal claims
The permanent solution addressing the needs of temp agencies of all sizes is to give individuals access to their profiles and data and the right to delete the profile or to request that the profile be deleted.
It is important to note that not only the individual’s profile needs to be deleted but all records kept on file need to be deleted. This could be a challenge if a number of departments have access to a copy of the data extracted from the profile of the individual.
- Right of access
- Right to rectification
- Right to restriction
What are the practical steps that a temp agency can undertake to ensure compliance?
Let’s assume that a temp agency keeps on file the personal data of 10 000 candidates, freelancers, temp staff and independent contractors. The data has been collected over 5 years and none of the individuals has access to her/his profile and personal data.
Moreover, the sales have been sluggish and there is a very limited budget allocated to compliance.
What could be the short-term solution in such a situation?
A possible course of action to address the compliance requirements in the short term would be to:
- Send an email to all individuals whose data is kept on file asking for their consent AND providing an option to withdraw their consent.
- Send a second email in 30 days to those individuals who have not acted.
- Finally, send one more email to those individuals who have not bothered to take action, informing them that if no action is undertaken within 14 days, their personal data will be deleted.
- Effectively delete the data of those individuals who have not acted or have withdrawn their consent.
- Publish a special contact form or email on the web page of the temp agency allowing candidates, temp staff, independent contractors, etc. to exercise their rights to be forgotten, access the data on file, withdraw consent, etc. This is a short-term solution only, as the processing of such requests needs to be automated, historical data needs to be kept to prove that the request has been addressed, etc.
- Regularly send information to the individuals informing them what personal data is kept on file, etc.
What could be the long-term, permanent solution?
All of the above needs and rights are well addressed by a number of temp agency software solutions. Advanced temp agency software will not only simplify the compliance process but will also result in substantial cost reductions.
So how to select temp agency software?
Good temp agency software shall:
- Grant candidates, temp staff, freelancers, employees, etc. access to their profile and the data that is kept on file
- Give individuals the right to amend the data, withdraw their consent, ask to exercise the right to be forgotten (RTBF), etc.
- Allow the temp agency to keep track of the projects these individuals have applied for, the payments that have been transferred, etc.
Transformify is a CSR Recruitment Platform providing HR software, Temp Agency Software, payments and other solutions. Transformify is not a legal practice and this article by no means constitutes legal advice.