Posted on

Are Recruiters Liable for Data Breaches When Sending CVs Via Email?

The ongoing joke of the moment is the amount of unsolicited emails you’re receiving as a result of GDPR, “consent” and the regulations that became effective as of 25th May 2018. But, the new General Data Protection Regulation (GDPR) is a piece of EU legislation that has thrown forward infinite questions about specific processes, particularly those in the recruitment industry. Among these questions is: Are recruiters liable for data breaches when sending CVs via email?

After all, they hold a ton of personally identifiable information (PII) in the form of CVs, application forms and the submissions through their website. But, how much of this are recruiters responsible for and if you’re communicating via email, are you responsible for this data if there is a breach, even when you’ve gotten consent?

We’re looking at the facts from the ICO as well as our take on protecting PII sent via email to limit your chances of a breach.

Liability under GDPR

In short, recruiters are liable for any data breaches resulting from the sending of CVs via email, but to understand why, we must delve a little deeper.

Under GDPR, the data controller holds ultimate responsibility for all personal information collected by their organisation. The data controller must be highly trained to pre-empt and effectively address any potential breaches and it is down to the controller to ensure that the all held data is collected, processed, and stored properly.

The data controller is ultimately responsible for their organisation, but all individuals within it must act in compliance with GDPR. Under this legislation, anyone handling personal data is referred to as a data processor. A data processor acts on behalf of the data controller, and must adhere to the rules of GDPR.

In this instance, recruiters are the data processors when they are working with sensitive data, such as that contained within CVs.

Liability for Recruiters

Recruiters, as data processors, have accountability over the information they collect, handle, and send elsewhere. This includes CVs.

They need to ensure that the CVs and the data within them are:

#1 Sent only to the intended recipients

#2 Are used solely for a specific purpose

#3 Are removed correctly when no longer required.

A recruiter must know exactly where the CV is going and how it is being used by the recipient. This is because, under the rules of GDPR, any EU citizen has the right to erasure, otherwise known as the right to be forgotten. If such a request is received, the recruiter (and their organisation’s data controller) are duty bound to honour and complete the request.

But, if they aren’t keeping records or control of the transmissions of personal data they send, this task becomes more difficult, if not, impossible.

In order to protect themselves and their organisations, recruiters are likely to be encouraged to seek a disclaimer with each individual before they receive any of their personal data. The language of the disclaimer will vary between each organisation, but most will contain an acknowledgment that the individual will surrender some control of their data whilst it is being processed.

Note that whilst individuals may give their consent to allow the data processor and data controller access and processing of their personal information, they are still protected by GDPR and retain custodianship of their own data, including the right of erasure.

Tools such as Data Subject Access Requests (DSARs) provide individuals with the authority to obtain all of the data held about them by another individual or organisation. These are commonly used during employment-related disputes.

Whilst UK legislation dictates that any DSAR is fulfilled within 40 days of receipt, GDPR goes further. If a DSAR is not honoured, it could incur a fine of up to 4% of an organisation’s annual global turnover, or a fine of €20 million, whichever is greater. Although the maximum is unlikely to be enforced, except in extreme cases, the potential severity of punishment in response to breaches clearly demonstrates the importance placed on the rights of individuals to retain authority over their data. Plus, that’s not the only cost a business can incur in the event of a data breach.

What steps can recruiters take to protect themselves from GDPR-related penalties?

Now that we’ve explored GDPR legislation and potential penalties that can be incurred as a result of non-compliance, we’ll take a look at five steps recruiters specifically can take to prevent a breach and protect themselves.

  1. Encrypt emails and Attachments

In order to avert unauthorised access to CVs and other personal data, a simple and effective solution is to encrypt emails and attachments. Encryption prevents data from being intercepted with malicious intent, and it ensures that only the intended recipient has access.

Encryption is easily managed through settings within some existing email client, or via third-party specialist services such as My Protected Mail. For large organisations, or smaller companies that routinely deal with a bulk of highly-sensitive data, the third-party approach is encouraged.

It is also worthwhile to ensure that all data processors (and controllers) are trained in the optimal use of encryption. After all, there’s no point in having a tool if it is not being used correctly.

  1. Only send CVs to the intended recipient (and prevent forwarding)

When sending a CV by email, recruiters should select only the essential recipients. If the CV is not directly relevant to a recipient, it should not be sent to them. By keeping the pool of recipients as small as possible, it helps to prevent potential breaches.

It’s also worth clarifying, within the body of the email, that the CV should not be forwarded to any other recipient without the permission of the recruiter. Forwarding of attachments, particularly without the knowledge of the original sender, makes it almost impossible to track where the data has gone. Keep in mind that the individual to whom the CV belongs may make a right to erasure request at any time. Failure to keep track of their data can jeopardise an organisation’s ability to do this.

  1. Provide extra information in your disclaimer

Make it clear to candidates, and all other individuals, precisely how their data will be collected, processed, and removed. Transparency at this stage helps to prevent issues further down the line. Use your disclaimer to present all possible scenarios, and ensure that consent is obtained before a CV is collected.

  1. Keep sensitive data secure within internal systems

We’ve discussed the procedure for sending CVs to external recipients, but what about internal record-keeping? This is equally critical, and organisations must ensure that their internal systems are secure enough to manage and protect stored data.

  1. Ensure that third parties are also compliant

Before a recruiter sends any information to a third party, it is worthwhile to sign an agreement regarding their respective data responsibilities. An organisation must ensure that all third parties are also compliant with GDPR, and will honour any future erasure or DSAR requests. This helps to prevent any potential problems in the future.

In Summary

As we have seen, recruiters and their organisations do have a responsibility to protect all data sent electronically. Recruiters are liable for data breaches since as data processors, they act on behalf of their organisation’s data controller, and are bound by the rules of GDPR.

It is crucial, therefore, that they are trained and equipped with the resources to keep client data safe.