Unless you have been hiding under a rock for the last 6 months, I’m sure by now you will have heard about the imminent GDPR that comes into effect on 25 May 2018 – and hopefully you are on the way to preparing for it.
So, in a nutshell, what is it and why should I care?
The introduction of GDPR will replace the current EU Directive 95/46/EC (the ‘Data Protection Directive’). It will extend the reach of EU data protection law, and as recruiters work with candidates’ personal data on a day-to-day basis, this affects you!
Don’t be afraid
Much has been written about how GDPR means changing your whole business model. The reality is that, yes, GDPR brings significant changes to existing data protection regulations and introduces new requirements, but existing legislation gives you a good platform on which to start.
Some of the big changes introduced by GDPR that you need to be preparing for are detailed below.
If you are processing the personal data of EU citizens then you are obliged to comply with GDPR, and having a lawful basis for using personal data is a must. Consent by the individual is a lawful basis for storing and processing data; another lawful basis is the fulfilment of a contractual obligation. It is advisable to adopt a ‘belt and braces’ approach with multiple legal bases; however, each individual consent should make clear the specific purpose the candidate is consenting to.
Here is a summary of the new strict rules for obtaining consent from individuals.
Consent is king
As a recruiter you should know there are multiple levels of consent. Just because you have consent from a potential candidate regarding a specific job, where the purpose is to enter into a contractual obligation, this is not free rein to use their data for promoting other roles or adding them to your mailing list.
Be aware that you are required to provide greater transparency to individuals about the data you are collecting—at the time of collection—and how that data will be used.
Be clear on the particular purpose the candidate is consenting to and how their data will be used and retained, e.g. consent for an application, consent to be sent job alerts, consent to receive newsletters, consent to join talent pools etc. The ‘legal basis’ for capturing and processing a candidate’s information must be clearly distinguishable. No more ‘If you would not like to receive our messages, please confirm your acceptance of not agreeing with our terms by unchecking the box’.
Consent is also time-limited, and candidates should be able to withdraw consent as easily as it was given.
Getting the explicit, affirmative consent of your candidates, either active or passive, is essential to demonstrate your commitment to GDPR compliance.
Personal / Sensitive Data
In recruitment, we collect lots of data about our candidates, but which of it is deemed ‘personal’ or ‘sensitive’? The GDPR specifically identifies new categories of data beyond names, addresses etc. (such as cookie IDs and IP addresses) that will be subject to the regulation, and expands the definition of sensitive personal data.
In addition to candidates having additional rights over how you store and process their individual data, such as the right to be informed and transparency over how you use personal data, you should only keep data for as long as necessary for the purposes for which it is processed. No longer can you capture data once and keep it indefinitely. This is a good factsheet and action plan from CIPD.
The security of the personal data you work with needs to be ‘appropriate to the risk’. You need to ensure you have the appropriate security measures in place, e.g. if you use a cloud-based ATS/CRM, do you have the option of encryption of data at rest? Does your ATS/CRM provider have a security management system in place? Ask to see how your data is backed up.
Don’t leave it to chance
These are just a few of the changes to existing data protection regulations, and you have the responsibility to demonstrate you are compliant. Don’t leave it to chance. The GDPR will introduce significant changes to existing data protection regulation, and it is recommended that all organisations seek legal advice to ensure that their recruitment processes are compliant and ready for the introduction of GDPR in May 2018.
A good place to start in preparing for GDPR is to document/review all of your existing recruitment data processes to evaluate how they fit against the new legal requirements. Build in the process of reporting any data breach – any significant breach must be reported to the relevant authority within 72 hours! This report from the ICO is a good reference point.
And if you ignore GDPR? Be prepared for heavy penalties for failure to comply with the regulations: fines of up to €20M, something I guess none of us want to experience!
You can find out more about Eploy’s complete cloud-based recruitment platform and check out a whole host of free resources here, including our latest e-book ‘The Recruiter’s Guide to GDPR and your candidates’ rights!’
If you have any useful points to share with other readers on GDPR then please share and comment.