How the GDPR will affect recruitment
A FREE GUIDE FOR RECRUITERS
A trendy topic, also in the world of recruitment.
I think you would agree with me that the uncertainty as to how to prepare yourself for the GDPR is nerve-racking. And you’re not alone. I dare say that every recruitment agency nowadays has personal data stored in its database and is therefore subject to the new Regulation, which will take effect on the 25th of May 2018.
If you could choose what’s best for your organisation what would you rather do? Pay 2% of your annual global revenue or €10,000,000? If your answer is ‘neither’ then I suggest you keep reading, because you might end up paying either, whichever is higher.
And why is that, you ask?
Because you probably didn’t take the precautionary measures to cope with the new Regulation.
That’s right. Sitting and waiting until the new Regulation takes effect only to decide afterwards what you’re going to do with your data is too late.
I guarantee it. Especially when you’re a large organisation, where the process of implementing the changes is likely to consume a lot of time.
For those that are still not sure what the GDPR is, I’ll briefly explain.
The overall goal of the GDPR is to give individuals more control over their personal data by strengthening their rights as to how their data is obtained and used, for both commercial and non-commercial purposes. The rules included in the new Regulation cover facets such as data breach notifications, a more coordinated way of enforcing the Regulation, penalties, and actions to promote more privacy for data subjects.
In other words, now more than ever, you have to be able to justify why you obtain data: what data you obtain from data subjects and what you do with it, all of which must be disclosed to the data subjects in question. Transparency is key here.
10 steps you should take now to prepare yourself for the implementation of GDPR
1. Are the key decision makers in each department aware of the change in law?
Those who lead a department need to be aware of the GDPR. It affects everyone, and it is the decision maker’s obligation to spread the message to their team members. Aside from that, if you are a large organisation you may find that complying with the GDPR is quite complex, which is why you might want to start the preparations sooner rather than later.
2. Document everything related to the process of collecting and handling data.
How do you obtain the data, where did it come from, and whom do you share it with? These are the key questions that you need to get answered during your information audit. The GDPR requires every organisation to be able to create this documentation. This also means that upon review you might discover that some of the data you have shared with other parties is incorrect. If this is the case you have the obligation to inform the receiving party of the discrepancies in the information so that they can correct their own records as well, which in turn benefits you both, as you are then able to comply with the accountability principle of the GDPR.
3. Review your privacy notices and map out changes that need to be applied in preparation of the GDPR.
Whenever you collect data you need to ascertain that the data subject is aware of who you are and what exactly you are doing with the information. As mentioned before, it is all about transparency. In addition to what the old DPA required, additional notifications need to be added to the privacy notices in order to comply. Check the privacy notices code of practice from the ICO for further information on the requirements of the GDPR.
4. Be aware of the rights of the individuals
Time to review the procedures you have in place to safeguard the rights of the individuals. Aside from the many rights individuals already had under the old regulation, make sure you pay special attention to the following:
- The right to access all the personal data that is collected from the data subject;
- The right to request data to be rectified;
- The right to be erased from databases / be forgotten;
- The right to obtain the data and transfer it to another organisation;
- The right to object that the individual’s data is being processed;
- The right to be informed that personal data is being used;
- The right to be informed;
- Lastly, the right of the individual not to be subject to automated decision-making.
5. Refresh your consents
You should prepare for opt-ins instead of opt-outs. When the new GDPR is enacted you need to make sure that all of your existing consents are opt-ins as well. The new GDPR also prescribes that ‘subscribe’ boxes cannot be pre-ticked, as this will be prohibited from the 25th of May. Consent cannot be derived from silence. To comply with the GDPR you need to ensure that the consent your data subjects are presented with is clear, specific and, certainly not least, easy to withdraw.
The ICO provides a more detailed guideline on how to comply with new rules regarding consent here.
6. Take the age of the data subjects into account.
Depending on the industry you’re in, you might want to consider whether parental consent is required for storing personal data. This is the first time that a data protection law specifically focuses on the protection of data belonging to children. From the age of 16 and above, people are able to give their own consent. Anyone who is below that age is not eligible to give their consent; in that case a person holding ‘parental responsibility’ needs to give their consent instead.
7. Ensure that you have all the procedures in place to cope with data breach.
Most companies already have some system in place to cope with a breach of data, but now safeguarding data is more important than ever. Therefore, procedures to detect and investigate a data breach are vital.
In the unfortunate event a data breach occurs, failing to comply with these rules will almost certainly result in a fine.
8. Being able to map out potential risks.
This is done by conducting so-called Data Protection Impact Assessments, or DPIAs. A DPIA is particularly important in cases where a new kind of technology is introduced for processing personal data.
9. Assign a dedicated DPO
There are a few particular cases where assigning a Data Protection Officer (DPO) is actually a must: if your organisation is a public authority, and / or when you process data relating to individuals on a large scale.
10. You have an international presence?
Then you should decide on a lead data protection authority in order to cope with the differences in data protection and privacy legislation between countries overseas and the European location(s) where your business operates.
BONUS: Develop an encryption strategy
When personal data is breached, you can bet on it that you will face a loss of revenue, credibility, fines, and other liabilities to the detriment of your business. You can avoid this by including an encryption strategy in your plan to deal with the new GDPR. Irish Tech News did a great job of describing why every organisation needs an encryption strategy, and I strongly encourage you to give it a read to be even better prepared for the 25th of May 2018 by safeguarding your candidates’ data.
Of course, the actual impact of the new Regulation has yet to be determined, but you can be sure that companies, more than ever, will be held accountable for the data they store and their reasoning behind having that data. Wait no longer and avoid penalties.
Linda founded Next Generation in 2007 with a clear vision in mind of providing a superior service to both clients and candidates.
As CEO, she has an innate talent for grasping advances in recruitment and IT systems, marketing initiatives, and business and commercial strategies, which keeps the company in a strategic and competitive position.