Recently you might have heard a buzz around data protection in Europe. This is because data protection regulations are about to change fundamentally, and compliance is not a ‘nice-to-have’. From 25 May 2018 the General Data Protection Regulation (GDPR) applies, and if you work in recruitment, you know you are handling more personal data than most other businesses.
What does complying with GDPR mean for recruiting companies and departments?
As reassuring as EU-wide protection sounds for individuals, implementing it at the company level is a whole other story. This is especially true if, like a recruitment agency, personal data is your core business: almost every area of the company falls under the regulation. There are some steps you can take to make the transition to GDPR systematic, and we have summarized them for you below!
TO-DO LIST:
1- Educate yourself and your office
This means making sure that everyone in your company knows the changes that are about to come and can adapt. Two pieces of advice are in order here. The first is to circulate the material so your team can inform themselves: under the GDPR it is your company, as the data controller, and not the individual employee that will be held accountable for a breach of data protection rules!
The second is that you will probably need a dedicated or outsourced person to watch over company-wide compliance. These people are called Data Protection Officers (DPOs). Appointing one is mandatory for some organisations (for example, those whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data) and sensible for the rest. The DPO is your point of contact with the supervisory authority and with the individuals whose data you process.
2- Do system diagnostics
Not in the technical sense; rather, you need to map out exactly how you fall within the scope of the GDPR. Whether it is data collection, data storage or the use of the data, you need to identify every point where you interact with personal information and make sure those areas of the business are covered by the right processes.
Under the GDPR, accountability falls on the company: you will need to be able to demonstrate that you are compliant with the regulation. “The effectiveness of your actions will signal your success in upholding the GDPR principles.” – EDPS, Accountability
3- Fix vulnerabilities
Once the diagnostics are done, you need to take a hard look at your company. Comparing what you do with what you should do will show you where you fall short. Of course, each problem needs to be addressed, but the general advice here is to unify and simplify your processes.
Imagine you have 5 teams of recruiters and each team has its own way of working and storing candidate data; you then have to verify compliance 5 separate times. If instead you have one unified system, you do not need to worry about each team separately. Moreover, if you simplify your processes by cutting out unnecessary steps, there is less room for mistakes.
4- Inform your public
It is not enough to transition to the new ways of doing business. The GDPR also demands that you communicate these changes to every party involved. If you are changing your data, privacy and/or security policy, you need to announce this and provide public sources where the affected parties can inform themselves. – EUGDPR, GDPR Key Changes
Informing your public has more facets, though. Consent is one of the lawful bases for processing under the GDPR, and where you rely on it, it must be freely given, specific, informed and unambiguous for each purpose you use a candidate’s information for; a pre-ticked box or silence does not count. Do not forget to document the candidates’ consent as well, so that you can demonstrate it later!
5- Think about international coverage
“If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.” – ICO, GDPR: 12 Steps to take now
All things considered, once you have set up and automated the right measures to make sure you are compliant at all times, the day-to-day business of recruitment agencies and departments will not change too dramatically. Especially if you have a Data Protection Officer watching over your activity and getting you back on track when you derail, the rest is simply adhering to a high standard of respect for personal information!