Come May, global privacy law is going to experience a disruption like never before in the form of a new law soon to be implemented by the European Union — General Data Protection Regulation (GDPR).
What is General Data Protection Regulation (GDPR)?
General Data Protection Regulation, or GDPR, is a privacy and data-handling law passed by the European Union to protect the data of all EU residents and to make it easier for organizations to understand and comply with data protection rules. Although officially adopted in 2016 (Read - History of GDPR), GDPR only takes effect on May 25, 2018, giving member states time to prepare for compliance.
Organizations across the world are preparing their data handling processes to comply with these new rules, and so must you. Even if you do not have a location in the EU, if you handle the personal data of any EU citizen, you will need to comply with GDPR or risk hefty fines — up to 4% of your company's annual revenue or up to €20 million, whichever is higher!
With a fine that substantial, companies are scrambling to change the way data has been handled in the past. Data is the most significant asset of recruitment agencies. Based on this valuable data, recruiters make strategic decisions when placing important hires. Effective strategies built on the successful collection, analysis, and management of data are what make recruitment agencies prosper. With GDPR in effect, this data handling, which is crucial to all recruitment agencies, will be constrained. However, agencies that keep abreast of these new developments by adopting GDPR-compliant policies and practices and implementing them effectively will find that compliance becomes a key differentiator.
One of the most significant changes a recruiter or recruitment agency will need to adopt is transparency with the candidate about how personal data is collected, stored, and used.
Here are a few points to keep in mind:
Explicit and clear consent
Clear and explicit consent forms the basis of GDPR. If in the past you have not been transparent with your candidates about how you collect, store, and handle their personal data, you will need to change your ways. Under the GDPR guidelines, you are required to obtain explicit consent from the candidate before using their personal data, while ensuring its safety and security.
Implied consent is not enough
Job boards that typically rely on implied consent in the form of lengthy and arduous terms and conditions, which hardly anyone reads, will have to find another way to obtain consent. Personal data received on that basis can no longer be shared. (Also Read - Unravelling GDPR for Job boards)
Proof of compliance, in the form of a paper trail, needs to be filed safely and securely for future reference. With such a sizeable fine at stake, it is entirely the organization's responsibility to keep these records accessible.
How GDPR impacts HR and talent acquisition
The increasingly digital landscape that now dominates recruitment processes has created the need for laws that protect the personal information of employees from the European Union. Some of the effects this new regulation will have on how organizations collect, store, and use data are as follows:
Data only on need-basis
Under GDPR, an organization is legally bound to delete a candidate's data if he/she is not selected, unless the candidate has given explicit consent to retain it. Hence, organizations can only request the data of potential employees when it is necessary. This requires critical and thorough scrutiny of a candidate's application so that the recruiter can decide whether or not to shortlist the candidate. Even current employees' data can be kept only with explicit consent and for a very good reason. Personal data that is not relevant to the individual's role in the company, such as a driver's license or marital status, can therefore no longer be freely held by the organization. This regulation also has a significant impact on the offboarding process, as the organization is legally bound to delete a former employee's data within a short span of time.
Data only for the intended purpose
An organization's ability to maintain a talent pool is greatly affected by GDPR because, under one of its rules, data can be collected and stored with explicit consent only for a pre-stated purpose. Thus, if an organization is accepting applications for a particular role, the candidates who share their personal information can only be considered for that role. Their profiles cannot, for instance, be placed in a talent pool to be considered for another role they may be more suited to. If the recruiter realizes that the candidate would be a better fit for a different role, he/she needs to obtain explicit permission from the candidate before sharing the profile for that role.
Data protection is critical
The most crucial aspect of this law is data protection. Data must be stored safely and securely, in a well-organized manner, with limited and conditional access. This means close collaboration with the IT team to ensure that data is securely stored and can be retrieved only by those with authorized access. Make sure that whoever handles candidate or employee data is aware of all the rules that fall under the purview of GDPR. If data needs to be shared externally (with explicit permission, of course), a detailed contract needs to be drawn up and signed that explicitly states the terms covering every aspect of data handling by the third party; at the end of the contract, the data needs to be deleted to comply with GDPR. For this reason, it is of utmost importance to ensure that any service provider entrusted with this valuable data is also GDPR compliant.
GDPR impact on HR, a boon or a bane?
While all this talk of security measures and hefty fines surrounding GDPR may not sound too positive, this article sheds some light on how the future of recruitment may not be as bleak as most believe.
According to market research, an alarming percentage (almost 50%) of security breaches are caused by a careless employee! These mistakes can cost the company financially, and its reputation can suffer irreparable damage. To reduce the occurrence of data privacy breaches, companies will be required to educate their employees about handling data safely and securely, and to adopt technology that safeguards data by restricting access. To avoid the risk of sensitive data falling into the hands of unauthorized service providers or data thieves, organizations are encrypting data when they store it.
The centralized format of data storage that GDPR requires also ensures that sensitive data is not stored on local drives or in individual applications, minimizing the chances of unauthorized access or misuse. Companies that have experienced changes in management more often than they would like also strongly advocate a centralized system for data storage and access. It mitigates the risk of data duplication and unauthorized access by providing a single platform on which to manage the data.
Data portability is another key feature of GDPR. Under it, data subjects (whether candidates or employees) have the right to obtain and reuse their data for their own purposes across service providers. This prevents lock-in with a particular service provider and empowers data subjects to switch providers if they wish.
Fortune favors the brave
With the implementation of GDPR, businesses are having to move to a more data-driven and, as a result, more customer-centric model of doing business. Smaller recruitment establishments that do not handle highly complex data will find this transition fairly smooth. The bigger agencies, on the other hand, will find it arduous, as they handle extensive data in myriad complex ways. To ease the transition, these firms will need to start making the necessary changes now to ensure that all their processes are GDPR compliant. While there are plenty of reasons to feel overwhelmed by the GDPR-related developments, recruiters who stay up to date with them and adapt their processes to the new norms are sure to rise above their competition.