Unless you’ve been living in a bunker for the last few months you will now be fully aware that the General Data Protection Regulation (GDPR) becomes enforceable law in less than a week on 25th May 2018. Panic is now well and truly beginning to set in and there are still many organisations that are unsure about their obligations. There is no ‘one size fits all’ approach so it is important to consider the specifics of your own organisation and industry and prepare accordingly.
This article is going to focus on the recruitment industry. Recruitment agencies deal with personal data at the very heart of their operations – think candidates, CVs et al! However, it’s a useful checklist for any organisation that is still “feeling their way” with the new data protection laws in the UK and Europe.
The golden rules with GDPR are as follows:
1) Anything you do with personal data is processing.
2) Personal data is anything that identifies, or could be used to identify, a living person.
3) Assume that any processing is unlawful until you have identified a lawful basis for it.
4) Work backwards from that assumption and document your lawful pathway to processing the personal data.
Once GDPR is in force, an agency will need a lawful basis for collecting, using and storing the personal data of job seekers who register with it. In practice that means either obtaining specific, opt-in consent from the candidate or being able to demonstrate a legitimate interest (processing that is necessary to perform a contract with the candidate can also apply). Candidates will have stronger rights because they are ‘data subjects’, which means that they can:
- Object to the processing of their data for profiling purposes
- Ask for their data to be corrected
- Ask for their data to be erased.
It is your responsibility to ensure that your business is adhering to the GDPR rules, and the ICO has the power to fine any organisation in breach up to €20 million or 4% of global annual turnover – whichever is higher. The ICO always emphasises ‘accountability’ and ‘transparency’ in relation to GDPR. What this means is that you need to be able to demonstrate the steps that you’ve taken to comply with the rules, and you need to be honest and fair in all your dealings with data subjects so that they understand the type of personal data that you are collecting about them, how you are using it and how you are keeping it safe.
If you’re not prepared, don’t panic – follow a logical approach and focus on the most important elements first.
Step One: Understand the basics
Read a good quality GDPR guide! You need to make sure that you, and your agency colleagues all understand your obligations under GDPR. Next, appoint one person to become your responsible person for data protection. This person should start to compile an action plan to set your agency on the path to compliance.
Step Two: Data Mappings
Think about the candidates’ journey through your agency. You need to think about how they initially provide their information (emailing in a CV, for example) and how your existing systems then store that information. This includes shared folders such as OneDrive, Excel lists, databases, website registrations, event lists, timesheets, and billing and invoicing records.
Detail all the personal data that you store, record where it came from, and whom you intend to share it with. You need to name these organisations specifically; you can’t just be vague and say ‘third parties’. One of the key principles of GDPR is accountability, meaning you must be able to show how your agency complies with the updated data protection principles. So you’ll be assessed on how effective your policies and procedures are in upholding GDPR requirements.
It’s important to note that there isn’t a simple tick box or a specific system that you can purchase to get a ‘GDPR compliant’ badge. GDPR is all about proving good practice and doing everything you can to provide transparency around how you handle and process personal data.
Once you’ve mapped out your data processes and identified any areas you need to improve, you’ll be on the right track.
Step Three: Privacy Notice
The next step is to develop your data map into a coherent, GDPR-friendly set of candidate-facing terms and conditions which detail how you intend to process their personal data. Make sure this includes:
- The data that you store about your candidates
- How you store the information, where you store it and why you store it
- How long you intend to keep it for
- The rights that your candidates have to access their personal information
- The candidates’ right to erasure
GDPR requires you to write this updated privacy document clearly, concisely and in simple terms that are easy to understand. It must be readily available at any point where you collect personal data.
Step Four: Data Protection Policy
If you’re currently compliant with the old Data Protection Act, then you shouldn’t have much to worry about here. But you should still review your data policies with the new GDPR/DPA 2018 requirements in mind, because GDPR has strengthened the rights of data subjects and is a Regulation, which means it applies directly in every member state and is more powerful in legal terms than the old Directive, which each country had to implement through its own legislation. The EU often introduces a Regulation where a Directive has produced inconsistent results across member states.
Step Five: Stepping into the Breach!
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data – for example a lost laptop holding CVs or a mis-addressed email containing a candidate list. If the worst happens, you must notify the ICO within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the people affected; where the risk to candidates is high, you must also tell them without undue delay. Even breaches you decide not to report must be recorded in an internal breach log, so you need to ensure that you have the right processes in place to detect, report, investigate and document them. The ICO will look more favourably on organisations that admit their mistakes, are honest and report them. It will not be in the least bit lenient with organisations that attempt to cover their mistakes up.
In summary, you need to be prepared for a dramatic shift in the way you engage with candidates, develop some rigorous new GDPR policies and procedures, and place the safeguarding of your candidates’ data at the heart of your organisation.
There are many elements to think about with regard to GDPR. The good news is that organisations that comply will reap the benefits in terms of enhanced respect and reputation and better quality data. This article can only scratch the surface and give some key highlights, so if you’re really unprepared for GDPR you would be wise to bring in specialist consultancy or legal advice.