The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, but the question is, is your organisation ready for it? The aim of the GDPR is to give EU citizens more control over their personal information when it is in the hands of an organisation. It is highly likely that your organisation will be affected as the GDPR applies to any organisation that offers goods or services (even free ones) or observes the behaviour of EU citizens. If you want your recruiting to carry on as normal from May 2018, you need to take steps now to ensure that your organisation is compliant.
How can you ensure that your organisation is compliant?
It would be easy to panic about the GDPR, but as long as you have processes in place to comply with the existing Data Protection Act, you will be well set up to be compliant in May 2018. It is important to note that organisations will not only have to be compliant come May 2018, but will also have to demonstrate continuous compliance. A failure to comply could mean, at worst, a fine of up to 4% of annual turnover or 20 million Euros. To be compliant with the GDPR, your organisation will need to have:
- Governance practices in place
- Communication processes
- Risk controls for maintaining compliance
Will this impact your recruiting?
· Data management – In order to monitor how data is being collected, stored and used, you will need to store all candidate and client data in one place. You will also need to be able to provide an audit trail for the GDPR. From initial candidate contact, you will have to show how their data was collected, what form of consent was given for use of that data and ultimately how it was used.
· Process – It would be helpful to map out your current processes for data collection and processing, as this will give you a clear idea of what needs to change to be GDPR compliant. Under GDPR it will be less appropriate to speculatively contact a job seeker who has posted their CV on a job board, so you should wait for the candidate’s permission before using details from their CV.
· Documentation – All documentation must be clear; for example, any documents used in the induction of candidates must seek consent and specify how their data will be used. Giving consent for your data to be collected and processed should be unbundled from other terms and conditions, as under the GDPR people should be able to withdraw consent without detriment.
· Right to withdraw – GDPR states that a person should have the right to withdraw consent at any time. It should be as easy to withdraw it as it was for the data subject to give it. The person giving the data must be informed of their right prior to giving consent. You need to act on withdrawal requests immediately.
Is GDPR the end of recruiting as we know it?
No, definitely not, provided your organisation reviews its current processes and puts the relevant processes in place, with individuals in roles such as Data Protection Officer to oversee them. It may seem like a lot of extra work now, but it will be worth it to ensure that you are GDPR compliant, therefore avoiding a hefty fine! Take action now and early next year you’ll be watching others scrabble around to put processes in place, whilst those perfect candidates roll through your doors.