On 25th May 2018, businesses in all sectors will have to abide by the General Data Protection Regulation. Fail to do so, and you could face a fine of up to 2% of your global annual turnover or €20 million, whichever is higher.
Non-compliance is simply not worth the risk.
GDPR: What Is It?
GDPR is a new regulatory framework that gives individuals more control over how organisations collect and process their personal data. It provides a uniform template for EU businesses to follow, requiring the full consent of individuals for the data they share.
The Effect on Your Data
Recruiters review and collate a raft of data to profile candidates. From May 2018, candidates will have the right to object to any personal data being processed by recruiters, as well as the right to be forgotten—meaning recruiters will have to delete the personal history of candidates who exercise this right.
Auditing Your Data
A full data audit is the critical first step in GDPR compliance, and most organisations have appointed a Data Protection Officer to lead it. The Data Protection Officer is the single point of contact for identifying ‘at-risk’ areas in your business and for creating a company-wide plan of action to become GDPR-compliant.
Not only must you review the data you currently store, but you must also audit how you collect the information. Explicit consent is the underlying driver of GDPR, so you must have an actual ‘yes’ from the candidate for any data you hold, as well as any data you plan to collect or process in the future.
GDPR requires not only best-practice data collection but also accurate records of how you store data, as well as who you share it with. If you share candidate or reference information with a client, for example, you will need signed consent from the individual before sending personal details to the prospective employer.
Moreover, if you’ve previously shared inaccurate information with a client or third party, you also have the responsibility to alert them to that fact.
The GDPR 5-Point Plan
1. Review your current data collection methods, the data you have on file, and your data-sharing practices. Identify where you must have explicit consent to hold or share data.
2. Centralise your data management policies so both your recruiters and GDPR auditors can clearly understand how your business adheres to GDPR requirements; transparency is key to compliance.
4. Establish a forward-looking data management plan to ensure ongoing compliance. Your Data Protection Officer should take responsibility for all future checks and balances.
5. Coordinate security checks and have policies in place should a data breach occur. Under GDPR, if data is compromised, you have a responsibility to alert the ICO. Plan ahead, so that you can uncover and rectify any breach in the shortest possible timeframe.
GDPR is about proving you have taken all the necessary steps to protect the public’s privacy. Map out your processes, keep detailed records of data collection methods, and be sure you can prove your due diligence should an auditor come knocking.