You’ve seen a recent flurry of emails advertising webinars related to GDPR. You’ve seen sessions popping up at HR conferences discussing GDPR and its implications. And chances are you’ve had more than one vendor reach out offering some sort of GDPR readiness assessment, training, or services.
So what is all this GDPR stuff about anyway? And what is this about a May 2018 deadline? Do you need to worry about it?
Truth is, it depends. It depends on your talent marketing strategy. It depends on your target candidate audience. It depends on your business. And it depends on your talent acquisition systems.
Let’s start with an overview of GDPR, then we’ll dive into the implications in our GDPR Part 2 blog.
So What is GDPR?
The General Data Protection Regulation (GDPR) is a vast new set of European Union (EU) data privacy rules designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations approach data privacy for EU citizens. It intends to give EU citizens more control over how their data is collected, stored, processed and transferred to third parties.
In many ways GDPR builds upon the same foundational principles as previous EU regulations. If you’re familiar with those regulations and already have controls and capabilities in place to support things like the EU-US Privacy Shield, those controls can be a good starting point towards GDPR compliance. GDPR is an evolutionary step toward better-defined controls, more control for data subjects, and stiffer penalties for non-compliance.
The regulations are often generic in nature and are still being interpreted. There is no black and white guide to compliance. Currently, many “working groups” in the EU are hard at work trying to interpret the numerous GDPR regulations, clarify any ambiguity, and distill them into the actions and controls that should be put in place in order to become compliant.
What are some of the Key Concepts of GDPR?
The GDPR regulations are all developed to safeguard the privacy and data rights of EU citizens, with specific controls put in place to provide data subjects with a high level of transparency, consent, and control as to how their personal data is handled. Recruiting and Talent Acquisition teams should be aware of the following concepts:
- Consent - Data subjects must be presented with clear, specific, and concise descriptions of how their data will be used. Emphasis is placed on the use of clear and plain English. Think of a smartphone app with simple, specific bulleted permissions being granted vs. a traditional software license agreement full of legal verbiage and ambiguity.
- Right to Access - Under GDPR, data subjects have the right to obtain confirmation as to whether or not personal data concerning them is being processed, and if so, where and for what purpose.
- Right to be Forgotten (i.e., Data Erasure) - Data subjects have the right to have their personal data erased, to have further dissemination of the data cease, and potentially to have third parties halt processing of the data.
- Data Portability - Data subjects have the right to receive the personal data concerning them in electronic format for the purpose of transferring it to another provider.
- Privacy by Design - Requires data handling systems to incorporate data protection and privacy controls from the outset, rather than as an addition later. It also deals with limiting access to personal data to only those individuals who need to carry out the processing of that data.
- Penalties - The most highly publicized focal point of GDPR is the creation of substantial black and white penalties for non-compliance. Whereas former regulations outlined paths towards litigation and enforcement, GDPR makes such penalties and consequences far more direct and serious.
Does GDPR Apply to Me?
The biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. Previous data privacy regulations in Europe were more vague and open to interpretation for companies located outside of Europe.
With GDPR, any company is in scope that:
- Handles personally identifiable data on an EU citizen (collected while the citizen is in the EU), regardless of whether or not it is an EU-based company.
- Targets EU citizens with marketing campaigns and media (e.g., job or employer marketing campaigns) with the intention of collecting data.
- Provides services or websites localized to target EU citizens (e.g., a career site with language localization, content localization, or a site that offers payment options in local currency).
No financial transaction needs to occur for GDPR to apply to your business. Consider this carefully when targeting passive candidates with email marketing campaigns, collecting active candidates in your talent pool, or connecting with candidates at your next virtual recruiting event.
Why should I care?
- Fines. Serious fines. Non-compliance can cost you up to 4% of revenue or €20 million (whichever is higher).
- Additional liability due to data protection claims from data subjects.
- Possible reputational damage due to non-compliance.
With GDPR, data privacy becomes table stakes, not just a nice-to-have. For many businesses, the threat of insolvency or even closure as a result of GDPR penalties will soon be very real, due to the significant size of the fines and the increased clarity and frequency with which they can be levied. This makes reviewing your recruitment marketing and talent acquisition processes for GDPR compliance essential.
How much time do I have?
The GDPR was approved by the EU Parliament on 14 April 2016. It was entered into record around a month later, with a two-year grace period before enforcement goes into effect. This makes the enforcement date May 25, 2018, at which point organizations that are not in compliance can begin to face penalties and fines.
Yep. May 25, 2018. Less than 6 months out!
But all is not lost. Check back here for our GDPR Part 2 blog post where we’ll break down some actionable items and next steps you can take to start moving towards GDPR compliance.