GDPR goes into effect May 25. Will you be ready?
GDPR is right around the corner, but it’s still not too late to get a jump on things! Here’s a recap of what you need to know and what you should be doing to ensure your TA team is in compliance.
GDPR – A Brief Overview
The General Data Protection Regulation (GDPR) is a new set of European Union (EU) data privacy rules designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations approach data privacy. It intends to put more control into the hands of EU citizens over how their data is collected, stored, processed and transferred to third parties.
What should I be paying attention to?
The GDPR regulations are all about protecting how an individual’s data is being used. Therefore, recruiting and Talent Acquisition teams should pay close attention to the following:
- Consent - Data subjects must be presented with clear, specific, and concise descriptions of how their data will be used.
- Right to Access - Data subjects have the right to obtain confirmation about whether personal data concerning them is being processed, where and for what purpose.
- Right to be Forgotten - Data subjects have the right to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data Portability - Data subjects have the right to receive the personal data concerning them in electronic format, so they can transfer it to another provider.
- Privacy by Design - Data handling systems must incorporate data protection and privacy controls from the outset. Access to data is limited to only those individuals who need to carry out the processing of the data.
- Penalties - There are substantial penalties for non-compliance: up to 4% of revenue or €20 million (whichever is higher).
Under GDPR, unless you have a lawful basis you are not permitted to collect or process personal information at all. In the recruitment space this means you need either Legitimate Interest or Direct Consent. But even sending an opt-in email counts as processing, so you need a lawful basis such as Legitimate Interest merely to contact a candidate.
Is it too late? Where do I start?
It’s not too late to start developing and implementing your GDPR compliance strategy. While the regulations can seem daunting, they’re essentially a set of fairly straightforward guidelines around disclosure, consent, transparency, secure handling, and end user choice. That being said, you don’t want to be caught off guard. Here are a few things you should do to protect your TA team and your company:
- Assume you’re impacted. If you work for a global company, handle recruiting of EU citizens, or even have EU-localized content as part of your recruitment marketing strategy, you probably are.
- Read the regulations. Overlay your recruitment and talent acquisition processes against the GDPR regulations. Look at candidate data and targeted countries. Educate your teams. Look at sites and content. If you have a Data Protection Office or Individual, reach out for guidance.
- Review Disclosure and Consent Mechanisms. Be clear about what you will use candidates’ data for and whether you will share it with any third parties. Remember, consent must be “freely given, specific, informed, and unambiguous.”
- Review Candidate Touchpoints. Consider all your touchpoints for candidate engagement and how you are disclosing intent to market / engage / use their data.
- Data Scrubbing. Make sure your targeting and candidate databases are current, and that campaigns are accurately targeted. Consider initiatives to re-engage with your talent pool ahead of GDPR to nurture the relationship, giving candidates opportunities to opt in to new and future content (with GDPR-compliant consent statements).
- Vet Your Third Parties & Vendors for GDPR Compliance. Under GDPR, you’re not only liable for your own data processing and handling, but also for that of your third-party service providers and vendors.
- Data Protection. Encrypt the data, restrict access, protect your machines and data centers, etc. If you already have controls in place for PCI, ISO 27001, NIST, etc., you are likely in compliance, but verify.
- Professional Assessment. Start with an internal assessment and work on tackling all the foundational items and obvious changes that need to be made. Then call in the experts for a final review and assessment.
It’s a lot to wrap your head around, but the above guidelines will get you started in the right direction. And remember, it’s always better to consult with an expert if you have any questions or concerns!