Whilst the message surrounding the General Data Protection Regulation (GDPR) has been associated with legal compliance and risk mitigation, we believe that, viewed through a slightly more positive lens, employers can use the change to create competitive advantage in their quest to attract and retain the very best and inclusive talent.
These are the thoughts and takeaways from a Resourcing Think Tank held on Thursday 26th April, co-hosted by Nicky Bizzell (Interim Head of Recruitment at Dentons) and Hugh Fordham (CEO at Hollaroo). This Think Tank sought to discuss the topic of “GDPR as a Candidate Opportunity”, whilst covering off:
- Leveraging the regulation to increase your function’s investment
- Key areas for consideration to ensure you’re compliant
- The dreaded deadline of 25th May and what lies beyond.
The Background on GDPR
As the deadline for GDPR fast approaches, after what feels like two years of having the acronym thrust into our inboxes and splashed across our industry publications, it is worth remembering that the first draft of the regulation was actually published back in 2012. Whilst GDPR is noted as being the most heavily lobbied piece of legislation to go through Europe, a lot of the core principles aren’t actually that far removed from the existing data regulations we are all currently expected to adhere to (with regard to data retention, notice, data hygiene etc.).
GDPR sets out to introduce a new level of sophistication to data protection. Put simply, when it comes to protecting data, yesterday’s ‘gold star best practice’ will be tomorrow’s ‘minimum standard of legal requirement’ come 25th May.
We’ve all experienced a degree of scaremongering around the consequences of not complying with the regulation, and whilst the regulators are standing firm when it comes to issuing penalties for breaching the GDPR, we are predicting a level of pragmatism from the ICO when it comes to enforcement.
We would expect top-level fines to be reserved for businesses that have blatantly ignored the regulation and dramatically gone against its key principles. Whilst there’s no formal grace period once the regulation is live, we would urge people not to panic! It’s important to remember that the 25th May is a starting date, not a finish date.
However, it is critical to get key building blocks in place to understand your ‘GDPR road map’ moving forward, and how you will demonstrate compliance from an accountability standpoint.
Seeking out Positive Opportunities
GDPR shouldn’t simply be viewed as a new piece of legislation. It should be viewed as a business process or change programme that is understood and accepted by the business as the right and only thing to do. It provides us with a unique opportunity to get our ‘house in order’ and use some of the legislation’s requirements as a point of differentiation. Additionally, it provides us with the ideal opportunity to lobby senior business stakeholders to take Recruitment and HR seriously and support funding requests for technology, process design and learning.
The key thing to try and focus on is that GDPR is a good thing!
In simplistic terms, it’s asking us to be transparent with our candidates; giving them insight into what we do with their data, how we do it, when we do it and why we do it.
It requires us to tailor the candidate’s experience so it’s more relevant and timely for them; the candidate should be driving the level of engagement, not the recruiter. Viewing the recruitment process through two separate lenses will ensure you choose the best approach for determining and gaining consent. There is no ‘one size fits all’ as many of your providers appear to be telling you!
It helps us hold our suppliers to account and reduce unsolicited sharing of candidate data / CVs. It also provides Resourcing with a business case to increase investment into our functions by communicating the risk of failing to comply. GDPR should be viewed as a great way to encourage high standards and compliance from our suppliers, and provides an opportunity to raise our industry’s standards once and for all.
What must we have done by 25th May 2018?
GDPR is a lengthy piece of legislation with many components requiring attention and action.
However, if you’re unsure about what needs to be done ahead of the enforcement deadline, Hollaroo would recommend addressing the three items below:
- Make sure your Privacy Policies are up to date on your website and are GDPR compliant
- Ensure internal stakeholders are aware and bought into the importance of GDPR and if possible source a senior internal champion to help ‘land’ your message with the wider employee population
- Start telling people (data subjects) if you’re holding their data and what you are doing with it!
Areas for Consideration
Data Subject Rights – What is our approach for responding to a request from a data subject? We need to be clear on what our policies entail and who takes responsibility for documenting and responding to requests.
Privacy by Default – Unless an individual is making an active choice to share data with us, then by default personal data should not be stored or shared without the individual’s consent! It’s important to remember that just because information is publicly available it doesn’t mean it’s free for us to store and process – a potential stumbling block for organisations that undertake a lot of market mapping.
Data Retention – Typically most businesses agree on a period of data retention of 6-12 months for candidate data (such as CVs). However, specific timelines aren’t definitive under GDPR so you must be able to evidence your rationale around why you’re storing data for your specified timeline. What’s key is to inform the candidate that you will be retaining their data and for what purposes upon their registration or job application. It’s also highly advisable to store CVs and candidate data in one central place (outside of ‘shared drives’ and inboxes) where retention strategies can be managed and enforced effectively. It’s also worth noting that where there is limited interaction with a candidate, they might not be aware that their data is in your control, so refreshing their consent is advisable.
Obtaining Consent – Whilst the updated regulations around e-marketing aren’t expected to come into force until the end of 2018, it’s still important to adhere to an ‘opt in’ approach for ensuring you’re GDPR compliant when it comes to contacting individuals whose data you hold. What’s more, a data subject’s consent isn’t finite and should be refreshed to ensure they are happy for you to continue to process their data and send them marketing-related communication (such as job alerts). The end of the ‘relationship’ between you and the candidate should be controlled by them, whereby it’s as easy for them to withdraw their consent as it was to give it in the first place (freely given and freely taken away).
Internal Training – Training relevant employees on the importance of GDPR and your expectations of them from a compliance perspective is paramount. Employees need to be aware of the implications of breaching GDPR and understand how they should respond to inbound candidate queries, even if it’s simply a question of alerting a DPO.
Employee Data – Processing employee data is a totally separate beast to processing and storing candidate data. A business’s relationship with this type of data will generally fall under the basis of an employment contract, meaning there’s a legitimate reason to process the data because of a legal obligation; as such, you are GDPR compliant (in theory!).
Steps for the Future
GDPR compliance will be an evolving concept that needs to be reviewed regularly. As previously mentioned, the 25th May is a starting point, not the finish line.
Following the steps below will help ensure you’re compliant:
- Launch an internal communications campaign, with senior buy-in, to ensure hiring managers understand the risks and their responsibilities
- Focus on public touch-points, and keep the message simple by dealing with active applicants rather than passive candidates.
- Sort out your biggest risks; typically where you are processing people’s data without their knowledge (employee referrals, market maps, speculative agency submissions).
Going forward it’s important to consider the concept of ‘Privacy by Design’ in all decisions involving individuals’ data, such as purchasing new software or developing processes around candidate selection. The final point to remember is that GDPR doesn’t trump other legislation; it’s to be used in conjunction with other laws and regulations, with its primary objective centred around protecting an individual’s data and giving them more control over what’s done with it.
Image source – Created by Macrovector – Freepik.com