Are you tired of GDPR?
Well, with only 30 days to go it’s coming soon, so what actually needs to be done to be GDPR compliant when it comes to recruitment?
I asked Dan Kirkland, Director of ATS supplier Tribepad to write a guest blog for us explaining what actually needs to be done.
GDPR, what needs to be done when it comes to Recruitment?
Seriously, why are so many people worried about GDPR (the General Data Protection Regulation)? Here’s a tip: only people who weren’t compliant with the existing Data Protection Act (DPA) regulations should be really concerned. If you are compliant with the DPA then you’re nearly over the line already, so this doesn’t need to be too painful an exercise!
Yes, there are a few new things that you may need to implement and review but you are definitely not starting from zero.
If you haven’t yet got your head around GDPR then you still have time – but you don’t have long, so start now. GDPR comes into force on May 25th 2018, just over a month’s time, so read on and get a good overview to get yourself on track.
In the context of candidate data and recruitment, the main GDPR tenets are that your candidates have the right to:
- be informed that their details are stored on your system, and for how long;
- consent for their data to be stored and/or processed by your system;
- know why you are requesting, storing, and/or processing their information;
- know who will have access to their data (staff, countries, and third-parties);
- access the information that is stored on your system;
- have any incorrect information about them on your system corrected;
- have their data removed from your system;
- restrict the processing that you do with their data on your system;
- download their information in a standard format (e.g. a CV);
- be informed of any automated decision making and profiling that your system may do with regard to the candidate’s information.
1) Data we are going to collect from you
2) Why we need to collect this data
3) How long we are going to keep the data for
4) How you can see any data we hold
5) How you can change and correct any data we hold
6) How you can delete any data we hold
7) Who will have access to your data
8) What countries your data will be available in
9) What third parties we will share the data with
10) What automated decision making we will do based on your data
11) Other things we may do with your data
Gaining Explicit Opt-In
Taking ‘reasonable’ care
You also need to take “reasonable” care of the data you are collecting, especially if you are collecting sensitive data like name, address, telephone number, email address (normally contained in a CV), national insurance details, equal opportunities / diversity information, bank details, card details (you should already be PCI compliant if you collect card data), and potentially even their IP address. Where possible, make sure the data is encrypted, and if you are sharing with any third parties then make sure they are also GDPR compliant and that the candidate knows their data can be shared with a third party and for what purpose. If a third party breaches GDPR then you may still be liable, so only share with parties you are confident will be compliant.
That’s about it, see it’s simple really.
To summarise, what 4 things should you do in the next month to get on top of GDPR?
- If you do share data, make sure it’s only with trusted third parties and for a purpose the candidate has agreed to explicitly.
GDPR doesn’t need to be such a headache. These 4 simple steps will be enough to at least cover you until the law is defined further through case law, and you will certainly be acting within the spirit of the law by doing your best to protect candidates’ personal data and only using it for what they have agreed you may use it for. This is what these regulations are all about.
Feel free to contact me if you have any further questions about GDPR or how Tribepad is helping its customers with compliance, or the guys at staff-finda, who are also working to help make in-house recruiters’ lives easier when it comes to GDPR.