Are you tired of GDPR?

Well, with only 30 days to go it’s coming soon, so what actually needs to be done to be GDPR compliant when it comes to recruitment?

I asked Dan Kirkland, Director of ATS supplier Tribepad to write a guest blog for us explaining what actually needs to be done.

GDPR, what needs to be done when it comes to Recruitment?

Seriously, why are so many people worried about GDPR (the General Data Protection Regulation)? Here’s a tip: only people who weren’t compliant with the existing Data Protection Act (DPA) should really be concerned. If you are compliant with the DPA then you’re nearly over the line already, so this doesn’t need to be too painful an exercise!

Yes, there are a few new things that you may need to implement and review but you are definitely not starting from zero.

If you haven’t yet got your head around GDPR then you still have time – but you don’t have long so start now. GDPR comes into force on May 25th 2018 – just over a month’s time, so read on and get a good overview to get yourself on track.

In the context of candidate data and recruitment, the main GDPR tenets are that your candidates have the right to:

  • be informed that their details are stored on your system, and for how long;
  • consent for their data to be stored and/or processed by your system;
  • know why you are requesting, storing, and/or processing their information;
  • know who will have access to their data (staff, countries, and third-parties);
  • access the information that is stored on your system;
  • have any incorrect information about them on your system corrected;
  • have their data removed from your system;
  • restrict the processing that you do with their data on your system;
  • download their information in a standard format (e.g. a CV);
  • be informed of any automated decision making and profiling that your system may do with regard to the candidate’s information.

Most of this can be covered in your privacy policy! It’s about informing the candidate and providing full transparency, so they are fully aware of what you are going to do with their data, and why, before they give you their life details!

11 Headings to consider for your Privacy Policy

1) Data we are going to collect from you
2) Why we need to collect this data
3) How long we are going to keep the data for
4) How you can see any data we hold
5) How you can change and correct any data we hold
6) How you can delete any data we hold
7) Who will have access to your data
8) What countries your data will be available in
9) What third parties we will share the data with
10) What automated decision making we will do based on your data
11) Other things we may do with your data

See! The privacy policy wasn’t all that hard, was it?

Gaining Explicit Opt-In

Another key element of GDPR is gaining an explicit opt-in from a candidate, rather than automatically opting users in to things you want them opted in to, such as newsletters, future job opportunities or any other marketing activity. You can’t have a tick box pre-ticked to opt someone in to something; the tick box must be unticked so that the candidate makes a conscious choice. This means that candidates applying for jobs through your careers page, for example, will need a tick box or some other form of acknowledgment that they are aware of how their data will be stored and used when applying for a role, and that they accept the new privacy policy and T&Cs.
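One way to enforce this on the server side, as an added example that is not part of the original post or of Tribepad’s product: consent for a purpose is recorded only when the form carries an explicit affirmative value, a missing or non-affirmative field counts as “no”, and the policy version and time are kept so you can later show what the candidate actually agreed to. The field names, purposes and policy version are assumptions for illustration.

```python
"""Explicit opt-in handling for a careers-page application form.

Added example, not the post's or Tribepad's code. Assumes the form posts one
checkbox field per purpose; the field names and policy version are invented."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical version label of the privacy policy shown on the form.
POLICY_VERSION = "2018-05"

# Each purpose gets its own unticked box; nothing is implied from another box.
REQUIRED_PURPOSES = {"privacy_policy_ack"}        # needed to process the application
OPTIONAL_PURPOSES = {"job_alerts", "newsletter"}  # marketing-style extras

# Only these submitted values count as an affirmative, conscious choice.
AFFIRMATIVE = {"on", "true", "yes", "1"}


@dataclass
class ConsentRecord:
    candidate_id: str
    policy_version: str
    recorded_at: str
    granted: dict = field(default_factory=dict)  # purpose -> True/False


def _explicit_yes(form: dict, name: str) -> bool:
    # A missing field or any non-affirmative value is "no"; never default to yes.
    return str(form.get(name, "")).strip().lower() in AFFIRMATIVE


def record_consent(candidate_id: str, form: dict, now=None) -> ConsentRecord:
    """Build a consent record from a posted form.

    Raises ValueError when the mandatory acknowledgement is absent, so an
    application is never stored on the strength of an implied opt-in."""
    if not all(_explicit_yes(form, p) for p in REQUIRED_PURPOSES):
        raise ValueError("privacy policy and T&Cs must be explicitly acknowledged")
    ts = (now or datetime.now(timezone.utc)).isoformat()
    granted = {p: _explicit_yes(form, p) for p in REQUIRED_PURPOSES | OPTIONAL_PURPOSES}
    return ConsentRecord(candidate_id, POLICY_VERSION, ts, granted)


def render_checkbox(name: str, label: str) -> str:
    """HTML for one opt-in box; deliberately never emits the `checked` attribute."""
    return f'<label><input type="checkbox" name="{name}" value="on"> {label}</label>'
```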

Taking ‘reasonable’ care

You also need to take “reasonable” care of the data you are collecting, especially if you are collecting sensitive data like name, address, telephone number, email address (normally contained in a CV), national insurance details, equal opportunities / diversity information, bank details, card details (you should already be PCI compliant if you collect card data), and potentially even their IP address. Where possible, make sure the data is encrypted, and if you are sharing with any third parties then make sure they are also GDPR compliant and that the candidate knows their data can be shared with a third party and for what purpose. If a third party breaches GDPR then you may still be liable, so only share with parties you are confident will be compliant.

That’s about it; see, it’s simple really.

To summarise, what 4 things should you do in the next month to get on top of GDPR?

  1. Review your current Privacy Policy and any T&C’s for candidates
  2. Set up a method for candidates to acknowledge your privacy policy and T&C’s. This must be a manual exercise without pre-population.
  3. Store candidate information securely and don’t share this for any reasons other than those highlighted in your privacy policy or T&C’s.
  4. If you do share data make sure it’s only with trusted 3rd parties and for a purpose the candidate has agreed to explicitly.

GDPR doesn’t need to be such a headache. These 4 simple steps will be enough to at least cover you until the law is defined further through case law, and you will certainly be acting within the spirit of the law by doing your best to protect candidates’ personal data and only using it for what they have agreed you can use it for. This is what these regulations are all about.

Feel free to contact me if you have any further questions about GDPR or how Tribepad is helping its customers with compliance, or the guys at staff-finda, who are also working to make in-house recruiters’ lives easier when it comes to GDPR.