4 Things Recruiters Need to Know About GDPR [Guest Blog]


If you haven’t been keeping yourself updated on the latest news, you should know that the GDPR (General Data Protection Regulation) is a set of data compliance regulations that is applicable to all organisations that deal with and handle data owned by residents in the European Union.

This will not just affect EU businesses, but also any organisation from across the world that processes data from the EU.

In other words, this regulation applies to you if you recruit people from the European Union.

The next couple of years are going to be messy for organisations based in the UK.

While the GDPR is expected to be activated on May 25, 2018, the UK is expected to break away from the EU sometime in 2019.

So, while it is still unclear how GDPR will be impacted by Brexit, organisations are still expected to comply with these new regulations when they go live next year.

What do you need to know?

1. Controllers and Processors

The GDPR regulations specifically apply to two separate categories of businesses – controllers and processors.

The Controller is the organization, individual or any other authority that determines the purposes and means of processing of data.

The Processor, on the other hand, is the individual or agency or authority that actually processes this data.

For example:

If you are a business that invites job applications on your website and then makes use of a third party agency to process these applications, then you are a controller while the recruitment agency that processes these applications is the processor.

GDPR is applicable to both you, the organization that is hiring candidates, and the recruitment agency.

2. Protecting personal data.

What constitutes ‘personal data’ when it comes to GDPR?

While the term itself is subjective, the OECD considers personal details like name, address, unique identification numbers, and demographic details (age, sex, income) as personal data.

While this should be obvious, you must also know that any other information that can be tied down to an individual is deemed ‘personal data.’

This includes behavioural information (like your browsing history), social data (your Facebook friends, your Gmail contacts, etc.), user-generated data (videos, photos and Facebook comments) as well as biometric details, personal health history, etc.

Anonymized data is still permissible although the moment any such information is used to infer information about an individual, it falls into the ‘personal data’ category whose proliferation is prohibited by GDPR regulations.

As a recruiter, you are bound to deal extensively with data that is deemed ‘personal’ according to the GDPR guidelines.

It is hence extremely important that prospective applicants provide their explicit approval to be contacted by you in relation to any job openings.

3. Impact on cloud.

Given how widely the cloud has been adopted in recent times, GDPR poses a challenge to organisations that are significantly invested in cloud based tools and processes.

The European Data Protection Board is expected to come up with a certification mechanism that will assist businesses with identifying processor partners that are GDPR compliant.

While this is expected to take some time, it is a good idea in the meantime to move your candidate database to a secure cloud application like Microsoft Office 365 that is hosted within the European Union.

This way, you can ensure data security with partner businesses that are likely to be as ready for GDPR as your organisation is.

4. Gathering data.

From a marketing perspective, the most important piece of regulation comes with recipient consent to solicitation.

GDPR prohibits any sort of marketing communication made to prospects that have not actively consented to receiving these messages.

In other words, it is no longer enough to merely mention in your job opening that candidates that express interest shall receive communication from the recruiters.

Instead, edit your application to include a checkbox that the candidate must physically click to opt in to receive communication from the recruiters via email or phone.

And double opt-in after that too!


In short, becoming GDPR compliant is essentially taking care of a few things: ensuring military-grade encryption and security of the data that applicants provide to you in their application, picking a processor who is equally compliant with respect to data protection, and finally only reaching out to EU residents who have consented to receiving your messages.

What other steps are you taking to be GDPR compliant?

Share your views in the comments below or via Twitter.

A quick word from us.

Firstly, we’d like to say thanks to Ben for giving us a great overview of the new GDPR rules.

We know, it’s not the most exciting of topics, but it is absolutely crucial that you know what you need to do to get yourself prepared. Here are some more resources to help you out with that:

If you’d like to receive regular (weekly) updates on recruitment, HR and business in general, you can subscribe to our blog here.
