The EU’s newest data privacy law, the General Data Protection Regulation (GDPR), will be enforced as of May 25th, 2018, leaving many recruiters and HR leaders with a sense of dread.
This is the most comprehensive regulation since the Data Protection Act of 1998, and non-compliance can result in fines of up to €20 million or 4% of global annual turnover. Ouch! 😱
Any business holding personal data on prospects, customers or employees based within the EU must comply with the GDPR. So yes, you need to be ready. But you don’t need to panic.
At Breezy, we like to geek out on data security regs (so you don’t have to). Here are some practical tips to help you protect your business and get GDPR-ready.
The GDPR breaks down into five key principles. Let’s start at the top with ‘Principle 1: Fair and Lawful, With Transparency’.
In other words, regulators expect employers to keep it 💯 with respect to data privacy.
Gone are the days of burying data privacy clauses deep within jargon-filled employment contracts. Regulators want to see that you’re only collecting the data you need in order to hire properly and that you’re clearly informing applicants and candidates about how you’ll use their info. Finally, they want to see that you have received the applicant’s express consent to collect and process their data.
The GDPR aims to encourage (read: require) you to be totally direct about what recruiting data you need, and why you need it. ‘Principle 2: Explicitly Specified’ requires businesses to only use personal data for the express purpose you (or your recruiting system) collected it for.
Of course, you already know you should never send marketing emails to past job applicants, but what about keeping or recycling candidate information for future openings? Unfortunately, under the GDPR, that IS a violation. But never fear!
Principle 3 of the GDPR compels employers to collect ‘Only What’s Necessary’. Granted, what counts as necessary can be pretty subjective.
Our advice? Be mindful about the amount and nature of the data you’re collecting. Ask yourself: If there’s ever an allegation of a GDPR violation, how difficult would it be to prove that this data is necessary to your hiring process? If in doubt, strike it out. 🚫
Old crusty data is 👎 in the eyes of EU regulators. Hence, GDPR ‘Principle 4: Current and Accurate’ and ‘Principle 5: Limited Retention’.
These GDPR principles might seem like a pain in the proverbial, but they’re actually great for the quality of your hiring database. While it’s still not clear how much data you can hang on to, or for how long, an outdated talent database can definitely put you at risk.
Does that mean you have to go through and purge all your old data? Not necessarily. But if you really want to make sure you don’t get burned by GDPR, you do need to go back to past applicants you want to keep and get them to update their info and opt back into letting you use their data for “future opportunities”.
A great recruitment management system will make this dead easy. For example, in Breezy you can easily revisit and refresh candidates in your Talent Pools to help stay ahead of these key GDPR rules.
Are you ready for GDPR?
Or better yet, why not give Breezy a try and let us worry about it for you?