“GDPR - it’s not until next May - I can start thinking about the GDPR over the next few months, surely?”
Any recruitment business that thinks it can comfortably park GDPR for the next six or so months, hand it over to legal to come up with a miracle solution or - even worse - assume it won't be affected needs to think again. Fast.
One thing is certain: the General Data Protection Regulation (GDPR) applies from 25 May 2018 and will affect every business that processes personal data about individuals in the EU, wherever that business is based.
The question every recruitment firm should be asking right now is, ‘How will the GDPR legislation affect me?’
Let’s be very clear. From May 2018 you will need a lawful basis for every piece of personal data you process, and where that basis is consent it must be a freely given, specific, informed and unambiguous opt-in. Unless you take action now to put those foundations in place, you will be processing the data you hold on individuals unlawfully.
So what are the main changes?
GDPR represents a power shift. It places control in the individual’s hands to a far greater degree than under the current Data Protection Act.
Simply put, every business that either processes or controls personal data must now
Have a lawful basis for collecting and processing each individual’s data. Where that basis is consent, it must be an active opt-in that the individual can withdraw as easily as it was given.
Allow every individual the right to access their data, to have it corrected, to have it erased (the right to be forgotten) and to request portability of it.
Be able to demonstrate that they hold the necessary lawful basis and consent, and keep fully auditable records of every stage of the data journey, including any modifications.
Have data breach protocols in place to notify the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of a breach, and to notify the affected candidates without undue delay where the breach is likely to put them at high risk. A breach can be as harmless-sounding as a careless email, a stray hard copy CV left on a desk or unauthorised personnel accessing personal data. These protocols must be fully auditable.
And this is just a snapshot - the full set of GDPR principles defines all the legal requirements, and we will be exploring them over the coming weeks.
What does this mean for me as a recruitment business?
GDPR represents operational reform on a major scale and will require a fundamental change in the way every piece of a subject’s personal data is handled, protected and stored.
Personal data held by recruiters goes wider than you might think - far beyond just names, addresses and contact details. Online identifiers such as cookies and IP addresses can be personal data too if they can be linked to an individual. Implied consent to use that data is no longer enough. An individual must actively and unambiguously opt in to their data being used and shared, and they must be told who it will be shared with and for what purpose. Consent bundled into a general ‘I agree’ tick box in the Terms and Conditions, for example, doesn’t cut it.
Where should I start?
At Volcanic, we are rolling out a GDPR-ready platform - starting now. Because of our extensive research into the GDPR principles, roles, responsibilities and requirements, we are well placed to help the recruitment sector navigate this legislation.
What to do first? We recommend that you don’t tackle GDPR all in one go. Start by carrying out a full assessment of your business in terms of data handling:
Scope out how you receive, use and store data. Think in terms of security, accessibility (who has access to data, who can download it, who might share it), backup policy and archive policy. Our checklist will set you on the right track.
Check now that all your vendors are fit for GDPR too. Vendor due diligence is key here: any vendor that processes personal data on your behalf needs a contract that sets out its obligations, and if your vendor isn’t GDPR ready then you’re not GDPR ready.
Hoping GDPR doesn’t apply to you is not a strategy - it’s not even an option. Check back in to read our blog post that explores our candidate-first approach to help you navigate the key GDPR requirement of Subject Access Requests.
Disclaimer: This blog sets out to share our general guidance on best practice in GDPR based on our extensive research and practical knowledge. It is not a legal document. We recommend that you seek expert legal advice before implementing your GDPR policy.