First of all, thank you to Macildowie for inviting me to speak at their sell-out GDPR educational event this morning, hosted by James Taylor, managing director of Macildowie (pictured) at Shoosmiths Solicitors in Nottingham and with guest speaker David Miller from Flint Bishop Solicitors.
It was great to speak with such an active and engaged audience, and what today’s event highlighted to me comes as good news: that general awareness around the GDPR in the HR and recruitment sector has shifted dramatically. People are now very aware of what’s coming and of the potential implications but, in contrast, there is still huge confusion around what the recruitment industry and in-house HR departments should actually do next.
The Volcanic position hasn't changed since we first started building our compliance area and candidate dashboard in line with the GDPR nearly a year ago - namely, all roads lead to consent.
Life after the GDPR
Judging by this morning's session, I believe that only around 3-5% of recruitment businesses and in-house HR departments have started to train their teams for life after the GDPR.
What I'd advise all businesses to do now is, first of all, to identify every area of the business where personal data is held or handled and - critically - to train all staff in the new behaviours the GDPR climate demands. Holding candidate data on local or removable disks, or exporting candidate information to ad-hoc spreadsheets, for example, are no longer acceptable practices: copies like that sit outside any access control, retention or deletion process, so nobody can say who has seen them or whether they were erased when the candidate asked.
One weak link is all it takes
And just one weak link within your business is all it takes to breach data security. We'd recommend not only that all staff are trained in GDPR best practice, but also that every recruitment agency holds a disaster recovery (DR) training session - a dummy run that takes the whole team through what to do in case of a suspected or reported data breach. This will not only limit the damage when a breach does happen, it also demonstrates clearly to the ICO that you are taking the GDPR seriously and are taking action to support its principles.
A DR data breach session should include a comprehensive run through of:
- Key personnel: who within the business takes responsibility in the event of a data breach, including a designated spokesperson for contact with legal representatives, the media and the affected data subjects.
- Notification protocols: who to contact in the event of a breach, how to reach them, approved statements and timelines. Note that the GDPR requires a notifiable breach to be reported to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, so the run-through should show that the team can hit that window.
- Data breach response: what happens next in terms of containment - revoking exposed credentials, isolating affected systems and closing the route by which the data was lost - so the same incident cannot simply recur.
- Post-mortem: a full investigation into what happened and why, written up in an incident log. The GDPR requires controllers to document every personal data breach, including those judged not serious enough to notify, so the log should record the facts, the effects and the remedial action taken.
- Procedures: writing up outcomes and key learnings to produce formal data breach recovery protocols that form part of your business's disaster recovery plan.
One thing is certain - any recruitment business or in-house HR department that has not yet started to plan for the GDPR really needs to get its house in order. With just five months to go until the regulation applies, the countdown is on.
Volcanic is supporting the recruitment industry towards GDPR compliance ahead of the May 2018 deadline. Download your free guide to GDPR for recruitment agencies.