15 Sep RTT – Getting to Grips with GDPR in Recruitment and HR
In light of the increasingly digital landscape that dominates the world of today, a new General Data Protection Regulation (GDPR) will be coming into force next May to help protect personal data. These regulations will undoubtedly have huge implications for businesses that possess or control data, so it’s crucial that our policies and procedures help ensure we’re compliant.
As a sector, we are responsible for enormous quantities of HR and recruitment data, which makes it all the more important to act now and implement the appropriate organisational measures. With fines for breaching the regulation understood to be around €20m, we as recruitment professionals cannot afford to delay getting to grips with what GDPR entails.
These are the thoughts and takeaways from a Resourcing Think Tank held on Thursday 5th September, hosted by FTI Consulting’s Jane Harely (Director Talent Acquisition – EMEA). The following summary reflects discussions held amongst senior Resourcing and HR professionals and is informed by a presentation delivered by FTI Consulting’s Paul Prior (Managing Director).
Key facts concerning GDPR:
- GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens.
- Organisations must notify the relevant authorities within 72 hours if a security breach is detected.
- Individuals will have the right to request access to their personal data and, as such, companies must be able to provide electronic copies of this data and inform the individual where the data is stored and for what reason.
- Consent must be obtained from any individual whose data you are storing.
- Companies will be legally required to prove that their data is securely stored and processed.
- The appointment of a DPO (Data Protection Officer) will become mandatory for certain organisations.
- Individuals will have the right to move their data from one ‘controller’ to another, therefore all information has to be stored in a commonly used and consistent format.
- EU citizens have the right to request for their data to be deleted.
Areas for priority:
In FTI Consulting’s experience, there are eight priority areas that need to be addressed in order to achieve pragmatic GDPR compliance:
Leveraging GDPR for our competitive advantage: Key questions
- Do we understand how our recruitment and HR data is utilised across the business?
- Are we able to clearly and easily identify recruitment and HR data usage and delete the data without impact?
- Do we have a process in place which allows employees and candidates to request information on how their data is stored and used?
- In what aspect are we covered by ‘legitimate interest’, and where must we be explicit in consent?
- Do we have robust processes and policies in place to audit and monitor 3rd Party liability and governance?
- Where we undertake profiling, are we utilising any sensitive employee or candidate data, and does it require consent?
- Are we in a position to identify, establish root cause of, and notify relevant authorities of a security breach?
- How do we organise ourselves for robust organisational control?
Prioritising GDPR impacts:
Tips for a successful implementation:
- Conduct a full assessment to understand all areas of risk
- Communicate with those affected early and often
- Bucket affected areas and prioritise accordingly – not all parts of your organisation are equal with regard to GDPR (marketing, sales, recruitment, HR)
- Monitor policies and processes through accurate reporting
- Establish a ‘working council’ or committee to represent GDPR across the whole business – create a joined up approach with consistent messaging
- Drive more ownership from an HR / TA perspective in terms of risk vs. ROI (the cost of not doing something vs. the cost of mitigating that risk)
- Explore ‘pseudonymization’ of candidate data to reduce the risk of data processing, whilst maintaining the data’s utility
- Hire an internal auditor or an external consultant to give weight to findings (an objective report)
- Identify a ‘process flow’ for all data journeys in your business (e.g. receiving a candidate’s CV through to the offer and onboarding process) to ensure that individuals’ expectations are in line with internal intentions / usage for data
- Ensure that the 3rd parties with whom you share data are GDPR compliant (e.g. recruitment agencies, MSPs, reference checking agencies etc.)
- Create a GDPR handbook and checklist for internal use, alongside a mission statement presented externally
Further reading:
- FTI Consulting’s GDPR Presentation
- APSCo – What does GDPR Mean for Recruitment?
- Fieldfisher – What you think you know about the GDPR… and why you may be wrong
- ICO – Overview of the General Data Protection Regulation (GDPR)
- ICO – GDPR Breach Notification
- Osborne Clarke – Helping recruiters to be GDPR-ready: 12 months to go