The EU’s newest data privacy law, the General Data Protection Regulation (GDPR), will be enforced as of May 25th, 2018, leaving many recruiters and HR leaders with a sense of dread.
This is the most comprehensive regulation since the Data Protection Act of 1998, and non-compliance can result in fines of up to €20 million or 4% of global annual turnover. Ouch! 😱
Any business holding personal data on prospects, customers or employees based within the EU must comply with the GDPR. So yes, you need to be ready. But you don’t need to panic.
At Breezy, we like to geek out on data security regs (so you don’t have to). Here are some practical tips to help you protect your business and get GDPR-ready.
Use an Airtight Privacy Policy
The GDPR breaks down into five key principles. Let’s start at the top with ‘Principle 1: Fair and Lawful, With Transparency’.
In other words, regulators expect employers to keep it 💯 with respect to data privacy.
Gone are the days of burying data privacy clauses deep within jargon-filled employment contracts. Regulators want to see that you’re only collecting the data you need in order to hire properly and that you’re clearly informing applicants and candidates about how you’ll use their info. Finally, they want to see that you have received the applicant’s express consent to collect and process their data.
Share a clear and comprehensive Privacy Policy with your applicants asking for their consent. A simple recorded action such as a checkbox stating they agree is all it takes. ✅
Be Specific about How Applicant Data will be Used
The GDPR aims to encourage (read: require) you to be totally direct about what recruiting data you need, and why you need it. ‘Principle 2: Explicitly Specified’ requires businesses to only use personal data for the express purpose you (or your recruiting system) collected it for.
Of course, you already know you should never send marketing emails to past job applicants, but what about keeping or recycling candidate information for future openings? Unfortunately, under the GDPR, that IS a violation. But never fear!
All you need to do is address this directly in your Privacy Policy/request for consent, e.g., “personal data will be used for communications about this position and for future openings.”
Only Collect the Must-Have Data
Principle 3 of the GDPR compels employers to collect ‘Only What’s Necessary’. Granted, what counts as necessary can be pretty subjective.
Our advice? Be mindful about the amount and nature of the data you’re collecting. Ask yourself: If there’s ever an allegation of a GDPR violation, how difficult would it be to prove that this data is necessary to your hiring process? If in doubt, strike it out. 🚫
Pro Tip: For a second line of defense, include a statement in your Privacy Policy and/or internal documentation about why you’re collecting the applicant’s personal data. For example, “Our business relies on this data to hire qualified employees and meet growth objectives”.
Keep Your Talent Database Fresh
Old crusty data is 👎 in the eyes of EU regulators. Hence, GDPR ‘Principle 4: Current and Accurate’ and ‘Principle 5: Limited Retention’.
These GDPR principles might seem like a pain in the proverbial, but they’re actually great for the quality of your hiring database. While it’s still not clear how much data you can hang on to, or for how long, an outdated talent database can definitely put you at risk.
Does that mean you have to go through and purge all your old data? Not necessarily. But if you really want to make sure you don’t get burned by GDPR, you do need to go back to past applicants you want to keep and get them to update their info and opt back into letting you use their data for “future opportunities”.
A great recruitment management system will make this dead easy. For example, in Breezy you can easily revisit and refresh candidates in your Talent Pools to help stay ahead of these key GDPR rules.
Are you ready for GDPR?