An Introduction To The General Data Protection Regulation (GDPR)
The thing that jumps out when anyone mentions the General Data Protection Regulation is that monstrous twenty million euro fine (or 4% of your global turnover) if you get caught breaching it; it's a head turner, that's for sure!
If you are like me and your eyes glaze over whenever somebody mentions data protection regulations, that fine is the headline grabber and the single biggest reason you must start to take GDPR seriously. If you do not take immediate action on the incoming GDPR legislation, you leave yourself vulnerable to a very nasty fine should you be caught in breach of the act in any way.
If you thought that Brexit would provide some respite from GDPR and those regulation-driven Eurocrats, you are absolutely wrong. The GDPR directive is set to become part of UK (and US/EU) law on the 25th of May 2018 and your company is legally bound by it; there is simply no getting away from it short of relocating to Panama, and even then you would still be bound if you dealt with UK/US/EU data.
The new General Data Protection Regulation (GDPR), put forth by the European Commission in 2012 and finally agreed upon by the European Parliament and Council in December 2016, is set to replace the Data Protection Directive. Although many companies have already adopted privacy processes and procedures consistent with the existing Data Protection Directive, the GDPR contains a number of new protections for data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
For a complete and detailed explanation of the General Data Protection Regulation (GDPR), head over to the Information Commissioner's website at Ico.org.uk, where they explain the GDPR in plain English. Consider the Information Commissioner's website your primary source for all of your GDPR information; it's where we get our facts, straight from the horse's mouth as they are updated.
This subject is of such great importance that I sat down with Guy Deterding, the Managing Director of Nasstar For Recruitment, and had a good conversation with him about GDPR and specifically how it affects our customers. Guy manages our recruitment customers, and for them GDPR has some very serious repercussions indeed.
In our short video below, we cover all of the GDPR basics, explain how it will affect the recruitment space and offer some practical tips from a recruitment industry perspective. That said, this article and video are suitable for anyone who wants to get a handle on GDPR and how it will affect their business or organisation.
What Does The New General Data Protection Law Require?
With GDPR come some very strict regulations surrounding how you handle personal data, the key one being explicit consent from the data subject.
Any personal data whatsoever that you may hold on a customer, employee or candidate falls within the remit of GDPR, and you must have the explicit consent of the data subject to legally hold it. This means that you need to make sure every last record in your CRM has an explicit consent attached to it before you can use it, or you have to delete the record.
You must delete records when asked to by candidates, employees or customers under the "right to be forgotten", and you have seven days to delete the data once asked, or you are at risk of being fined for non-compliance. Non-compliance also exposes your organisation to further GDPR scrutiny and potentially data audits; nobody wants that, so delete records when asked.
Any data you hold on anyone has to be freely given, meaning you cannot make customers, employees or candidates give you data 'under duress'. Any personal data you are given has to be freely given, specifically relevant to the particular service you are offering, and asked for in a standalone fashion. This is meant to stop organisations freely sharing data amongst themselves or selling your data to third-party data brokers, and it puts the power back in the hands of the consumer.
When asked, you must allow candidates, employees or customers to see a copy of the data record you hold on them in a commonly readable format, and this includes any notes that your employees may have attached to the record.
GDPR Means Data Security Changes
GDPR means big changes to the way you build software and hardware, and even to the way you design your CRM systems. All of your systems, processes and technology must be demonstrably designed with security built in at blueprint level, meaning you must be able to show that you took steps to implement effective security when designing your platform, web panel, CRM or internal processes. If you are unable to demonstrate that you took security into consideration from day one, you will be in breach of the GDPR regulations. This is meant to improve security standards nationally in the face of increasingly serious cyber attacks on businesses globally.
If you suffer a cyber attack that results in a breach, you must by law notify the Information Commissioner within 72 hours and notify all of the affected individuals, or face a very steep fine. No more sitting on your hands when a breach occurs and keeping it quiet from your customers: you are now under a firm legal obligation to notify affected parties almost immediately.
GDPR also requires you to employ a Data Protection Officer, but it is still unclear whether this means you must hire a full-time specialist or train one of your staff to regulate internally the way your organisation uses data, effectively acting as a Data Compliance Officer for your business.
Practical Steps To Dealing With GDPR For Recruiters
GDPR comes into effect on the 25th of May 2018 and you absolutely have to be ready for it. So what practical steps should you take immediately to make sure that your organisation will be in compliance when the new law takes hold in early 2018?
Gather Consent & Delete Records - You need to gather consent immediately for all of the operational records you currently have on file: contact the parties concerned and ask for their explicit consent to hold their data. If you have a web portal that lets your customers, employees and candidates register with you, it needs to be updated so that it explicitly asks for their consent when they register with your service. Finally, you need to delete the records of anybody who has not given consent by May 25th 2018 in order to be compliant. A seriously inconvenient process by any measure, but a necessary one if you are to remain in compliance with GDPR.
Ensure Data Can Be Deleted/Viewed/Transferred On Request - You need to make sure that all of your records are easy to view, delete and transfer upon request by any party, so that it's as easy to withdraw consent as it is to give it. This means that your systems, your web portals and your CRM systems need to take this into account and make it easy for candidates, customers and your employees to view their records and manage their consent around those records.
Ensure You Have Best Practice Security Measures In Place - If you do suffer a breach, it's already going to be bad, but you will make it even worse if you cannot demonstrate that you have taken steps at every level to ensure that adequate security measures have been put in place. If you get breached and you have taken all of the reasonable steps you can as far as your security is concerned, you will not get fined. But if it is revealed that you spend more money on flowers and the staff canteen than you do on cybersecurity, a hefty fine awaits.
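The first two steps above (attach explicit consent to every CRM record and purge what has none by the deadline; then let a subject view, export or erase their record, employee notes included) are the part a systems team actually has to build. The following is an added worked example written for this article; it is not code from Nasstar or from any real CRM product. The `CRM`, `Record` and `Consent` names, the sample candidate records, and the audit trail are all constructed for illustration. The 25 May 2018 deadline and the seven-day erasure window are the figures this article states.

```python
"""Added example: a minimal consent ledger plus data-subject request handling
for CRM records. Illustrative code written for this article, not Nasstar's
product or any real CRM API; all record data below is constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Optional

GDPR_DEADLINE = date(2018, 5, 25)   # compliance date given in the article
ERASURE_WINDOW_DAYS = 7             # deletion window the article describes


@dataclass
class Consent:
    purpose: str                    # specific, standalone purpose the subject agreed to
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class Record:
    subject_id: str
    personal_data: dict
    notes: list[str] = field(default_factory=list)      # employee notes are part of the record
    consents: list[Consent] = field(default_factory=list)

    def has_active_consent(self) -> bool:
        return any(c.active() for c in self.consents)


class CRM:
    """Hypothetical record store with the evidence trail you would show a regulator."""

    def __init__(self) -> None:
        self.records: dict[str, Record] = {}
        self.audit: list[dict] = []

    def _log(self, action: str, subject_id: str, **extra) -> None:
        self.audit.append({"action": action, "subject": subject_id,
                           "at": datetime.now(timezone.utc).isoformat(), **extra})

    def record_consent(self, subject_id: str, purpose: str, when: datetime) -> None:
        self.records[subject_id].consents.append(Consent(purpose, when))
        self._log("consent_given", subject_id, purpose=purpose)

    def purge_unconsented(self, today: date) -> list[str]:
        """Step 1: once the deadline has passed, delete every record lacking active consent."""
        if today < GDPR_DEADLINE:
            return []
        doomed = [sid for sid, r in self.records.items() if not r.has_active_consent()]
        for sid in doomed:
            del self.records[sid]
            self._log("purged_no_consent", sid)
        return doomed

    def subject_access(self, subject_id: str) -> str:
        """Step 2 (view/transfer): export everything held, notes included, as JSON."""
        r = self.records[subject_id]
        payload = {
            "subject_id": r.subject_id,
            "personal_data": r.personal_data,
            "notes": r.notes,
            "consents": [{"purpose": c.purpose, "given_at": c.given_at.isoformat(),
                          "withdrawn_at": c.withdrawn_at.isoformat() if c.withdrawn_at else None}
                         for c in r.consents],
        }
        self._log("subject_access_export", subject_id)
        return json.dumps(payload, indent=2)

    def erase(self, subject_id: str, requested_on: date, completed_on: date) -> bool:
        """Step 2 (delete): fulfil a right-to-be-forgotten request.
        Returns True when completion fell inside the seven-day window."""
        self.records.pop(subject_id, None)
        on_time = completed_on <= requested_on + timedelta(days=ERASURE_WINDOW_DAYS)
        self._log("erased", subject_id, on_time=on_time)
        return on_time


def demo() -> tuple[list[str], bool, dict]:
    """Run the three operations over two constructed candidate records."""
    crm = CRM()
    crm.records["cand-001"] = Record("cand-001",
                                     {"name": "A. Candidate", "email": "a@example.invalid"},
                                     notes=["Interviewed 2018-03-02"])
    crm.records["cand-002"] = Record("cand-002", {"name": "B. Candidate"})
    crm.record_consent("cand-001", "recruitment matching",
                       datetime(2018, 4, 1, tzinfo=timezone.utc))
    purged = crm.purge_unconsented(date(2018, 5, 25))      # cand-002 never consented
    export = json.loads(crm.subject_access("cand-001"))
    on_time = crm.erase("cand-001", date(2018, 6, 1), date(2018, 6, 5))
    return purged, on_time, export


if __name__ == "__main__":
    print(demo())
```

The audit list is the point worth copying: every consent, purge, export and erasure leaves a timestamped entry, which is what lets you demonstrate compliance rather than merely assert it.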
For the recruitment industry, GDPR means an end to hoarding vast amounts of data on candidates past and present. It means an end to holding any kind of data without the explicit consent of the subject, and it forces you to update your systems, technology and processes to put security first, on penalty of a very serious fine for non-compliance. GDPR is enough to send shivers down the spine of any business not prepared to deal with it.
Consolation can be found in the fact that, come May 25th 2018, you as an individual consumer will suddenly have many more rights and much more privacy than you had previously thought imaginable. GDPR puts control over data, and the law underpinning the way your data is handled, firmly on your side, and that can only be a good thing for all of us.
If you have any further questions on GDPR, you can head over to the Information Commissioner's (UK) website, where they explain the new General Data Protection Regulation in plain English, covering every part of it. The International Association of Privacy Professionals also has an excellent resource on their website covering GDPR and detailing the top ten operational impacts of GDPR; it makes for a deeply interesting and fascinating read. If you need any help getting through GDPR and into compliance, please do get in touch with us. We are currently helping a number of our customers get to grips with GDPR, and our professional services team are experts on the details of the GDPR fine print.