The GDPR, short for General Data Protection Regulation, is set to take effect in just a matter of weeks. Come May 25, recruiters around the world will need to take into account a new set of rules regarding the storage of EU-citizens’ personal data in ways not everyone is excited about. When it comes to compliance, especially the topics and who and why there is a lot of info out there.
As a result, it can be confusing to understand who needs to comply and why compliance, in general, is important.
Working with any identifiable data from EU citizens makes you susceptible to the GDPR
Regardless of your stance on the subject, GDPR is here to stay, making compliance with it essential for the recruiters it involves.
While not every recruiter will be affected by the GDPR (namely, those that work exclusively with personal data from non-EU citizens), those that are should prepare themselves ahead of time in order to avoid the headaches and potentially costly consequences of non-compliance later on.
Compliance is an ongoing process, not just an updated ToS
In a recent study by Lever, 73% of those polled stated that their company hired legal advisors to help create new internal guidelines and policies in order to meet the requirements of the GDPR. Chances are, you’ve seen one of the byproducts of this legal work in the form of updated Terms of Services and blog posts confirming the company’s compliance.
While updating your ToS is definitely a necessary step in the process, being GDPR-compliant means adapting to a more intentional and minimalist form of data collection (a practice aptly-named data minimization). Knowing what kind of personal data you need to complete a task and safely deleting data when it is no longer relevant are arguably the key points of the GDPR. Additionally, compliance is about keeping your candidates and applicants in the loop, making sure they are aware of what personal information you currently have and what you’re using it for. For ongoing projects, such as email marketing campaigns, it is important to periodically re-obtain consent from recipients.
Non-compliance can be costly and potentially business-ending
Chapter 8 of the official GDPR document describes the conditions and penalties of non-compliance, including:
- Fines up to 20,000,000 EUR, or 4% of a company’s worldwide annual revenue
- Potential payments for damages to the victims of any data breach resulting from non-compliance
- Reprimands and other official reputation-damaging statements
- Additional penalties from the specific nation in which non-compliance occurred
Penalties for non-compliance will be determined by a supervisory authority and will reflect the circumstances in which non-compliance occurred, with intentional offenses being more harshly penalized than accidental incidences.
Though it is unlikely that accidental non-compliance would result in the maximum fine, the best way to avoid penalties is to be proactive and vigilant with regards to compliance. The GDPR is retroactive, meaning that on May 25, companies and organizations are liable for compliance with all of the private data they have on EU citizens, regardless of when it was acquired. CATS Software recently released an infographic, covering four best practices to implement ahead of the GDPR.
Infographic courtesy of CATS Software, Inc.
The GDPR isn’t just a law, it’s a response.
GDPR brings about an inconvenient but necessary change in the way we store personal data. According to the Breach Level Index, there were more than 1,700 known data breaches worldwide in 2017, the vast majority of which (92%) being the result of a “malicious outsider.” The GDPR was created as a response to the continuous problem of data security. It is an attempt to learn from the Equifax, eBay, Target, and countless other data breaches and prevent similar incidents from occurring in the EU.
For recruiters, it is important to embrace and adapt to the guidelines put forth by the GDPR not just out of necessity but to instill confidence and trust in candidates and applicants in your dedication to the safety of their data.