The General Data Protection Regulation (GDPR) is set to come into force in May 2018 and it is up to businesses to ensure that they are compliant with the new rules. The regulation is being brought in to ensure that companies better protect the personal data of their customers, staff, and other individuals.
It is important for recruitment departments to understand their role in the business becoming compliant, so here we look at five things you can do to prepare for the GDPR.
1. Understand how the GDPR applies to recruitment
The first thing that your recruitment department needs to do to prepare for the GDPR is to understand the details – you cannot prepare for something without knowing how it applies to you. For example, the GDPR is designed to protect the ‘personal data’ of individuals – but what counts as personal data in this context?
Under the GDPR, personal data is any information relating to an identified or identifiable individual. That covers names, contact details, online identifiers and identification numbers, as well as anything relating to a person's physical, physiological, social, economic or cultural identity. In a recruitment department such data could include a job applicant's:
- Employment history
- Educational history
- Evidence of the right to work
- Pay details
Any time you collect, store, use or share this kind of information about candidates or current staff, you are processing personal data, and your recruitment department is subject to the rules of the GDPR.
2. Establish what data you hold and how it is stored
Once you are clear about your department's compliance obligations, you need to take practical steps. Start with a review and audit of your current systems to establish what personal data your business actually processes. See this helpful GDPR guide to help verify your preparedness.
It is essential to build an understanding of how you collect data, where it is stored, who can access it and how long it is retained. With this information you can map how data flows through your business and identify areas of risk. For instance, does your organization have a defined retention period for the personal data of unsuccessful job applicants, and a process for permanently erasing it once that period ends?
3. Assign budget and resources to achieve compliance
The GDPR is a big deal and you cannot simply assume that you can carry on as normal. For most businesses, changes will be necessary to achieve compliance. For example, you may need to introduce new systems and processes.
This means that the business as a whole will need to make resources and budget available so that the changes can be implemented. As the recruitment department is one of many that will be affected by the GDPR, this may mean giving up a portion of its own budget to fund them.
4. Review contracts with third-party suppliers
Does your recruitment department work with any third parties such as external agencies and HR service providers? If it does, it is vital that you closely review the terms of new and existing contracts and look carefully at how these providers use and store the personal data you share with them. The GDPR requires a written contract with any supplier that processes personal data on your behalf, setting out what they may do with it, so contracts that are silent on this will need to be updated. See GDPR Checklist for Third Party Agreements for more information.
5. Train staff properly
Some businesses treat the GDPR as an issue for the IT team to deal with, but in fact everyone in the business has a responsibility. This is especially true of the recruitment department, where employees regularly handle highly sensitive information.
Training staff on what is expected of them under the GDPR is highly recommended. Something as simple as a member of staff clicking a malicious link in an email can give cybercriminals a way into your organization's systems. Providing full training to the recruitment department, and to all other areas of the business, will help to reduce the risk of a data breach.
About the author: Mike James is an experienced business writer specializing in HR, tech, and cybersecurity. On the latter, he has contributed to many of the leading publications both online and in print – such as StaySafeOnline, GlobalSign, TechLondon and more.