The impact of GDPR on HR & Recruitment

The General Data Protection Regulations (GDPR) is a new set of European regulations that will overhaul exisiting Data Protection laws and come into force on 25th May 2018. The regulations effectively standardise rules across the EU and the UK has committed to observing GDPR even after Brexit. It’s going to have far reaching consequences for how business look after their personal data, and to enforce these new regulations GDPR will also allow for significant fines for companies who breach these new rules.

As Joanna from Taylor Wells explains: “”Failure to prepare for the GDPR is likely to have serious consequences in terms of an organisation’s profitability, customer and employee relationships, and their brand image and reputation. Organisations must take action now, and allocate budget and resources to build and implement a robust governance framework. Identifying the right tools and people will also give businesses a head-start on driving the compliance agenda.

“Most managers know that poor quality data waste time, increases costs and limits decisions. Businesses should use GDPR as an opportunity to improve how they process and manage data. This is because the GDPR is not just an event; it’s an ongoing process.”

Information security management company, ISMS.online is just one of the organisations who have started to consider the impact of GDPR. Sarah James says: “Due to the type of work our organisation does, we come at cloud computing, for example, from a data security point of view. With the impending General Data Protection Regulations (GDPR), personal data and its security are at the forefront of people’s minds.”

“When it comes to IT security, and researching a cloud solution for your organisation to use, it’s important to check out their terms and conditions and privacy policies so that you understand where the data is stored, what they do to protect it, and what will happen in the event of a breach. For example, the ISMS.online cloud software undergoes regular penetration test and uses encryption to protect data from being exposed.”

For many companies, their IT, legal, and compliance departments will be tasked with picking up the preparations for GDPR. However, there are still some important areas which will impact the Human Resources department, and it’s important that you’re prepared to ensure the impact to HR and recruiting is minimal. Additionally, almost every company must appoint a Data Protection Officer, so make sure you’re aware of who yours is and engage with them early.

Many of your suppliers will be reviewing their terms and conditions of use to ensure they’re compliant. This may mean that you need to have your legal teams review new contracts, and potentially consent to new terms (such as destruction of data after a fixed period).

Of the new GDPR, Ian Hughes, CEO of Consumer Intelligence Ltd, says of the new regulations: “GDPR is as much a part of a consumer’s property as the contents of their house. You wouldn’t go into their house and take their property without their permission, and you can’t take their data without their permission. That means you need to give people a reason to want to share their information with you. Companies that focus on what is the benefit for the customer, and are trusted by the customer not to abuse the property they are giving, are more likely to get consent than those who don’t. You have to see GDPR through a customer lens in order to succeed in being compliant.”

Erin Gilliam, Content Marketer at Mopinion, adds: “There is talk of companies being potentially subject to fines issued by data protection authorities should they fail to adhere to protocols. These are said to be fines that are proportionate with the size and/or revenue of the company, meaning that they’re likely to go after the larger companies first. However this doesn’t necessarily mean smaller businesses are in the clear as many of these larger corporates happen to work with smaller, niche SaaS providers (third party software).

“What’s also interesting is that many businesses, despite the upcoming changes in legislation, still have a lax attitude towards the whole affair, which is perhaps a bit unwise. It’s likely that businesses won’t feel pushed to take action until they witness a few large incidents among other businesses.”

To make things simpler to understand, we have split our guide into two parts; firstly, for recruitment, and secondly, for existing employees.

 

Recruitment considerations

 

When sourcing CVs

 When asking candidates to send in CVs, you’re asking for personal information. Whether this is via a job board, an employment website, or directly via an email, you need to provide information on how the data will be processed (or used), how long it will be retained for, and if the data they shared with you will be transferred overseas (if, for example, you have multiple offices).

 

You will also be required to provide more information around how an individual can determine if you hold data on them, how they can check what this, how they can rectify the data it if is incomplete or wrong, and how they can enact their ‘right to be forgotten’.

 

Supplier tip: One of the key changes is that whoever collects the data is then responsible for how it is treated (even by other companies). If you get CVs from recruitment agencies or job boards, they’ll be looking to ensure they’re covered for any access requests from candidates. Because of this, they may ask you to sign new terms and conditions such as destroying the data after a fixed period, so make sure you understand any new T&Cs!

 

Security for CVs

Once you have received the CV, there are some important considerations from both a technology and people perspective.

 

Your IT department will need to ensure you have a secure process that covers the storage of electronic documents with personal information. This may be in the form of recruitment or HR software, or in password protected files. You will also want to review who is able to access these, and for how long they are kept.

 

You should also be reviewing your document management systems. Suppliers may make you agree to destroy copies of CVs or personal data, but the individual who sent in the CV may also make requests to find out what data you hold on them and amend or remove their data from your system. To prevent future issues, you should focus on the process now.

 

It’s also important to revisit your people policies. One of the biggest changes to data breaches is that they need to be communicated to both the regulator and the individual(s) effected within 72 hours. This means that any oversight could have a negative impact on your company’s public perception. One of the key fears for any business is a staff member leaving with access to private company data. This would apply to employee data, as well as customer data from your core business activity.

 

Advice

Fabio Grech, Partner and Head of Employment and HR at Cardiff law firm, Berry Smith LLP says that “many have criticised our existing Data Protection laws as being somewhat toothless. But under GDPR, workers will have extended rights so, in addition to a right to inspect personal data held about them, workers may be able to insist their data is erased, rectified, restricted or not processed at all. Combined with a much tougher enforcement and penalty regime for non-compliance, businesses who ignore GDPR tread a very thin line. We might find that asserted GDPR breaches are one of the first (and easiest) lines of attack in any employment dispute.”

 

If you think GDPR is scary, you’re not alone. Many businesses are going to be trying to understand their requirements to protect themselves, their employees, and their customers. With this panic, there will be many late in the day requests for new ways of working, or different terms and conditions.

 

By understanding more about how GDPR will impact your business, you can negate any negative impact, and help us all reap the benefits of feeling more secure when we give our personal data our to your company.

 

Checklist  

  1. Identify your Data Protection Officer
  2. Ensure you website terms and conditions are compliant
  3. Proactively engage with your suppliers to ensure you are aware of any changes
  4. Revisit your People policies. Retrain if required.
  5. Review document management processes and software

 

Erik Severinghaus, SpringCM‘s Chief Strategy Officer & Global Head of Alliances, also advises: “The basis of this requirement is the idea that no EU citizen should have a potentially significant decision with a negative impact made without human eyes on it. This extends to many areas such as judging work performance and financial situations.

 

“In terms of how business approach it, they must establish best practices that are in keeping with and guided by concepts like Privacy By Design like:

 

  • Minimizing the amount of unnecessary data kept on-hand – i.e., not retaining identifying user data infinitely just for the sake of having it.
  • Creating an internal culture built around understanding and appreciating data privacy, monitoring processes and being aware of how user data is treated in the day-to-day.
  • Building out systems that make it difficult to violate data privacy regulations (e.g., workflows that make individualized user data easy to manage and fully delete on a record-by-record basis).”

Still interested? Read part 2  about What Human Resources Need To Know About GDPR