Now that the EU General Data Protection Regulation (GDPR) is in effect (as of May 25, 2018) the time to be proactive has passed. Companies must now focus on compliance with the regulation, particularly in HR and recruiting, which rely heavily on candidate data.
GDPR Recruiting & Hiring Recap
To recap, the GDPR was designed as a replacement for the Data Protection Directive 95/46/EC with the purpose of reconciling country-specific and sometimes conflicting European data privacy laws. Most importantly, it aims at changing the way organizations operating in the EU, or those collecting personal data from EU residents, approach data privacy. It also provides a harmonization of the data protection regulations throughout the EU, in theory making it easier for American companies to comply. However, the new regulations mean it is now unlawful to use an EU resident’s data without his or her explicit consent.
It’s important to note that the GDPR isn’t just about companies who hire in the EU. It’s also about employers who are employing EU residents wherever they may live. The GDPR applies worldwide as to any company that offers goods or services (even if they are free) within the EU or collects, processes, or maintains (anywhere) personal data about European residents. Recruiters are going to need to restructure candidate engagement, sourcing and recruiting programs that focus on candidate data, recruiting and HR technology, and refocus on building compliant candidate and employee relationships.
How GDPR Impacts You and Your Recruitment Vendors and Technologies
From the application process to background screening, companies recruiting or employing EU residents must adhere to strict regulations with regards to data. Under GDPR, you are required to ask for explicit consent, clarify how you will use individual candidate’s data, and make sure that the data remains secure. This involves more than simply adding a clarification and a checkbox to data collection forms. Your vendors – such as your ATS, payroll, and recruiting software, must also be GDPR compliant.
GDPR introduces direct obligations for data processors for the first time. Processors will also now be subject to penalties and civil claims by data subjects. This means that, if you haven’t already, it’s imperative that HR and recruiting leaders speak with and understand if their vendors and partners are taking steps to be compliant with GDPR.
Below is a short list of questions that you should ask your vendors and partners in relation to GDPR compliance. It’s imperative that your HR technology vendor is compliant with the new regulations, as well as liability for violations and noncompliance.
- Have their contract terms changed with GDPR?
- What level of consent do you seek when applicants submit their data?
- Process for storing, collecting, & deleting data
- Timeline for auto deletion – circumstances & data type
- What is documented timeline for keeping data?
- What processes exist to keep data up to date?
- Have they appointed a data protection officer?
Do You Need a Data Protection Officer?
In relation to the last question above, Section 4 of GDPR outlines the requirement for applicable entities to appoint a data protection officer (DPO). According to Article 37(1), data controllers and processors shall designate a DPO where:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Most firms required to appoint a DPO would fall under sub paragraphs (b) and (c). Article 39 outlines five minimum tasks that the DPO must perform:
- Inform and advise firms and employees who carry out data processing on applicable data protection provisions
- Monitor compliance with the GDPR, other data protection provisions, and additional internal data protection policies; this includes training and auditing
- Advise on data protection impact assessment (DPIA)
- Cooperate with the supervisory authority
- Serve as main contact for the supervisory authority
A word of caution: In many cases the business can be both data controller and data processor. However, because the GDPR makes the distinction, we’d like to consider the shared responsibility of both parties.
Companies that determine the means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects. For example, a recruiter (controller) collects the data of its clients when they apply for a job, but your recruiting technology (processor) stores, digitizes, and catalogs all the information. These companies can be ATSs or full-suite recruiting software companies. Both organizations (controller and processor) are responsible for handling the personal data of these customers.
Recruiting Strategy Changes Post-GDPR
Because short-term recruiting programs, or what we refer to as “reactive recruiting,” will come at a price due to the GDPR, HR teams must focus on building candidate relationships and providing value for the long term. The value of building relationships, sharing information, and providing resources will be more important than ever in order to engage and recruit candidates.
If you’ve already begun adapting your recruiting model to GDPR compliance, you’re probably ahead of other companies when it comes to compliance and hiring. The consulting firm Gartner estimates that more than half of the companies that are subject to the GDPR will not be in compliance throughout this year. They will be at risk.
If you’re in the half that is not yet compliant with the GDPR, consider it an opportunity to revamp your current practices and candidate outreach.
HR is already tasked with a lot of compliance responsibilities, many of which are not of its own making. It can be process-driven and this might be a great time to consider splitting the department into two areas: compliance (the processes) and HR (the human side), or clearly defining when to use technology, and when to put people back into the mix. With the right balance, HR teams can be more productive, more engaged, and use the human element to attract and retain top talent.
And yes, the GDPR is primarily about data. But it’s also timely to note that at the heart of appealing to candidates is that humans don’t want to BE data; but they do want more control over how their data is used. A phone call or personalized response can mean the difference between considering a role at your company or moving on for a candidate.
The solution to adapting your recruiting and hiring processes isn’t more technology; it’s better technology that has data compliance and support in mind. When it comes to GDPR in recruiting and hiring, your tech should not only comply with new regulations, but also support the broader mission of the recruiting and hiring side of your organization. This gives you the peace of mind on the compliance side allowing you to focus on improving your hiring processes and candidate quality.
When it comes to pre-employment and post-employment background screening, Cisive GDPR compliant. If you are an existing Cisive client and have questions concerning GDPR compliance in your background screening program, please contact your Cisive Customer Service Representative. For those of you who have not yet experienced the benefits of Cisive and are interested in learning more, please call us at 1.866.557.5984.
VP and General Manager
Global Executive Intelligence Division