We’re in the final stretch – GDPR becomes enforceable on May 25. In less than 30 days, GDPR will no longer be a future event for talent acquisition teams, but a reality. Are you prepared?
GDPR is the European Union’s General Data Protection Regulation, and it gives residents of the EU more control over their personal data. But it comes with implications for organizations everywhere; even if you do not physically operate in the EU, if you collect information from an EU resident, you need to comply with GDPR.
GDPR is a huge piece of legislation. It’s not an easy topic to swallow – or prepare for – but it’s essential to improving data privacy and the digital experience for consumers and talent (not to mention, it is a legal requirement). Let’s build a GDPR education foundation by diving into four key components you should understand.
Think of GDPR as an opportunity to clean up your database, store candidate information more efficiently, and create a more tailored candidate experience.
1. Information Transparency and Consent
Prior to GDPR, there was not a firm definition of “personal data.” The new legislation changes this, defining it as “any information relating to an identifiable person,” which greatly expands the universe of applicable information. GDPR also mandates that any person living in the EU has the right to consent or object to personal data collection, the right to update his or her data, and the right to be removed from your database. Essentially, GDPR is giving your candidates more control over what information they do (and don’t) give you and holds you accountable for how you use, store and access that information moving forward.
2. Data Inventory and Mapping
A fundamental part of GDPR is knowing where all your candidate data is stored. If you have data from talent network forms going one place, and data from your ATS going somewhere else, it may be a good time to consider consolidating your data for easier access, organization and analysis. In addition to keeping tabs on data storage, under GDPR, if you don’t have a current business purpose for keeping personal data, you are required to delete that information from your database.
3. Data Accuracy, Retention and Destruction
Data accountability doesn’t stop with understanding where candidate data is stored. You also need to understand how personal information flows between technologies. Remember that under GDPR, EU residents have the right to have their data expunged at any time. This means if their information is stored in your ATS, CRM and/or Recruitment Marketing Platform, it’s your responsibility to make sure that data is cleared from all such systems at the candidate’s request. Keep in mind that removing data from one system may not remove it from all.
4. Data Protection Impact Analyses (DPIA) and Security
GDPR also covers security and data breaches (which seem to be occurring more and more frequently, even across major corporations). The Data Protection Impact Analysis (DPIA) provision of GDPR requires organizations to assess their data processing practices and address privacy risks. To be compliant, you should analyze your data collection and storage practices, as well as the practices of any third parties that will have access to your contact data. GDPR does not mandate a standard method of risk analysis, so you do have control over how you identify these risks. The last thing to keep in mind is that should you experience a breach, GDPR requires you to notify all candidates within 72 hours. Time to start drafting your data breach communication plan!
Did you get all that?
Yes, there is a LOT to GDPR. Although it may seem daunting at first, at its core, it’s really an effort to keep companies accountable when it comes to people’s personal information. Depending on your current data practices (and where you’re attracting candidates and applicants from), getting up to speed with GDPR compliance may or may not be a major challenge for your team.
Think of it as an opportunity to clean up your database, store candidate information more efficiently, and create a more tailored candidate experience by only using candidate data for relevant purposes. After all, isn’t that what a transparent candidate experience and proactive recruitment marketing are all about?