In May 2016, following four years of debate and preparation, the European Parliament announced the adoption of the General Data Protection Regulation, with a two-year transition period before it takes effect. From 25 May 2018, all organisations handling the personal data of EU residents will be required to comply with a single, harmonised set of rules on data governance and protection.
The introduction of the GDPR will materially impact the way in which data is captured, stored, shared and moved. The legislation is universally applicable to all industries and professions, and businesses should devise a clear plan to ensure their working practices meet the heightened requirements of the GDPR.
The GDPR brings stricter rules on the reporting of data breaches, with penalties of up to €20 million or 4% of the organisation's worldwide annual turnover, whichever is higher. However, it is unlikely that come 25 May, every organisation that falls short will wake up with the Information Commissioner's Office on its doorstep holding a €20 million fine.
“The GDPR is not meant to be perceived as a money-making scheme. It’s about understanding and protecting people’s privacy,” Andy Warren, Chief Information Security Officer and CFO at Invenias explains. “Think about it as you would your personal data and apply the same level of respect and security you would expect.”
Below are 6 key challenges facing in-house teams as they prepare to comply with the heightened requirements of the new legislation.
While the legislation is the same for every profession, recruiters' use of personal data may differ radically from the rest of the organisation. Your legal and compliance department may not understand the implications of the GDPR for handling candidate data, and may not agree with the processes you set out for your department. Heads of Talent will need to understand these risks themselves and work together with their legal team to apply the regulation to in-house recruitment.
When mapping talent, recruiters need to take a risk-based approach to data gathered from third-party websites: the information may be subjective, out of date or inaccurate, and the GDPR's accuracy principle applies to it just as it does to data the candidate supplied directly. As with any other processing, recruiters must also be able to demonstrate a lawful basis (for example legitimate interests) for collecting and holding it.
If the candidate information provided by an external search firm was not gathered lawfully, an in-house team has no right to hold on to it. Recruiters must confirm GDPR compliance with partner search firms before any candidate data is passed to them, and before accepting data from them.
With the rise of remote working, many recruiters are choosing to screen candidates from their personal laptops. When dealing with such sensitive data, however, recruiters are strongly advised to use company-managed devices with full-disk encryption, so that the loss or theft of a laptop does not become a reportable breach of candidate data. Under the GDPR a personal data breach must be reported to the ICO within 72 hours of the organisation becoming aware of it, and affected data subjects must be informed without undue delay where the breach is likely to result in a high risk to them; failing to meet these obligations can result in financial penalties and reputational damage.
There has been some confusion around the meaning of the word consent in the context of the GDPR. While in everyday use it may be synonymous with permission, GDPR consent has a specific legal meaning: a freely given, specific, informed and unambiguous indication of the individual's wishes, given by a statement or by a clear affirmative action. A request for consent must be clearly distinguishable from other matters (it cannot be buried in terms and conditions), and the organisation must keep a record so that it can demonstrate the consent was obtained. Pre-ticked boxes and silence do not count.
For practical advice and guidance on how to prepare for the GDPR, download '9 Steps to Prepare for the GDPR'. Or visit www.invenias.com/gdpr for further information on the GDPR and the Invenias solution.