4 steps that ensure your recruitment process is GDPR compliant
Europe is now covered by the world’s strongest data protection rules, the General Data Protection Regulation (GDPR), which came into force in May 2018. The regulation was introduced to modernise the laws that protect the personal information of individuals.
Before GDPR came into force, the previous data protection rules across Europe dated from the 1990s and had struggled to keep pace with the rapid technological change we have seen since. GDPR alters how businesses and public sector organisations may handle the information of their customers.
So, what should you have in place to ensure your business is operating compliantly under GDPR?
When GDPR came into force in May 2018, the regulation included a requirement for companies to implement privacy policies that are concise, clearly worded and transparent about how personally identifiable information is collected and stored. Your privacy policy should tell Applicants:
- How you will be storing and managing personal data
- How you will be using their data and for how long
- The types of information about a candidate that reside in your company’s files
- Who you will share the data with
- The portability and access Applicants have to their data
- How Applicants have the right to be forgotten
Do you save your Applicants’ data in folders on your computer desktop?
Under GDPR, it is absolutely critical that you have robust data management. If the folders containing personal data are named and structured inconsistently, you are breaching the GDPR, so it is essential that any files containing personal data are managed in a way that keeps you compliant.
GDPR applies to ALL personal data about EU citizens, wherever that data is held and wherever the organisation holding it is based. So, if an Applicant asks you to remove their details from your software and you cannot locate them, you’re going to be in a spot of bother.
The penalties for non-compliance are up to 4% of your annual turnover (up to 20 million Euros), and in some cases prison!
- Keep any relevant files together – they will be easier to archive or delete as a group
- Update (or put in place) GDPR compliant procedures (an ATS) for managing consent, storage and breaches
- Identify your data ‘processors’ and data ‘controllers’ and make sure they understand the new rules
- Clearly define the responsibilities and accountabilities for processing and controlling data, especially where there is a deadline for responding
- Be consistent and don’t allow exceptions
How do you store data?
If you have been saving and sharing data without thinking about the GDPR, it’s crucial that you prioritise getting effective data management protection in place – and fast.
Remember, not everyone needs the same access to all the personal information that has been gathered over time. If you have been saving personal data that can be accessed by anyone and everyone, think about what is necessary to share and with whom. Managing the accessibility of your shared files is a great place to start, so take the time to organise your files and know exactly how much personal data you store.
Using an Applicant Tracking System to store data ensures compliance, as personal information is never kept for longer than is legally necessary. Having an ATS in place, and ensuring that only the relevant Account Managers can access any element of personal data, means no information is shared or used carelessly.
- Know how much personal data about individuals you hold and how to access it quickly by individual
- Have a defined process for retrieving personal data, and for changing/deleting it
- Manage the accessibility of your files
- Choose a file sharing solution that stores data in the EU and encrypts your data securely
Do you keep track of when Applicants’ data is received?
Holding on to documents that contain personal data is a common problem when using online systems. Documents should not be retained for longer than necessary, and under GDPR it is important to know not only what is in your archived files, but also how long you have retained all of that data.
When someone’s personal information is no longer relevant to you and your organisation no longer has a legitimate need to retain it, you must delete it.
- Implement an ATS to monitor when data is received and for how long it can be retained
- Delete, or move to an encrypted and managed archive
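The three record-keeping tasks described above (locate everything you hold about one person, erase it on request, and flag what has passed its retention period) can be reduced to a small registry of when each Applicant’s data was received. The following is an added example written for this article, not code from the original page or from any ATS product; the candidate records, file paths and the 180-day retention period are constructed assumptions, and a real retention period should be whatever your own privacy policy states.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention period in days, counted from the date the application was
# received. GDPR does not fix a number; choose one you can justify and state it
# in your privacy policy.
RETENTION_DAYS = 180


@dataclass
class CandidateRecord:
    candidate_id: str
    email: str
    received_on: date   # the date the Applicant's data arrived
    files: list         # paths of CVs, cover letters etc. held for this person


# Constructed sample data: three Applicants received on different dates.
RECORDS = [
    CandidateRecord("c-001", "ana@example.com", date(2024, 1, 10), ["cv/ana.pdf"]),
    CandidateRecord("c-002", "ben@example.com", date(2024, 5, 2),
                    ["cv/ben.pdf", "letters/ben.txt"]),
    CandidateRecord("c-003", "cy@example.com", date(2024, 6, 20), []),
]


def find_by_email(records, email):
    """Subject access: every record held for one person, matched by email
    (case-insensitive, surrounding whitespace ignored)."""
    wanted = email.strip().lower()
    return [r for r in records if r.email.lower() == wanted]


def retention_deadline(record, retention_days=RETENTION_DAYS):
    """Last day on which this record may still be held."""
    return record.received_on + timedelta(days=retention_days)


def expired_records(records, today, retention_days=RETENTION_DAYS):
    """Records whose retention period has already passed as of `today`;
    these must be deleted or moved to the encrypted, managed archive."""
    return [r for r in records if retention_deadline(r, retention_days) < today]


def erase(records, email):
    """Right to be forgotten: drop every record for `email` from the registry
    and return the file paths that must also be removed, so that no copy of
    the person's data is left behind on disk."""
    matches = find_by_email(records, email)
    for r in matches:
        records.remove(r)
    return [path for r in matches for path in r.files]


if __name__ == "__main__":
    today = date(2024, 9, 1)
    for r in expired_records(RECORDS, today):
        print(f"{r.candidate_id} expired on {retention_deadline(r)}")
    print("erase ->", erase(list(RECORDS), "Ben@Example.com"))
```

Running the registry against a copy of the sample list keeps the constructed data intact; in practice the paths returned by `erase` would be handed to whatever deletes or archives the files, and `expired_records` would run on a schedule so nothing is retained past its deadline by accident.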