Unless you’ve been hiding under a rock, you will have heard the acronym GDPR bandied around quite a lot recently.
Despite being around in draft form for a few years now, it has taken until now for people to realise this is happening in May, and it’s going to take some work to get compliant.
What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). – Wikipedia
These regulations impact you if you are within a member state of the European Union, or you process personal data that was created in a member country.
In the UK, Brexit is not going to provide a get-out. It is recognised that the UK will be adopting the same regulations even after the exit. There is no getting away from it.
As with any new legislation, despite the many expert opinions offered, white papers available to download or webinars to watch, no one knows exactly what this is going to mean.
Law is always open to interpretation until someone challenges it and sets a precedent for future rulings.
We’ve spent time working through the regulations, in an attempt to interpret what this means to Meet & Engage as a product, and the wider talent acquisition market in general.
These are our 5 recommendations to get ready for the change. We have tried to keep them simple, and reiterate that they should in no way be considered legal advice. This is for guidance only.
1. Read the regulations
We know that you don’t want to hear it, but it is perhaps the most important recommendation that we have.
Before you do anything, read the regulations in full and consider how they apply to you. Before you listen to any of the experts or amateurs offering opinions, arm yourself with the most important information: the regulations themselves. Allow a bit (a lot) of time for a few read-throughs.
2. Understand Personal Data
GDPR is designed to protect personal data. Protection covers security, privacy, storage, use and the transfer of data. Here’s the definition of Personal Data.
In the talent acquisition world this is going to apply to data such as resumes/CVs, application records, notes, profiles etc.
It covers anything that relates to the individual, whether this has been submitted, for example during a chat or application process, or is collected and recorded against the individual’s profile manually or through the use of automation.
3. Keep Data Up To Date And Only Use It For Its Original Intended Purpose
The Act does not set out any specific minimum or maximum periods for retaining personal data.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. – ICO
Whilst there is no fixed time, we take this to relate to the purpose for which it was submitted. For example, data relating to an application for a job can only be retained for measuring against the job requirement whilst the job is live. This does not mean that the data needs to be removed immediately.
The legislation allows for retention of the data:
- For legal purposes. For example, to record interview progress for reporting or investigation for a fixed period (whilst this data would need to be disabled for search purposes), or where the candidate opts in to be notified of future opportunities, such as in a talent network. This is considered a business purpose provided the continued contact is specifically requested by opt-in and the notifications are relevant to the individual.
- Data retained has to be up to date and current. This raises particular questions around the retention and use of CVs in a CRM or ATS. Our thoughts are that these will need to be time-served, probably six months, with the candidate being notified and given an easy opportunity to update when the data is used. It is worth noting that whilst the body of the CV may require updating or removal, it would be permissible to retain headlines such as e-mail, job title etc. for a relevant purpose such as a talent network.
- The individual must be able to access and disable (or transfer) their data at any time. This means any technology used must be capable of anonymising data and transferring data files, whilst keeping the data accessible on request. This is going to be particularly relevant where target candidates might be identified by sourcers and added to a target list without giving consent, or where profiles are collected by data scraping without opt-in.
4. Ensure That You Get Explicit Consent
Explicit consent can be thought of in much the same way as the GDPR’s standard requirements for obtaining consent. The difference is that it must be obtained in a way that leaves no room for misinterpretation. This means it must be provided in a clear statement – IT Governance
The days of “if you don’t tick to opt out, then you’re in” are over.
The instruction on explicit consent requires you to be clear on the data you need, how long you are holding it for and what you will use it for.
That means if you are joining a chat, or submitting a CV, and we want to keep your personal data such as your e-mail address and job title to notify you of future chats, then we are going to have to ask you to let us do that.
We also need to make it simple for you to tell us to remove your data, and we need to comply. We can only use the data for the purpose you gave us permission for by opt-in.
Where this gets interesting is in addressing data we might hold now: unless the permissions previously gained match the new requirements, i.e. they are explicit, clear and freely given, you are going to have to get opt-in if you want to keep the data accessible, and you also need to make sure it is current.
Think about how many dated CVs you might be holding. It’s a good time to start working in batches and reconnecting.
5. Keep Data Secure And Notify Any Breaches
We have all read the headlines: cybercrime, particularly data theft, is on the increase.
These regulations require organisations to take extra measures to secure the data, and to notify people immediately of any breaches.
It’s worth having a conversation with your security team over what needs to change. It might sound like a lot of work, and it will be. Our view is that where we will end up is with smaller collections of data, with a greater need to maintain on-going relationships with people, because we want to keep them opted in.
Interesting chats once a quarter provide a good opportunity to do this, and you can keep the experience personal. The regulations stipulate that you will still be able to retain data (such as that collected by cookies), to personalise the digital experience of users.
The future is definitely going to depend on keeping data live, keeping the experience personal, and reviewing information regularly to keep it current.