The GDPR (General Data Protection Regulation) seeks to create a harmonised data protection law framework across the EU and aims to give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.
Although the GDPR guidelines are still being clarified, and with 6 months to go, some commentators have suggested that organisations that have not yet taken any action have left it too late, while others say 6 months may be just enough time. Recruitive Software guarantees that all of our SaaS products will fully comply with the new regulations from 25th May 2018, giving you peace of mind.
The majority of the data that recruiters hold will be personal data. Whether you use databases, CRMs, job boards, cold-calling, cloud storage or stacks of CVs lying around your office, you will have to review your approach to data protection.
Below are the commonly discussed changes that you need to be aware of:
The GDPR rules apply only to personal data, meaning any information relating to an identifiable natural person (the candidate, as the data subject), e.g. firstname.lastname@example.org. Therefore, if an email address you hold is not related to a person, e.g. a generic info@ address, you can process it.
DATA COLLECTION / CONSENT
Every candidate will have to give explicit consent through easily accessible and readable forms which clearly state the purpose for which you will use the data and where it will be stored. You must be able to prove consent. Automated decision making should be communicated.
There must be a justifiable business need for holding data and you must not keep the data longer than necessary.
You must provide the personal data in a structured, commonly used and machine-readable form, e.g. an Excel file. The information must be provided free of charge and you must respond without delay and within one month (2 months if the request is complex or there are multiple requests).
THE RIGHT TO BE FORGOTTEN
Personal data records must be kept as up to date as possible, and you must allow a candidate to request that you update their personal information to maintain data accuracy.
You must allow the candidate to request that their data be erased, unless required for a specific purpose.
DATA MAINTENANCE / OLD RECORDS
Although no strict instruction has been given about what you do with existing data, the onus is on you to ensure that you have the correct information and also consent to store and use the data. It is recommended that you delete the records of old candidates that have not been used for a period of time.
You will still be allowed to send service, maintenance and transactional emails.
GDPR makes companies more responsible for security: you have a duty to implement measures that ensure a level of security appropriate to the risk, which may include encryption of personal data and the ability to restore data in a timely manner.
With 6 months to go, are you and your team ready for GDPR? Contact your Account Manager for more information on how Recruitive can help you comply.
By Sarah Tipton 28/11/17