Putting off thinking about the GDPR? Think again.
Putting off thinking about the GDPR? We really recommend you start now. Whether you like it or not, the GDPR is well on its way and if your business operates in the EU, you have clients that operate in the EU, or process data of EU citizens then you will need to comply with the new regulations by 25 May 2018.
Statistics from a recent survey conducted by Invenias show that 85% of recruitment agencies are not yet actively planning for the General Data Protection Regulation (GDPR). In addition, the survey illustrates that:
- 30% of agencies have not yet taken steps to prepare for the GDPR.
- 55% have started to think about how they might prepare for the GDPR.
- Only 15% are actively planning for the GDPR.
The changes that are coming will have a massive effect on recruitment agencies, and those who can demonstrate an effort to make changes and bring their agency into compliance will be a lot better off than those who do nothing.
Don't forget, if you breach the new regulations it could result in fines of up to 4% of global annual turnover or €20 million (whichever is greater).
How to comply with the GDPR?
To start with, you will need to complete a data audit. What data do you currently hold? Where do you hold it? Why? You will also need to assess how often you review your data for accuracy, how long you keep it, and whether you can easily and efficiently react to requests from your candidates. For example, individuals will have the "right to be forgotten" and the "right to object", allowing them to object to their details being used, shared or held.
You are obligated to contact people only through the channel they have opted in to. Therefore, you must ensure that you are only using the contact details that your clients and candidates provided you with.
If a candidate has requested to unsubscribe, you cannot contact them again.
Make sure the GDPR is understood across your agency, especially by those who have access to your data. If you do not do this, you will be held directly responsible if your employees are still emailing or phoning candidates when they should not.
Review your relationship with your clients and any suppliers or jobs boards you use. They will also be affected by the GDPR and it may affect how you work with them.
Ask candidates if they would like to remain on your database. You can also use this as an opportunity to ask if they would like to be kept up to date with other forms of communication.
You must appoint a Data Protection Officer (DPO) if you:
- are a public authority
- carry out large-scale systematic monitoring of individuals
- carry out large-scale processing of special categories
If you are not required to appoint a DPO you should document and keep records of everything you do to prepare for the GDPR.
- As data protection is getting stricter, your internal processes should follow suit. Be extra cautious to ensure that data is safeguarded, and make sure regular tests take place. We also suggest that you have a breach response plan in place.
- Establish retention periods. Over the course of time, some users will become inactive or unresponsive. Establish retention periods so you can keep candidate information accurate and your database responsive.
- Put in place privacy notices. Once you have assessed all of the above, make sure you clearly communicate to your clients and candidates what data you are capturing and why.
At Certes, we advise that by May 2018 you ensure your agency can demonstrate that it is abiding by the new regulations and can show the process or plan you have put in place to make your agency compliant.