
How HR Teams Can Ensure Full Compliance to GDPR Regulations

What is GDPR?

The GDPR (General Data Protection Regulation) replaces the 1995 Data Protection Directive and gives individuals in the EU more control over how organizations, whether based in the EU or not, collect, process and track their personal data. It applies to any organization that is established in the EU, or that offers goods or services to, or monitors the behaviour of, people in the EU. In other words, your business might operate from a geography outside the EU, such as India or Australia, but it must still comply with GDPR if any of its processes directly or indirectly collect personal data of people in the EU, for example by accepting job applications from them.

What are the Deadlines?

The GDPR applies from 25 May 2018, and organizations must be fully compliant by then to avoid hefty penalties and related consequences. That means updating, and communicating the changes to, the key pages of your website such as the Terms of Service and Privacy Policy, as well as any forms or surveys that directly or indirectly ask for user information, so that each states a legitimate, verifiable purpose.

HR professionals must pay particular attention to internal or third-party pages that ask candidates to upload CVs or fill in personally identifiable information.

Any prompt on your website or communication channel that asks for a user's personal data must state the exact purpose the data will serve. Using the data for a purpose other than the one the candidate agreed to when providing it can invite hefty penalties. Personal data includes names, photographs, signatures, billing information, email addresses and medical records (the last being special-category data that needs a specific additional legal condition before it may be processed).

The Cost of Non-Compliance

Depending on the nature of the violation and the damage reported, GDPR non-compliance can draw fines of up to €20 million or 4 percent of global annual turnover, whichever is greater. HR teams must get any changes to their policies signed off by the data protection officer or the team in charge of data security. If a breach happens despite all measures, the data protection officer or the nominated SPOC must notify the supervisory authority within 72 hours of becoming aware of it, and must inform the affected individuals without undue delay when the breach is likely to put them at high risk. A mitigation plan and a documented record of the breach (what happened, its effects and the remedial action taken) must also be in place to limit the damage.


Decoding HR Standings in GDPR

Before you even think about GDPR compliance, you must understand the roles that the regulation is built around. Three roles form the backbone of the entire compliance process. Here is how they apply to recruitment teams:

  • Data Controller: Organizations or employers that collect EU candidates' information for recruitment and decide why and how it is processed
  • Data Subject: People in the EU considered for a requisition, or who apply and consent to provide personal information
  • Data Processor: Any third-party service or recruitment software, such as an Applicant Tracking System, that stores or manipulates the information provided by candidates on the controller's behalf

As the employer, you are the data controller: you carry the onus of deciding why and how candidate information is collected and processed, and of protecting the integrity of personal data shared directly with you or through third-party sources.

What Powers do Candidates Have Under GDPR?

HR and recruitment teams are legally obliged to disclose how candidate data is used in hiring decisions. Under GDPR, candidates have the right to be informed about:

  1. Purpose: Recruiters must clearly state the purpose for collecting candidate data. Is it for an interview? A survey? Or to create a talent pool to source from later?
  2. Data minimization: Candidates can challenge the collection of data that plays little or no role in the hiring process. Fields such as religion, ethnic background, genetic disorders or disability information are special-category data and must not be collected without a specific legal basis.
  3. Rectification, erasure and withdrawal of consent: As a recruiter, you must explicitly state the channels candidates can use to modify or delete previously shared personal information, or to withdraw the consent they gave.
  4. Accountability and transparency: Candidates have the right to know that their data is shared only with legitimate recipients, and only with processors that are themselves GDPR-compliant.

The GDPR Action Plan: Pulling Up Your Socks

Complying with GDPR might sound overwhelming, but it is far from impossible. Here is what HR and recruitment teams must start doing without fail:

Analyze Recruitment Data

HR teams collect a large volume of data across the recruitment lifecycle: new résumés, exit-interview data, onboarding data and more. It snowballs quickly and is daunting to analyze in bulk. To make the exercise tractable, limit your scope to questions such as:

  • Where candidate data is collected from and where it is stored
  • Who has access to recruitment data, and the valid reason for each person's access
  • How data is shared: email, physical drives, shared data stores
  • The standard timelines for keeping and erasing data
  • The process and channels a candidate or employee uses to request removal of their personal data from your records

Create a Recruitment Centric Privacy Policy

Data-usage rights are the core of GDPR, so we encourage you to create a dedicated "Privacy Policy for Recruitment" that clearly outlines the procedures for collecting, transferring or modifying candidate data and the rights candidates have to protect the integrity of their personal data. Sample items to include in the policy:

  • A clear declaration that your organization will use candidates' personal data ONLY for recruitment
  • A declaration that your organization does not sell or distribute data to unauthorized recipients
  • The list of stakeholders with whom candidate data may be shared, with the reason for each
  • The duration for which you intend to store candidate data
  • The measures your organization takes to protect personal data: encryption, access control, secure data centers and so on
  • Details about your organization: registered address, geographical location, key contact persons
  • A standard process to notify candidates whenever you receive, transfer or process their personal data

Revamp Your Rejection Process

Building a talent pool out of data collected for a specific requisition is a practice GDPR does not encourage unless candidates are told about it and there is a lawful basis for it. When your organization rejects a candidate and will not consider them for future roles, their data must be securely deleted from your database, and an automatically generated email must notify the candidate that the deletion has happened. If you want to keep their data for a period, communicate that too, with the purpose and the date by which the data will be deleted, and state clearly that the candidate has the right to decline the request to keep their data.

Recheck Your Talent Pipeline

Most organizations run recruitment software such as an Applicant Tracking System that holds large volumes of candidate data that goes unnoticed and unattended. If you intend to build a talent pool from this data, inform the candidates so that it does not come as a surprise later. That keeps your organization transparent and, as a side effect, compliant with GDPR. If a third-party vendor manages your ATS or other recruitment software, put a data processing agreement in place that sets out the measures the vendor must take to prevent data leakage, and hold separate meetings with vendors to check their GDPR preparedness.
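The rejection and talent-pipeline steps above describe a retention policy but no mechanism for enforcing it. The following Python script is an added example, not Mettl's code or part of the original post: it sweeps a constructed candidate store, deletes records that are past their retention period or whose talent-pool consent has lapsed, lists who must be sent a deletion notice or a consent-renewal request, and keeps a deletion log that carries a hash of the email rather than the email itself, so the log can outlive the record without re-collecting personal data. The retention periods, field names and sample records are assumptions, not values from the post.

```python
"""Retention sweep over a recruitment data store (constructed example, not Mettl's code)."""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy values; a real policy states these in the recruitment privacy notice.
RETENTION_AFTER_REJECTION = timedelta(days=180)   # keep rejected candidates this long at most
CONSENT_RENEWAL_WINDOW = timedelta(days=30)       # ask for renewal this far before consent lapses
SWEEP_DATE = date(2018, 5, 25)                    # the "today" used by the sample run


@dataclass
class CandidateRecord:
    candidate_id: str
    email: str
    status: str                        # "active", "rejected" or "hired"
    status_changed_on: date            # date of the last status change
    talent_pool_consent: bool = False  # explicit opt-in to be kept for future roles
    consent_expires_on: Optional[date] = None  # consent is only valid with an end date


@dataclass
class SweepResult:
    deleted: list = field(default_factory=list)         # ids removed from the store
    notify_deleted: list = field(default_factory=list)  # emails owed a deletion notice
    notify_renewal: list = field(default_factory=list)  # emails owed a consent-renewal request
    kept: list = field(default_factory=list)            # ids still in the store
    log: list = field(default_factory=list)             # (date, pseudonym, action, reason)


def _pseudonym(record: CandidateRecord) -> str:
    # The log must outlive the record, so it carries a hash of the email, not the email.
    return hashlib.sha256(record.email.lower().encode()).hexdigest()[:16]


def classify(record: CandidateRecord, today: date):
    """Return (action, reason) for one record: 'delete', 'renew' or 'keep'."""
    if record.status == "hired":
        return "keep", "employee record, governed by the employment retention policy"
    if record.status == "active":
        return "keep", "open requisition"
    # status == "rejected": talent-pool consent without an expiry date does not count.
    if record.talent_pool_consent and record.consent_expires_on is not None:
        if record.consent_expires_on < today:
            return "delete", "talent-pool consent expired"
        if record.consent_expires_on - today <= CONSENT_RENEWAL_WINDOW:
            return "renew", "talent-pool consent expires within renewal window"
        return "keep", "talent-pool consent in force"
    if today - record.status_changed_on > RETENTION_AFTER_REJECTION:
        return "delete", "rejected and past retention period"
    return "keep", "rejected, within retention period"


def sweep(store: dict, today: date) -> SweepResult:
    """Classify every record, delete what must go, and record each decision."""
    result = SweepResult()
    for cid in list(store):
        record = store[cid]
        action, reason = classify(record, today)
        if action == "delete":
            del store[cid]
            result.deleted.append(cid)
            result.notify_deleted.append(record.email)
        elif action == "renew":
            result.notify_renewal.append(record.email)
            result.kept.append(cid)
        else:
            result.kept.append(cid)
        result.log.append((today.isoformat(), _pseudonym(record), action, reason))
    return result


def sample_store() -> dict:
    """Constructed records; the people and addresses are not real."""
    rows = [
        CandidateRecord("c1", "ana@example.invalid", "active", date(2018, 5, 10)),
        CandidateRecord("c2", "ben@example.invalid", "rejected", date(2017, 10, 1)),
        CandidateRecord("c3", "cai@example.invalid", "rejected", date(2018, 3, 1)),
        CandidateRecord("c4", "dee@example.invalid", "rejected", date(2018, 2, 1),
                        talent_pool_consent=True, consent_expires_on=date(2018, 6, 10)),
        CandidateRecord("c5", "eli@example.invalid", "rejected", date(2017, 11, 1),
                        talent_pool_consent=True, consent_expires_on=date(2018, 5, 1)),
        CandidateRecord("c6", "fay@example.invalid", "hired", date(2018, 4, 1)),
    ]
    return {r.candidate_id: r for r in rows}


def run_sample():
    """Run the sweep on the constructed store as of SWEEP_DATE."""
    store = sample_store()
    return store, sweep(store, SWEEP_DATE)


if __name__ == "__main__":
    remaining, outcome = run_sample()
    for entry in outcome.log:
        print(entry)
    print("deleted:", outcome.deleted, "renewal notices:", outcome.notify_renewal)
```

The sweep is idempotent, so it can run nightly; the only state it changes is the store itself and the append-only log, which is what an auditor asks for when the deletion has to be evidenced later.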

Embracing the GDPR Guidelines: The “Mettl” Way

Mettl has charted out a detailed plan to ensure full compliance with GDPR. Apart from appointing a data protection officer, we have a global compliance team in place to ensure that nothing slips through the cracks, and we close any gaps that might pose a data threat, internally or externally. Here is what Tonmoy Singhal, Co-Founder and COO at Mettl, says about GDPR preparedness:

Indeed, Mettl sees GDPR as an opportunity to strengthen data protection so that not a single data breach threatens an individual's identity or causes emotional turmoil. You can also access our detailed plan on GDPR readiness and a summary of the system changes. We hope that GDPR will allow Mettl, our partners and global customers to scale up their data protection efforts and build a secure identity online.

Originally published May 23 2018, Updated December 16 2020
