The GDPR (General Data Protection Regulation) is a replacement for the existing Data Protection Directive that gives EU citizens better control over the way both EU-based and non-EU-based organizations collect, process and track their personal data. The law applies to organizations across the world, whether part of the EU or not, as long as they collect or use data pertaining to EU residents. In other words, your business might operate in a geography outside the EU, such as India or Australia, but it must still adhere to GDPR rules and regulations if any of your business processes directly or indirectly collects personally identifiable information of EU citizens.
The GDPR comes into force on 25 May 2018, and organizations must ensure full compliance to avoid hefty penalties and related consequences. For that to happen, organizations must communicate the changes to key pages on their website, such as the Terms of Service, the Privacy Policy, and any forms or surveys that directly or indirectly ask for user information for legitimate, verifiable purposes.
HR professionals must pay attention to internal or third-party pages that require candidates to upload their CVs or fill out personally identifiable information.
Any prompt on your website or communication channel that asks for a user’s personal data must state the exact purpose the data will serve. Using the data for a purpose other than the one a candidate initially agreed to when furnishing the data can invite hefty penalties. Personal data includes names, photographs, signatures, billing information, email addresses and medical records.
Depending on the nature of the violation and the business damage reported, GDPR non-compliance can invite penalties of up to €20 million or 4 percent of global annual revenue, whichever is greater. HR teams must ensure that changes to their policies get a sign-off from the data protection officer or the team in charge of data security. If a breach happens despite all measures, the data protection officer or the SPOC must notify the concerned person(s) within 72 hours of first learning of the breach. Going forward, a mitigation plan and a documented record of the breach must also be in place to minimize the damage resulting from it.
Before you even think about GDPR compliance, you must understand the hierarchy that plays a pivotal role in outlining the guidelines. Three elements form the backbone of the entire GDPR compliance process. Here’s how these elements apply to recruitment teams:
So you sit at the top of the hierarchy, bearing the onus of collecting and processing candidate information while protecting the integrity of the personal data shared with you directly or through third-party sources.
HR and recruitment teams are under a legal obligation to disclose details about the use of candidate data in hiring decisions. Under GDPR regulations, candidates have the right to be informed about:
Complying with the latest GDPR guidelines might sound overwhelming and intimidating, but it’s definitely not impossible. Here’s what HR and recruitment teams must start doing without fail:
HR teams get bombarded with an enormous amount of data during the entire recruitment lifecycle. New resumes, exit interview data, onboarding data and more: all of it can quickly snowball into something recruitment teams dread being asked to analyze. To streamline the process, try to limit your scope to questions such as:
Data usage rights are at the core of GDPR, and therefore we encourage you to create a dedicated “Privacy Policy for Recruitment” that clearly outlines the procedures in place to collect, transfer or modify candidate data, together with a statement of the rights candidates have to protect the integrity of their personal data. Sample items to include in the Privacy Policy include:
If you collect candidate data to build a talent pool, note that the GDPR guidelines do not encourage the practice. When your organization decides to reject a candidate or declines to consider them for any future job roles, their data must be securely deleted from your database. Moreover, you must send an auto-generated email informing the candidates that their data has been deleted. If you want to keep their data for a period of time, this also needs to be communicated to the candidates, along with the deletion timeline and the purpose for retention. When doing this, state clearly that the candidate has the right to decline the request to keep their data.
Most organizations deploy recruitment software such as an Applicant Tracking System (ATS) containing large volumes of candidate data that go unnoticed and unattended. If you intend to create a talent pool from this data, make sure to communicate with the candidates so that it doesn’t come as a surprise later. This way, your organization will maintain complete transparency and, at the same time, fully comply with the GDPR guidelines. If a third-party vendor manages your ATS or other recruitment software, sign an agreement to ensure that definite measures are in place to prevent data leaks. Apart from that, you must also set up separate meetings or discussions with vendors to check their preparedness for the GDPR guidelines.
Mettl has charted out a detailed plan to ensure full compliance with the GDPR guidelines. Apart from appointing a data protection officer, we have a global compliance team in place to ensure that nothing slips through the cracks and that we seal any points that might pose a data threat, both internally and externally. Here’s what Tonmoy Singhal, Co-Founder and COO at Mettl, says about GDPR preparedness:
Truly said, Mettl sees GDPR as an opportunity to strengthen its data protection initiatives so that not a single instance of data breach threatens an individual’s identity or causes emotional turmoil. You can also access our detailed plan on GDPR readiness and a glimpse of the system changes. We hope that GDPR will allow Mettl, our partners and our global customers to scale up their efforts in data protection and create a secure identity in the online space.
Originally published May 23 2018, Updated December 16 2020