Ensuring you have consent to hold CVs, making certain that staff have adequate awareness on privacy, conducting a data audit, regular data purging and safeguarding data storage standards with a reliable system supplier are the pillars of GDPR diligence for recruiters. Read on. You’ve got this!
You’re responsible for scaling a team in a successful organisation. The people you hire continue the success and grow the revenue.
But now you have an extra remit – to protect that revenue by ensuring the personal data you handle doesn’t bring added liability.
Recruiters and HR, even in small businesses, collect significant amounts of personal data.
So what constitutes personal data?
- Contact details and individual identifiers (phone numbers, including company mobile numbers, which are still personal identifiers; email addresses; next of kin details, etc. Taken together, that is all someone needs to carry out identity theft.)
- Physical, cultural and social identities
- Rights to work details
- Remuneration and bank details
You get the picture …
Consent is critical
Did you expressly request, in writing, consent to hold this information from job applicants?
Do you have a system that provides options to give consent – and link to your policies? Using an Applicant Tracking System (ATS) with relevant functionality from a suitable supplier can help you meet these obligations.
Your application forms need an option to give consent. You can’t just assume because they applied for a job or got through a couple of rounds of interviews that they are willing for you to hold their sensitive information forever.
You must give options for declining consent and for requesting removal, together with details of what you store, for how long and why.
Your job postings or ads on job boards and/or automated response emails to applicants will need to link to your policies and give applicants the option to request that their information is removed.
Those policies need to clearly state what you keep, why you keep it and how long for, as well as provide information for a data subject request (Ireland and UK) and how they should identify themselves.
Making sure you delete job applicants’ information at the end of the reasonable retention period you define and request that applicants consent to is also vital.
Your system should facilitate this easily and be from a reputable supplier with adequate Information Security Standards.
In the example screenshot, applicants from before May 25th 2017 have been filtered and marked for deletion. (Just in time for GDPR 2018!)
These processes must also apply to any legacy and/or physical records you either still use or have in storage.
Even if you largely work alone, you have to take the lead and demonstrate that you’ve made efforts to educate your colleagues on what constitutes a data breach, what situations it can arise from, how to both avoid and report one – and to whom.
Taking responsibility for Data Integrity is not just down to IT. Being proactive and on-the-ball with who you keep records on, what detail you choose to retain (and for how long), where and who you store data with – and why – is vital in any top-level discussions on the subject. (Some pointers for UK and Ireland.)
You may well need to adjust your budget or request an increase in resources to ensure you have your area of responsibility covered and are not posing undue risk to the rest of the organisation.
Conducting a Data Audit
What data do you currently hold? And where? Should you have it? You also need to check your obligations outside of GDPR as well for what records you are required to keep on past employees.
This can vary by location and sector. Almost certainly you will need a system that can allow you to easily store and trim down the level of detail to the bare amount necessary and reasonable.
Having this information to hand, even if you can confidently identify all the locations and systems it’s stored in, is critical and key to minimising data breaches.
Therefore having everything in one locker can deliver great peace of mind and mitigate risk.
Regular Data Purging
Having all your records in one place allows you to easily run reports, audit the level of detail you have and cull unnecessary information in one fell swoop.
Setting regular recurring reminders, for yourself and for staff with the appropriate permission levels, to purge data approaching the end of its specified retention period is recommended.
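As an added illustration (not code from this page or from any ATS product), the retention review described above: each applicant record is classified for deletion, keeping, or manual review, and records nearing the end of their consented retention period are listed for the reminder. A `legal_hold` flag stands in for the record-keeping obligations outside GDPR mentioned under the data audit; all record values are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class ApplicantRecord:
    applicant_id: str
    consent_given: bool
    consent_date: Optional[date]   # None for legacy records with no recorded consent
    retention_days: int            # retention period the applicant consented to
    legal_hold: bool = False       # statutory duty (outside GDPR) to keep the record

def review_retention(records, today):
    """Classify each record as 'keep', 'delete' or 'review' (manual check needed)."""
    decisions = {}
    for r in records:
        if r.legal_hold:
            decisions[r.applicant_id] = "keep"     # statutory retention overrides purging
        elif not r.consent_given or r.consent_date is None:
            decisions[r.applicant_id] = "review"   # no recorded consent: not auto-deleted, not silently kept
        elif r.consent_date + timedelta(days=r.retention_days) <= today:
            decisions[r.applicant_id] = "delete"   # consented retention period has expired
        else:
            decisions[r.applicant_id] = "keep"
    return decisions

def expiring_soon(records, today, warn_days=30):
    """IDs of consented, non-held records whose retention ends within warn_days."""
    due = []
    for r in records:
        if r.legal_hold or not r.consent_given or r.consent_date is None:
            continue
        days_left = (r.consent_date + timedelta(days=r.retention_days) - today).days
        if 0 < days_left <= warn_days:
            due.append(r.applicant_id)
    return due

# Constructed sample records; TODAY is chosen for the illustration only.
TODAY = date(2018, 5, 25)
SAMPLE_RECORDS = [
    ApplicantRecord("A001", True, date(2017, 1, 10), 365),             # expired -> delete
    ApplicantRecord("A002", True, date(2018, 3, 1), 365),              # well within period
    ApplicantRecord("A003", True, date(2017, 6, 10), 365),             # expires in 16 days
    ApplicantRecord("A004", False, None, 365),                         # legacy, no consent
    ApplicantRecord("A005", True, date(2016, 1, 1), 365, legal_hold=True),
]

if __name__ == "__main__":
    print(review_retention(SAMPLE_RECORDS, TODAY))
    print("Reminder needed for:", expiring_soon(SAMPLE_RECORDS, TODAY))
```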
Data Storage Standards
Your system supplier will need to be able to demonstrate strong Information Security Standards.
It goes without saying that these days cloud systems are preferable as they involve much less physical security infrastructure at your premises.
To be GDPR Compliant, an ATS or HR software provider should use European-based Data Centres to store your information. They should also be using suppliers that provide their own cloud infrastructure with EU-based facilities.
Check what documentation they can provide you with about their physical and digital security standards and suppliers.
Your cloud HR / Recruitment application provider will be acting as both a Data Controller and Data Processor, so vigilance and caution are required when deciding whom you will trust with your data.
Be aware though that the reduced security risks of cloud application providers put more pressure on your own organisation to reduce risk in house. (‘Through 2022, at least 95% of cloud security failures will be the customer’s fault‘.)
Similarly, no system will make you GDPR compliant – only your policies will. And only you can ensure they are fit for purpose.
We would be happy to hear about your specific recruitment and people management challenges and give you our opinion without any obligation to buy. We also offer a 14-day free trial during which we will offer to carry out a system demo to you and your team. Thanks for reading. Now carry on being a superhero with confidence!