What does the GDPR mean for recruitment?

Transcription

1 What does the GDPR mean for recruitment?

2 Contents 04 What is GDPR? In May 2018, Europe s new data protection rules will come into effect. 04 Who is responsible? 05 What are the penalties? 06 What are the key requirements when it comes to GDPR and recruitment? 10 Individual rights and the GDPR 12 Essential steps to prepare for GDPR 14 How can recruitment software help? These new data laws will have a profound impact on recruitment processes and how HR departments and businesses process data. It is therefore crucial that in-house recruitment teams and businesses familiarise themselves with the new obligations and rights for individuals. 03

3 What is GDPR? A publication of the GDPR was initially published in the EU official journal in May 2016 and the regulation will come into force on 25th May The EU general data protection regulation (GDPR) was designed to synchronise data privacy laws across Europe and bring data protection legislation into line with new and previously unforeseen ways that the data is now used. There are a few reasons why GDPR has been introduced. One is to give people more control over how their personal data is being used and secondly, to give businesses simpler and clearer guidelines on how to process personal data across the EU. What are the penalties? Given that HR departments deal with personal data on a daily basis, they will need to comply with new obligation thoroughly. There are increased penalties if you re not working to the GDPR s practices. Any data breach, which poses a risk to the rights and freedoms of individuals, (including cyber attacks) must be reported within 72 hours and failure to do so could result in a penalty of up to 2% of your annual worldwide revenue or 10 million, whichever is the highest amount. If an organisation does not follow the basic principle for processing data, their fines could be even higher. Fines could be enforced if an organisation fails to get consent from candidates to process their data or they fail to provide candidates with the option to opt out. If HR departments or companies fail to comply, the data authority can issue penalties of 20 million or 4% of your global annual turnover, whichever amount Is greater. Who is responsible? The regulation applies if the data controller, processor or data subject is based in the EU. Both personal data and sensitive data are covered by the GDPR, therefore in-house recruitment teams need to understand exactly where they stand when it comes to the data laws and how to comply. The controller says how and why personal data is processed and the processor acts on the controller s behalf. The ICO states, if you are currently subject to the DPA as a Controller or Processor, it is likely that you will also be subject to the GDPR. If you are a Processor, GDPR will place specific legal obligations on you, one of them being the requirement to maintain records of personal data and processing activities. Under the GDPR, the Processor will have significantly more legal liability if you are responsible for a breach. The GDPR also places further obligations on the Controller to ensure the contracts with the Processor completely comply with the GPDR. Both Data Processors and Data Controllers will have increased responsibilities

4 What are the key requirements when it comes to GDPR and recruitment? Companies should act now to ensure they comply with the GDPR guidelines. If you store data as an in-house recruitment team, then you are responsible for the safekeeping and security of this data, as well as ensuring that people have access if requested. When it comes to personal data, here is what article 5 of GDPR requires that information should be. 1 Processed lawfully, fairly and in a transparent manner in relation to individuals The GDPR changes the current legal basis which are used for collecting and processing personal data. This law requires additional transparency when it comes to an individual s data, i.e. when and why their data is collected, processed and transferred. As an HR department, your responsibility would be to update your Privacy Policy to include your legal basis for processing the data, how long you will keep the data and how you will use it. You must also inform your candidates about their right to complain to the ICO if they are unhappy with the way the data has been handled. With the new GDPR laws, there are stricter requirements when it comes to consent. If a candidate has applied for a role, then the candidate has given his/her consent to their data being used for that particular job, however, HR departments must clearly advise how the data is being used. Consent must also be given if details are further being used for separate activities than what they were originally given. For example, if a candidate has put his or her details forward for a vacancy, the candidate must give further consent if their details are being used for an unrelated purpose. When it comes to recruitment, if you use auto declines or external services such as online testing providers or video interview tools, you will have to notify the candidates regarding who you will be sharing their data at this stage to abide by the GDPR data rules. Most businesses may need to revisit and revise their current data collection in order to comply with the new regulations, however here are a few things to note when it comes to the candidates you have already registered: Previously registered candidates You will need to ensure that all candidates held in your talent pool have given consent for their data to be held and stored for recruitment purposes. If you do not have consent to store a candidates data you will need to contact them and ask them to re-register. Any candidate information held without consent will need to be deleted before 25th May Agency candidates Agencies will be responsible for obtaining and recording consent from the candidate to have their details processed by the software provider and controlled by you. Organisations need to ensure the agency has signed an agreement to this effect. If an agency submits a candidate they have not obtained consent from, then the agency will be liable. Manually added candidates Organisations need to be extremely careful when manually adding an application on behalf of a candidate, or creating a candidate account. Consent must be obtained from the candidate and recorded. 2 Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; Under the GDPR, data that is collected for specified, explicit and legitimate purposes, cannot be further processed in a manner that is incompatible with the original purpose. Sharing of data is to be more heavily regulated under GDPR, ensuring that if personal data is shared with third parties that there is a compliant data sharing agreement in place. As part of your recruitment process, it is your responsibility to ensure your Privacy Policy states how the candidates personal data will be used, how long it will be stored for and what rights candidates have to their data. HR departments should, therefore, review and possibly amend contracted relationships with who their data is shared with to ensure they meet the new requirements under GDPR. It is also important if you use recruitment software that those who have access to the data should be aware that they should not export or transfer the candidates data from the system for any reasons other than recruitment. 3 Necessary adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; In order to understand the current level of data compliance across your organisation, the ICO states you may need to organise an information audit across the organisation or within particular business areas. Under GDPR, you will have direct responsibility for your own compliance with the GDPR and key contracts may need to be addressed and reviewed because of that. The GDPR also requires you to maintain records of processing activities and demonstrate compliance on your records

5 4 Accurate and, where necessary, kept up to date; Building on the existing rights of individuals, data should be accurate and kept up-to-date. Under the GDPR, there are numerous new rights, however, the basis is, if any personal data is inaccurate, then this should be erased or rectified without a delay. Individuals will, therefore, have increased rights to their data. If you use recruitment software the chances are you can alleviate these potential issues by giving candidates access to the data themselves and full control of their account and preferences online. However, if not, it might be important to look at the processes and systems that are in place and redefine them to harmonise with the GDPR. 5 Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; 6 Processed in a manner that ensures appropriate security of the personal data; Under the GDPR, you will have a duty to implement the appropriate security measures when it comes to personal data. This includes the protection against unauthorised or unlawful processing and against accidental loss or damage. Recruitment software may have to endure regular testing, assessing and evaluation to ensure that security measures are effective when it comes to personal data. The ICO, also advises that you should make sure that your staff understands what constitutes as a data breach and that this is more than a loss of personal data. To keep in line with GDPR and avoid the costly penalties, businesses should ensure that they have an internal breach reporting procedure in place. Due to the tight reporting guidelines, the right processes must be in place to detect, report and investigate any security risks. Personal data shouldn t be kept for longer than necessary for which is it collected. Personal data can be stored for a longer period under certain circumstances, but the measures must abide by the GDPR guidelines once again. This means if recruitment software is being used HR departments must ensure the data purge settings within the system are configured or alternatively internal processes are changed to abide with the GDPR. Personal data shouldn t be kept for longer than necessary for which is it collected. 08

6 Individual rights and the GDPR In addition to the key requirements of the GDPR that all recruiters and businesses need to abide by, there are also a number of individual rights regarding personal data that recruiters need to be aware of. As part of being GDPR compliant, you will need to define your organisation s legal basis for processing candidates information. Here is what to be aware of when it comes to GDPR and personal data: 1 The right of rectification 4 The right to data portability If the information is inaccurate or incomplete, then candidates have the right to have their details rectified. If you have disclosed personal data to a third party, you must also inform them of the rectification where possible. For example, if you ve shared inaccurate candidate data with another agency, client or payroll company, then you are obliged to let them know. Within a candidate account, details should be able to be rectified by candidates, however, if not, the request must be responded to within a month. Briefly, the right of data portability allows candidates to obtain and reuse their personal data for their own purposes across different services. Candidates will be able to move, copy or transfer personal data easily from one IT environment to another, in a safe and secure way without a hindrance of usability. You must provide all personal data held in a structured, commonly used and readable format. Data should be able to be extracted, allowing other companies, if requested by the individual, to use the data. 2 The right to erasure In addition to their right of rectification, candidates are able to request their personal data to be removed from the system altogether, where there is no compelling reason for its continued processing. Candidates can request this under a range of circumstances, including where personal data is no longer necessary in relation to the purpose it was originally collected. It can also be removed when the individual withdraws consent or the data was unlawful processed. As with the right of rectification, if data has been shared with a third party, the request of deletion should also be shared. 3 The right to object 5 The right to restrict processing Individuals have the right to block or suppress processing of personal data under the GDPR. When processing is restricted, data can be retained to a certain extent to ensure that restriction is respected in the future. You will be required to restrict the processing of personal data in certain circumstances such as, when the processing is unlawful, where an individual contests the accuracy of the personal data or where a candidate has objected to its processing. To abide by these guidelines, candidates must have the ability to immediately withdraw an application at any point of the process and prevent any further processing of their data. Candidates must also have the option of opting out of job alerts and deactivating their accounts with little hindrance. Under the GDPR guidelines and the right to object, candidates will have the right to object to data being processed. You must inform candidates of their rights to object under the new GDPR guidelines in your privacy notice. For example, declined candidates will be allowed to appeal that decision and HR departments must advise candidates on their right to do so

7 Essential steps to prepare for GDPR If you work within the recruitment sector, there are a few essential steps that you should undertake as soon as possible to ensure you comply with GDPR. 1 Map your data As a business, it s important to identify what data you store, where it comes from and how it is being processed. You need to pinpoint every way that a candidate provides their information and ensure the necessary consent is given to process that data list the existing systems that stores and collects candidate data. Make a note of where it comes from and the journey it takes through your business. The new GDPR legislation also means you ll be required to maintain records of how you process information within recruitment, therefore it s important to make a note of the data journey. Mapping data will allow recruitment departments to define the legal basis for processing candidates information. 2 Review data policies Your Privacy Policy will need to abide by the new GDPR regulations, therefore it s best to review this as soon as possible. A transparent Privacy Policy will give candidates more control over their personal data and highlight your business s data collection policy. Not only should this be easily accessible to candidates, but it should also clearly state what personal data you will collect, why it will be stored and how it will be processed, as well as how candidates can opt out, and when it will be removed. 3 Put procedures in place In case of a data breach, there needs to be certain procedures in place. A data breach can mean that a candidate may suffer from identity theft, therefore it s crucial the ICO is notified within a certain period to avoid a penalty. It is likely that you ll need to update these procedures before the new GDPR laws come into place May It is also imperative that any one who has access to candidate data is aware of what constitutes as a data breach and how to minimise the risk. You need to pinpoint every way that a candidate provides their information and state how it is used and who it is shared with. 12

8 How can recruitment software help? Recruitment software can help your HR department in numerous of ways when it comes to GDPR. If you already use a recruitment software, then many of the processes in place will come underneath the guidelines of GDPR and help you abide by the data protection rules. If you don t use recruitment software, here are a few ways that it can help. Candidate registration process A simple candidate registration process will help to obtain the necessary consent from all candidates before any data is stored. The registration process should provide candidates with access to your GDPR compliant Privacy Policy and request they manually tick a box to say that they are providing consent to have their data processed by the software provider and controlled by you. Controlled access to information In order to minimise the potential of unauthorised access to information, your recruitment software should help you address any potential compliance issues through workflow, structure levels, user group security settings, etc. Your recruitment software should also maintain a record of all processing activities. Secure candidate account Your software should provide candidates with the ability to manage the data you store about them. They should also be able to update this information, make amendments, control their job alert preferences (including the option to opt out completely) and deactivate their account at any time. It is also important that your software stores the date the candidate account was last updated, and the date applications are submitted to ensure you know how current the data is. Security measures As a data processor, it is the responsibility of the software provider to deliver a secure solution to store and manage candidate data. Here are some examples of security measures that will help keep data you hold safe and secure. Constant monitoring of network activity to highlight any suspicious activity. Controlled access to information using user groups and structure levels to control what each user can see and do. Prevent users from logging in after a set number of unsuccessful attempts to login. Control the ability to export or transmit candidate data externally. Automatically logging users out of the system after a set period of inactivity. Access to a full audit trail to identify who did what and when Anonymisation of all equal opportunities monitoring information and the ability to store this data separately from the candidate account. Rigorous security tests from external penetration testing companies. Create support verification codes for candidates and users to allow you to verify who you are speaking with before disclosing any information. Data purge settings Data purge settings and automated notifications will allow you to control the length of time data is retained in the system, help facilitate the process of removing inactive candidate accounts on your system and ensure that data is removed in line with your Privacy Policy

9 Why choose networx? networx support hundreds of HR departments to recruit every day! Our cloud based recruitment software is a modular solution that can be configured to support the specific needs of each organisation and provide the level of functionality required to manage and control the entire recruitment process online. Our comprehensive and fully managed candidate attraction and management services draw upon the expertise of skilled recruiters to help organisations reach top talent and fill vacancies in a time and cost efficient manner every time. The ability to combine our recruitment software with our highly successful recruitment services ensures we can support every stage of the recruitment process and deliver an unrivalled end to end solution. Assistance and advice regarding how recruitment software can support your compliance with GDPR Call or visit our website for more information