Simply explained, what is GDPR?
GDPR stands for General Data Protection Regulation, a new European law which aims to unify and strengthen data protection for all individuals within the European Union. This new regulation was established by the European Commission to overhaul the current Data Protection Act 1998. Put simply, it seeks greater awareness, transparency and consent, with stricter criteria.
These data protection regulations will undoubtedly have huge implications for businesses. It is therefore time for your company to prepare for their implementation, which will take place on 25 May 2018, especially if you do not want to be fined up to €20 million or 4% of your global turnover.
What should I change in my company? Key facts and checklist
According to the Information Commissioner’s Office (ICO)’s free guide, here are 9 relevant points that you should pay attention to (the list is not exhaustive):
- You should inform the decision makers and your employees that the law is changing to GDPR. You should also inform them of the impact of the new regulation.
- You should identify how you collect, store and use candidates’ data and who you share it with, as part of the recruitment process.
For example, when you ask a candidate to send in his CV, you are collecting personal information about him. In this situation, the candidate must have been contacted by the recruiter and given the details of the vacant job before the CV is sent. As a result, you need to provide information on:
– how long the data will be retained for
– how it will be used or processed
– if the data will be shared or transferred and for which reason
– how the candidate can determine if you hold data on him
– how the candidate can rectify the data if there is a change or a mistake
– how he can exercise the right “to be forgotten” and make a deletion request
The GDPR requires companies to be able to show how they comply with the data protection principles, so you should document all of those points.
- You should update your procedures and plan how you will handle requests. The new time limit is one month instead of 40 days.
- You should identify the lawful basis for your processing activity in the GDPR, update your privacy notice and document it. The reason is that some individuals’ rights will be modified depending on your lawful basis for processing their personal data.
- You should review how you seek, record and manage consent and whether you need to make any changes. Consent must be freely given, specific, informed and unambiguous. This can affect some recruitment processes because implied consent is no longer available and, to become GDPR compliant, you should always wait for the candidate’s explicit permission or acceptance.
- You should make sure you have the right procedures to detect, report and investigate a personal data breach. Your company will bear direct responsibility, and the incident should be notified within 72 hours, following a notification procedure which has to be defined and documented beforehand.
In addition, your security process has to cover the storage of electronic documents and access to data. CVs or legal documents should, for instance, be retained in a secure place or in a secure database for a limited period.
- You should treat “privacy by design” as an express legal requirement, under the term ‘data protection by design and by default’ and, in certain circumstances, carry out a “Data Protection Impact Assessment” if data processing is likely to result in high risk to individuals.
“Data protection by design” means that companies are encouraged to secure the data from the beginning of the process, by implementing technical and organisational measures. For example, it is recommended to use pseudonymisation and encryption for data storage.
“By default”, companies should ensure that personal data is collected and processed with maximal privacy protection.
- You should designate a Data Protection Officer who would take the responsibility for data protection compliance.
- If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
- Many toolkits exist to help you become GDPR compliant. The companies behind them offer templates of GDPR documents. These are very complete but quite expensive.
- You can also engage an internal or external consultant or seek professional advice.
- You could explore ‘pseudonymisation’ of candidate data to reduce the risk of data processing.
- Make use of external “plug&play” services that are already GDPR compliant for the everyday tasks that involve private data about your employees.
- Automation of the recruitment/hiring process and storage of legal documents are technologies on the rise. Take a look at our article about “Automation in HR process”.