The General Data Protection Regulation (GDPR) is a new set of regulations that will start to be enforced on May 25, 2018. The GDPR gives EU residents more control over their personal data. Non-compliance with the GDPR can result in fines of up to €20 million or 4% of global annual revenue, so your company needs to be ready!
We’ve separately published a detailed article for lawyers and compliance folks that explains how JobScore is preparing to help employers with GDPR Compliance.
This article is a checklist for recruiters and HR professionals who want to know exactly what needs to happen before the deadline. While we’ve consulted with a number of knowledgeable folks about this checklist and about how to configure JobScore to help with GDPR compliance, what’s included here is not legal advice. We strongly recommend that you get your own independent legal advice about GDPR and your company’s data policies.
Does my company have to comply with GDPR?
The GDPR applies to any company that does business in the EU and collects personal data from prospects, employees and candidates who reside in the EU.
So, in short, probably. If your company does business in the EU (has paying customers there) and/or you have employees who reside in the EU, you need to comply.
Even if that’s not true, some of your customers and partners may require that you be GDPR compliant. If in doubt, comply. The consequences for non-compliance are steep. Better safe than sorry.
1. Complete a data audit
GDPR is about more than recruiting data; it’s about how you handle personal information across your entire business. To successfully comply, your organization will have to conduct an audit of all of its systems and practices for handling personally identifiable information. As an HR or recruiting professional, we strongly recommend that you ask for help doing this and not try to lead an audit yourself.
Your first step to get help is to raise awareness of the need to be compliant. We recommend starting your communications with the potential penalties of €20 million or 4% of global annual revenue. Chances are folks on your leadership team will find some time and budget to help out when you share this.
2. Author your recruitment data privacy statement
Once you’ve completed your audit and made some decisions about your data policies, it’s time to draft your recruitment data privacy statement. This needs to be written in plain English (not legalese). It will be shown to job seekers when they apply to your jobs and emailed to candidates you source through other means.
While you definitely need to enlist the help of professionals to draft this statement, it's important that you thoroughly understand what it says and means as every job seeker is going to see it … and they’ll likely have questions.
This statement is effectively part of your company's candidate experience… so try to keep it helpful, simple and clear.
You can learn more about individual privacy rights and your company’s obligations in our GDPR summary article.
3. Ensure you notify job applicants about what you are doing
To ensure compliance, you’ll need to make sure that job applicants are shown your recruitment data privacy statement. The easiest way to do this in JobScore is to turn on our click-through agreement feature and include the statement there.
We also recommend that you publish your recruitment data privacy statement on your own company’s website. An alternative to the click-through agreement is to include a link to this statement in all of your job descriptions. Make sure to include the full URL (not linked text), as not all job boards we work with support hyperlinks.
4. Update your sourcing practices to be GDPR compliant
The GDPR also requires that you notify people who don’t apply (everyone you source by other means) about your data practices. To do this in JobScore, create an email template that includes information about your data practices and a link to the public recruitment data privacy statement on your website. Then send this email to everyone who doesn’t directly apply to one of your jobs.
We recommend that you work with an attorney to draft this email. You are likely going to send it a lot.
5. Update your job application forms
Your recruitment data privacy statement will need to explicitly cover what data you are collecting from job applicants and why. Once this is set, go through the job application forms you use in JobScore, including your custom questions, to make sure you are only asking for data that you need and is covered by your recruitment data privacy statement.
6. Follow your own data retention policy
As part of your recruitment data privacy statement you will need to define your data retention policy, that is, how long you intend to keep recruiting data. If you set a policy of deleting data after a given period, make sure you set up procedures to ensure you actually do what your recruitment data privacy statement says you are going to do.
7. Create procedures to handle individual privacy requests
GDPR gives individuals the right to ask for copies of their data, to request changes to it, or to have their personal information deleted. Make sure your company sets up a place where individuals can make these requests, and procedures to review and execute them.
Many of these requests will require accessing JobScore as well as other systems at your company. Ensure that the person in charge knows what to do, where to get what they need, and how to keep data in JobScore up to date.