Recently, discussions with my clients have been increasingly drawn to the subject of “GDPR”.
What is it? How is it going to affect us? What do we need to do to deal with it? Do we need to do anything at all?
Despite significant coverage in niche technology and data-focused online news sources, it is still relatively unknown in some of the less data-led industries, recruitment among them.
Those of my clients (recruitment agencies) who have heard of GDPR have tended to react in a number of differing ways, ranging from nonchalance and denial through to full-blown panic - not least due to the eye-watering fines associated with non-compliance! As 25 May 2018, the date from which the regulation applies, draws nearer, it seems a good time to try and answer some of the basic questions around this new regulation.
It's worth noting that every business affected by GDPR will require a different set of actions in order to become compliant, so this post is meant as a guide, not a set of rules.
So, in a nutshell, what is it?
Essentially, GDPR (the General Data Protection Regulation) is a significant change in the law on the use of individuals' personal data. It will affect every business that collects, stores, processes or transfers the personal data of people in the EU, wherever that business is based. Personal data is defined broadly as any information relating to an identified or identifiable person, so it covers many forms, including databases, contact lists, CRM/ATS records, CVs and so on.
OK, so how does it affect me?
GDPR will affect every business differently, but it will change the way personal data is used. The new regulation clamps down on the unrestricted use of personal data and tips the balance significantly in favour of the individual, giving them far more control over how their personal data is used, who has access to it and what content they receive. The net effect is that marketing (in whatever form it comes) will become far more targeted, and you (as a consumer) should only be contacted by organisations about the specific opportunities and products you have personally vetted and agreed to hear about.
So for a recruitment agency, what's does this mean?
As an agency, you will need to make changes to become compliant across several areas of the business, including (but not restricted to):
Contracts - updated to set out a clearly defined data policy, including data security
Processes - reviewed, with any gaps in data security closed
Databases - organised, with any loose files/profiles cleared out
OK, anything else?
Yep! The primary aim of the upcoming changes is to give the consumer what they ask for and to minimise the irrelevant content, offers and spam they receive. It becomes the business's responsibility to have a lawful basis for contacting an individual about specific content; for recruiters that will usually mean the candidate's consent (GDPR does recognise other lawful bases, such as legitimate interests, but these have to be assessed and documented rather than assumed). In practice it means you would need the OK from a candidate before contacting them about any opportunities other than the one they originally applied for.
Another significant change under GDPR is the individual's right to erasure, often called the right "to be forgotten". If there is no justifiable reason for you to hold personal details about a person, those records will need to be deleted, in line with your data policy, and an individual can also ask you to delete the data you hold on them. For the recruitment industry this applies to historical CVs or profiles you may have floating around on your CRM which have not been contacted or acted on for a significant period of time, or which are no longer accurate.
And what if I don’t comply?
The ramifications of non-compliance are likely to reflect the severity and scale of the breach, but the maximum fines under GDPR, which the ICO will enforce in the UK, are €20m or 4% of annual worldwide turnover, whichever is higher. Clearly, fines at these levels are not to be sniffed at, and it remains to be seen how they will be applied in practice come May next year, but it is important to remember that the regulator's aim is to change the way data is used in order to protect consumers, not to collect cash from every unsuspecting business it can. That said, the stance taken is designed to ensure the change is adopted across the board and not ignored by any business that falls within scope.
With 70% of all UK job board advertising running through Broadbean, we have just as much, if not more, responsibility to become compliant, and we have been taking significant steps to ensure that we are by 25 May 2018 and that our clients are not put at any risk through using our services.
GDPR places obligations directly on "data processors" (third parties that handle personal data on your behalf) as well as on the businesses that control that data, so taking action should be of paramount concern to every supplier you use, and you should be asking each 3rd party supplier how they are planning to tackle the issue.