Is your company ready for the new GDPR legislation?
It’s happening. It’s happening now. Not on the 25th May 2018 as, by then it’s already too late.
GDPR, or the General Data Protection Regulation as it’s more formally known, is coming and every day that goes by between now and its launch date is a day lost in preparation.
There is definitely noise about it, there is hype and there are the usual suspects who are looking to capitalise on it (think Y2K) and, they probably will. In this case, it is very real and, GDPR is a substantial piece of legislation and is a significant advance on the 1995 EU directive (95/46/c) that is going to change how every organisation (across 28 member states) that utilises personal data operates and how they approach data protection.
All walks of business life are affected from your humble recruitment partner to your GP and even your supermarket loyalty card. In fact any organisation processing personal data that falls under the legislation will need to review how they operate.
The key areas of focus seem to be around the following:
- New rules around user consent
- Mandatory security notifications
- Data breach fines (the big numbers quoted below)
- Clearer definition of what is classed as Personal Data
- The rights for people wishing to access or delete their personal data held by organisations
There are a few scare stories currently floating around based upon “explicit consent” to hold data and what denotes “explicit”. Data breach fines of 4% of annual turnover or €20million are also of concern to most, as is the appointing of a GDPR specific data controller within your organisation but these aren’t revolutionary to data protection. More so an evolution of what we already have in the 1995 directive. They are not hard and fast either which is adding to the confusion surrounding GDPR.
The reality is that most of the key points in GDPR are similar to those of existing regulations. The likes of transparency, limitations of use and data security all remain, just with a little more clarity and expectation. What GDPR does do is highlight where many organisations can be found wanting in their current data protection compliance.
For Data Subjects
For consumers (or candidates and clients in my world) GDPR offers a number of rights. There is the right to easily access your personal information and even the right to port your data across to other providers which is an interesting aspect and one that will be hugely open to interpretation and maybe even contest. Any data breach will have to be notified within a 72 hour period and the right to be forgotten will be clarified and enforced. It’s all about transparency and the knowledge that your data is being used for its intended purpose and nothing beyond.
What it means for recruitment
This is a tough call and not one that I have the answers for right now. We are on our own journey to ensure that we remain compliant and that we are best representing our clients and candidates whilst protecting their data.
Recruitment revolves around personal data and recruitment companies require certain amounts of it to be able to match the best candidates with the best opportunities and vice versa. Deleting entire databases (as some are reportedly in fear of) is simply not viable although retaining masses of data on large swathes of candidates and clients who are largely out of regular contact is equally not an option. Our challenge is to identify what information can, and should, be stored and to clarify it, and its purpose, with the data subjects. This will have to be done regularly and finding the ideal way to engage is probably on the priority list of most recruitment companies.
What we should see off the back of GDPR (in recruitment at least) are better relationships being developed between candidate and recruiter and/or client and recruiter. More focussed, narrower and therefore more manageable data groups should bring about better customer loyalty and could actually drive the recruitment industry back to a time when recruiters intimately knew their market, their core candidates and their clients. This needs to be seen as an opportunity to be better.
One thing is for sure, six months is not a long time in business and if we want to ensure that we meet the deadline, we need to be acting now.