As of 25 May 2018, companies who collect personal data of EU residents have to become compliant with the GDPR (the General Data Protection Regulation). The 2018 GDPR recruitment implications are manifold and they involve giving individuals more control over their personal data, as well as simplifying the data protection environment.
HR and recruitment professionals rely heavily on personal data which they collect and store. In fact, decisions made throughout the recruitment process are based on personal information such as education or professional experience. What is more, the EU GDPR places the burden of compliance on the organization collecting and/or storing the data. For that reason, it’s in their hands to ensure compliance before the deadline arrives.
We’ve put together data on the effect the 2018 GDPR will have on recruitment and presented it in a handy infographic you can find below. Let’s get started!
GDPR recruitment implications: what you need to know
The GDPR applies globally to entities anywhere who control or process EU citizen data, including non-EU companies processing personal data of individuals in the EU.
The GDPR affects the recruitment process in a number of ways. This includes:
- Giving candidates enhanced rights, including “the right to be forgotten” (erased from records), the right to get a copy of their records, and the right to withdraw consent at any time
- Defining personal data more broadly, so the pool of protected data is now wider and includes names, locations and biometric data, as well as behavioral patterns and sexual orientation
- Making data processing policies transparent, with a clear and concise language used to avoid any confusion
- Collecting personal data from candidates only where you have a legitimate interest in their application
- Eliminating any method of default consent, such as pre-ticked boxes; consent obtained in the recruitment process must be unambiguous and freely given
For the purpose of GDPR recruitment compliance, all data acquisition and storage mechanisms must be reviewed and adjusted to meet the new requirements.
Penalties for GDPR recruitment non-compliance
You must implement appropriate means of detecting and reporting any breach that would constitute GDPR recruitment non-compliance. Please note that all data breaches must be reported within 72 hours. According to the regulation, “Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed”.
Failure to notify
Non-compliance with technical and organizational requirements (e.g. breach communications, impact assessments) may lead to fines of up to 10,000,000 EUR or 2% of annual global turnover (whichever is greater).
Failure to abide by the core principles of data processing (including the conditions for consent), infringement of data subjects’ rights, or transfer of data to other organizations that don’t ensure an adequate level of data protection may lead to fines of up to 20,000,000 EUR or 4% of annual global turnover (whichever is greater).
The stakes are high and 25 May 2018 is quickly approaching. Is your organization ready for the GDPR?
Please note: we’re not a law firm and the information provided in this post and infographic should be treated as general information only. It is not intended to constitute legal advice.
As usual, here’s a list of resources we’ve used while creating the infographic.