An administrative burden, certainly, but ultimately a benefit for every business: the General Data Protection Regulation, or GDPR for short, is drawing nearer, and unless you have a spare €20 million (or 4% of annual global turnover, whichever is higher) to spend on non-compliance fines, the time to review your practice is now.
We sat down with Invenias CFO Andy Warren to condense the 88-page regulation into three key points that in-house executive search teams need to be aware of, and the actions to take if they are to be compliant.
1. Clean up your talent database!
The GDPR requires that personal data be processed lawfully, fairly and transparently, collected only for specified purposes, kept accurate, and limited to what is necessary for those purposes; processing that overrides individuals' rights, freedoms and interests is not permitted. In recruitment, such data can relate to candidates' age, address, education, skill sets, references and interview performance.
Until now, recruiters have gathered this data from LinkedIn, job boards, official registries, or from past interviews. But an ever-growing talent database may well include outdated, false or harmful information. The GDPR will force in-house recruitment teams to review all this information and make sure they only keep what is necessary, accurate and verifiable, and to delete the rest.
2. Know what constitutes ‘harmful data’
Harmful data, in this case, can refer to a previous employer's extreme or negative opinions regarding a candidate's suitability for a role. If such an opinion rests on personal views rather than reasonable, documented facts, and could damage the candidate's reputation, it constitutes harmful data and should not be retained or used moving forward.
3. Clearly demonstrate all methods of compliance
The first step is to go through all your data and identify a lawful basis for holding it. The GDPR lists six lawful bases for processing personal data (Article 6); the three most relevant to recruitment are:
- Legitimate interest: the processing is in the legitimate interest of the business, and that interest is not overridden by the rights, freedoms and interests of the candidate.
- Candidate consent: the candidate has been clearly informed about how their data will be used and has freely given their consent. Bear in mind that they can withdraw that consent at any time, and withdrawing it must be as easy as giving it.
- Contractual necessity: the processing of data is necessary to enter into or perform a contract with the candidate.
The next step is to review and update your technical and organisational measures, including your internal policies and procedures, to ensure you comply with the new legislation. Under the GDPR you must be able to demonstrate how you comply (the accountability principle), so keep a record of every measure you take and the lawful basis for each category of processing, and be prepared to show it to the supervisory authority in the event of an audit or investigation.