It’s only 6 months to go until the GDPR deadline, when all businesses must have implemented the changes to their data protection. If you have not started your strategy yet, we would recommend that you start giving it serious consideration.
Although GDPR will touch every department and element of your business, our focus here is your candidate data and what you need to do to stay within the law. That said, there are elements in this article that may be useful across the board.
Here are 10 tips to help you nail your recruitment GDPR strategy:
1. Get in the know with GDPR and what you need to do from a recruitment perspective
We have been running webinars on GDPR - Recruitment Essentials, and we will be hosting another one in January 2018. If you would like to attend, please email and we will send you the invite. There is also a great GDPR Recruitment Diagnostic document to complement this event too. In the meantime, start googling!
2. Establish who is responsible in the company for implementing the GDPR
Is it the Director, a Manager or a designated Data Protection Officer? Responsibility for GDPR seems to be landing in either the HR or the IT camp. Decide, and allocate an individual who will have overall responsibility. Many organisations are putting together working groups with staff members from all departments across their business. This can enable a more joined-up approach to auditing and implementing changes.
3. Audit your recruitment process
Review every aspect of your attraction and recruitment process. Where do you generate CVs from, how many CVs come into your business, what type of personal data do you receive, how does it come into your business, where is it stored and how is it processed? Who processes it, who else has access to it, how does the hiring manager remove it, what routines are in place, and how do you communicate all this to candidates?
4. Identify any potential breaches of security
Look at your current recruitment practices and storage of candidate data. Where could data be leaked or hacked? For example, a hiring manager with a CV folder on their PC is at a much higher risk of being hacked than a recruitment system hosted in a secure data centre.
5. Outline your ideal recruitment process
How do you want to see recruitment data handled? Think about the applicant journey, reasonable timescales and the use of data. Consider how you can standardise and automate the process so that candidates are aware of your GDPR statement when they apply and you gain consent to keep and process their CV. Who is involved in the recruitment process, and what access rights do they need?
6. Start writing your GDPR statement
Even if you just start with the bare bones of a statement and deal with elements like consent, storage, security, communication, portability and how applicants will be able to withdraw their application, it’s a start and something to build on. We are happy to share our GDPR statement with you if it helps.
7. Think about recruitment systems
Applicant Tracking Systems and other recruitment software platforms can help you automate and control candidate data with the click of a button. Many of the challenges GDPR has created can be quickly resolved with the right software and the right supplier in place. This is proving to be one of the most cost-effective ways to get compliant, and it will also help to line up your employer brand and direct hiring strategy. Now is a good time to think about change, and getting it right could have real, measurable benefits for your business.
8. Consider the training and development needs of your staff
Everyone who touches the application process must be aware of their obligations and of the company policy on GDPR and DPR. For example, if you have hiring managers in your business who are posting adverts on Indeed or Facebook and receiving all CVs into their inbox, do they know the law and how to process or remove that data to be compliant? If you are rolling out a new recruitment system, is everyone aware of the why and the how? How are you going to roll this out, and how are you going to monitor and manage compliance?
9. Know where everything is
Where is your email server? Where is the web server if you are using contact forms? Where are the data centres for your ATS? Get supplier contracts in place that outline what is stored where, and document it.
10. Nail your disaster recovery plan
What is your disaster recovery plan? What does it look like for all the places you store personal data: email, website and ATS? What will happen if there is a breach? You will need to inform the Information Commissioner’s Office and take appropriate action. Document and communicate.
Start talking to your staff, managers and directors. Outline what needs to be reviewed, recorded and actioned. Understanding GDPR is probably the easy bit; the challenges will come with auditing, changing ways of working, and monitoring and managing it.
There is a lot to think about, which is why we suggest you start the journey now. Keep Calm and Get Prepared for GDPR!