Getting Ready for GDPR: What Recruitment Firms Need to Know
Understanding the Basics of GDPR
Enforcement of Europe’s new General Data Protection Regulation (GDPR) begins May 25, 2018, and businesses across the globe are tasked with being compliant in just a few short months.
This new set of data privacy laws is intended to give European citizens increased control over how their data is collected, processed, stored, and transferred, and data collectors who aren’t compliant by the deadline risk facing significant financial penalties (up to €20 million or 4% of annual global turnover, whichever is higher).
Even if your business is based in the United States, GDPR could still impact you. If your firm is placing candidates who are residents of the EU, making placements on behalf of customers located in the EU, or has employees who are EU citizens, the GDPR applies to you.
How GDPR Impacts External Staffing & Recruitment Firms
At their core, recruitment businesses rely on collecting and utilizing the personal data of potential candidates, including contact information, resume databases, applications, public job boards, and social media profiles. Optimization and management of this personal data is critical to maintaining compliance with the GDPR. Three important things to remember are:
Transparency Matters: The GDPR requires you to be transparent and honest about the data you are collecting and how that data will be used. Whether you’re using data for placements, marketing, or automated processing, the reason for collecting, storing, and using this data needs to be made clear to your data subjects.
You’re More Liable for Data Management: Recruitment companies will be required to appoint a Data Protection Officer (DPO), report a data breach to GDPR authorities within 72 hours of discovery, and provide proof that your firm has a legal reason for collecting data on a particular subject or person.
Consent is King: The best way to prove the legality of retaining data is through active consent. Consent needs to be informed, specific, explicit, and in writing.
GDPR has the potential to completely disrupt and redefine how staffing and recruitment firms interact with candidates and customers. It is also an opportunity for firms to create data management practices that promote transparency and will ultimately lead to making quicker, better placements.
How GDPR Impacts Data Processors like Talent Rover
Under the GDPR, data processors like Talent Rover will also be directly obligated to notify our customers about breaches and to implement technical and organizational measures to protect personal data. At Talent Rover, we’ve opted to appoint a Data Protection Officer (even though we’re not required to do so) to help support our customers as they prepare for and navigate the GDPR.
The Definition of Data Processing
Under the GDPR, the definition of “processing” is very broad. It essentially means anything that is done to or with personal data. This includes collecting, storing, deleting, or even viewing that data. In other words, EU data protection law is likely to apply wherever an organization does anything that involves personal data.
*COMING SOON* Talent Rover’s GDPR Consent Tool
To help our customers become and stay compliant with the GDPR, we’re building a consent tool into our platform that automatically requests consent to collect, use, and store newly parsed candidate data. The tool will also retroactively request consent from candidates already in your system. This consent tool also tracks when consent was requested and given for each record, which is critical to your GDPR compliance narrative. Contact your Account Executive to get on the list for a demo of this tool as soon as it's ready!
Additional GDPR Information, Resources, and Training
- Talent Rover’s GDPR Page
- Talent Rover’s Security Page
- Information Commissioner’s Office Guide to the GDPR
- Salesforce GDPR Trailheads
As always, Talent Rover strives to keep our customers up-to-date about all important security and compliance-related information. Talent Rover is SOC2 compliant. To request a full copy of our SOC2 report please contact us at firstname.lastname@example.org.