Since its implementation in 2018, GDPR regulations have affected a majority of organisations, not least companies that recruit talent. Assembling and processing voluminous and sensitive data requires companies to act as role models when it comes to GDPR compliance.
Let’s decipher what GDPR means for online recruitment in terms of Fundamental rules, goals, specifics, and sanctions.
On May 25, 2018, the GDPR (General Data Protection Regulation) emerged in the digital world. This regulation aims at monitoring personal data processing within the European Union.
1. LEGITIMACY, LOYALTY AND TRANSPARENCY: THE GDPR’S MAIN PRINCIPLES
"Lawful, fair and transparent: these are the three obligations that data processing organisations must meet, according to the GDPR."
Before extracting and exploiting data, an HR company must therefore ask itself three questions:
- How is this data useful to my recruitment process?
- What data do I really need?
- Do I have the user's consent to collect and use this data?
In addition to these elements, any company wishing to harness user data must also:
- Provide a limited retention period for this information.
When it comes to HR data, this duration is naturally short: experience, skills or qualifications of a candidate are bound to evolve regularly.
- Ensure the safety of collected data
- Be able to demonstrate day-to-day compliance, in terms of collecting and using personal data.
2. THE CONSEQUENCES IN THE EVENT OF NON-COMPLIANCE WITH OBLIGATIONS
Companies may be fined from 2 to 4% of their worldwide turnover (depending on GDPR violations, with thresholds of €10 or €20 million).
In practice: if the 2% of the incriminated company's turnover is less than 10 million euros, the CNIL will choose the highest amount, i.e. a fine of 10 million euros.
These main principles are nothing new. They were already included in the Data Protection Act of 1978. The European regulation simply provides more severe sanctions and adapts to the widespread use of digital tools.
3. THE USER HAS TO REMAIN IN CONTROL OF HIS DATA
The user benefits from the European regulation in two ways:
- Understanding data processing
When engaging in a recruitment process, the candidate has the assurance that his data will be used only for recruitment purposes. He also has the guarantee that they will not be passed onto other companies.
- Having the right of access, but also of deletion, modification, and transferability of one’s data. The user can also decide to withdraw his consent or to oppose his data processing.
Upon request, the company has one month to respond. Failing that, the user can file a complaint with the CNIL, report the company to the regulators and to possible sanctions.
4. INCREASING VIGILANCE DURING AN HR PROCEDURE
Collection of personal data is the lifeblood of any HR procedure. It’s therefore essential for the collecting company to be in compliance with the GDPR obligations.
All-the-more as collecting such data implies processing rather sensitive information (such as disability, criminal records or union member status). In that case, the company is obligated to secure and make sure collecting such information is necessary to the recruitment process.
Another reason to pay utmost attention is in the event of an infringement, the CNIL may make the sanction or formal notice public. This can be damaging for the company and its employer brand, which they so strive to highlight for candidate attraction. This type of event could be detrimental to the employer brand and damage the trust with future employees.
5. ENSURING THE LAWFULNESS OF COLLECTED HR DATA
Whether carried out by the company or by third parties, HR data collection implies setting up several measures to ensure lawfulness.
- Carrying out an audit through a lawyer
The goal is to ensure that data processing set up complies with the main GDPR principles: reasonable retention period, implementation of information documents for the collection of consent, completion of contracts with every third-party provider, etc.
- Ensuring that internally collected data is secure and that employees have limited access rights
- Implementing procedures for each employee to respect during data processing, in order to prevent data leakage.
- Raising awareness amongst employees regarding the importance of securing data and respecting procedures.
- Designating a DPO (Data Protection Officer) in charge of controlling processing and compliance with security procedures within the company.
6. DATA PROCESS REGISTER: MANDATORY AND PREVENTIVE
Maintaining a processing register (as dictated by the GDPR) is also an effective method to ensure data processing stays within the confound of the Law.
This simple file allows to track and document data processing, involve people, and put security measures in place as well as make data transfer across countries possible.
Companies can also create other registers to better manage their data. Amongst them is the data breach register. In the event of hacking, it makes it possible to date the incident and steps taken to solve the problem. Note that this is not a GDPR obligation.
You can also set up a listing register to track and date all user requests. A useful measure to answer any possible complaints accurately and to justify the actions undertaken to the CNIL if needs be.
7. HR SPECIFICITIES
The main principles of the GDPR are the same for all companies, whether or not they are in HR.
There are however specific terms known as "benchmarks", specific to the HR sector.
It’s goal is to deepen certain guidelines such as the retention period, the type of data companies can collect from candidates, etc.
The simplified 46 standard, published by the CNIL, is one of these. To this day, it still makes up a solid basis for HR data processing to be considered lawful.
8. LEGISLATION IS EVOLVING
Two major changes are expected in the coming months:
In parallel, the CNIL presented a draft recommendation on consent collection, in terms of cookie storage and personal data processing from tracers.
These much awaited provisions will definitely have an impact on the big data economy. There is no doubt the market has what it takes to adapt.
On the same topic: