GDPR, or the General Data Protection Regulation, was set out by the EU to enhance users' control and rights over their personal information and to streamline the regulatory process for international businesses. It gives users a choice and informs them how companies are using their data. If a user does not give a company consent to use their data, the company would need to delete all personal information about them. However, a lot of businesses do not comply and end up paying fines. Do not worry, you are not alone here. Google, Amazon, H&M and a lot more brands have paid millions of dollars in fines for not complying with the GDPR rules and regulations.
We have created a checklist to help you understand and build the foundations:
Appoint a Data Protection Officer – A data protection officer is required, by law, to make sure that GDPR requests are replied to and handled properly. A data protection officer can be someone internal to the team or appointed through an external agency, depending on your organization.
Send consent emails from time to time – If you are adding a candidate’s personal information manually, you need to contact them via email and get their consent. You could also get their consent on a call, but please make sure to record the call for record-keeping purposes. Did you know that Recruitly can automatically track calls, record them and store them against the relevant records? Check out https://recruitly.io/aircall/ and https://recruitly.io/dialpad/ or talk to us for more information.
Delete candidate data if they deny your consent request – If a candidate denies giving you consent, it is probably a good idea to delete their information immediately to avoid any legal and/or compliance issues. If you are using Recruitly, instead of deleting candidate data, you can simply use Data Anonymization. This will make sure that all of the candidate’s personal information is deleted, but you can still see them when you generate reports or run analytics anonymously.
Automating GDPR emails/consent requests – Automation can help reduce human error and improve efficiency. It is probably a good idea to automate your GDPR emails so that you can make sure that consent has been requested from all your candidates. You could also automate certain triggers that delete a candidate’s information, should they not give their consent. This can be helpful and can save a lot of time.
Data Cleansing – Though strictly not part of GDPR compliance, it will help you reduce risk if you cleanse the data regularly and remove candidates that are no longer working with you or that have very old/expired CVs.
Although this is obvious, we would also recommend keeping a record of all the consent requests that you have and storing them somewhere in case there is an audit. Speaking of audits, we would also suggest following this checklist if you want to get ready for an external audit. This will help you avoid roadblocks and get you a GDPR compliance certification. And if you are in the market to be GDPR compliant, we would suggest Vanta. They provide other compliance certifications like ISO 27001 and SOC2, along with GDPR certification.
To conclude, GDPR policies are sophisticated, and for a reason. I hope this checklist helps you understand the basic measures companies should take to kick off their compliance journey. If you are just starting to tighten up your GDPR compliance, this might be a good place to start.
If you are a recruiting agency, Recruitly has a way to configure all the steps mentioned above automatically. Recruitly can help you send out automated GDPR consent requests, assign a Data Protection Officer within the organization to whom the emails will be forwarded, and send bulk emails to candidates asking them to give consent. It also has pre-made templates if you want to manually send out the GDPR consent request emails.
This is just part of what we do to help recruitment agencies streamline their work and increase productivity. For more information about how we can help recruiting agencies, check us out on recruitly.io.