GDPR: What should you do first?
‘The GDPR is on its way!’ It’s been the refrain of the summer, hasn’t it?
Already there are a wealth of resources out there to help in-house recruitment teams prepare for the new legislation, from our GDPR hub to the ICO’s range of excellent templates and guidance.
But with checklists and guides, webinars and conferences, it can be easy to find yourself wading through information and wondering: Where do I start?
- Familiarise yourself with the key principles
For a simple run-down of the six key principles, our infographic for in-house recruiters might also be useful.
It would be sensible to begin saving checklists, guides and helpful documents in a shared Dropbox or other file sharing application, so you and your colleagues can read up on the new regulation and share knowledge throughout your organisation.
Two key points you should be aware of are transparency and accountability. Throughout all your steps to GDPR compliance, you need to keep these points in mind.
- Create an internal steering group
This point links to the principle of ‘accountability’ we mentioned above. Who in your organisation is going to take responsibility for progressing your actions to GDPR compliance?
No matter what size your organisation, you should establish a person, or team of people, to lead your GDPR actions. Some organisations, such as those in the public sector, will also need to appoint a dedicated Data Protection Officer.
Your steering group should meet regularly to ensure all departments are progressing the necessary actions for GDPR compliance. You should also add GDPR to board report agendas, and ensure it remains a topic of ongoing discussion and strategic importance in your organisation.
3. Start your data mapping exercise
Data mapping is the process of identifying, understanding and documenting the flow of data that comes in and out of your organisation.
For an in-house recruitment team, this could include when and how you collect data from your candidates. This could be from direct applications, through agencies or via referral schemes. You should also look at when you source candidates directly from social media, when candidates register for job alerts or when you add them to a talent pool, and so on. You’ll then need to review how much of that information constitutes ‘personal data’, and document how you process and store it.
This is a lengthy task, and may require the involvement of all stakeholders. Your GDPR steering group should ensure that your data mapping exercise is a business priority and is completed comprehensively and satisfactorily.
Check the ICO for a data mapping template to help you get started with this exercise.
- Define (and document) your legal bases
A legal basis is your justification for why you are processing personal data in a particular way.
The GDPR sets out legal bases in Article 6 of the regulation. During your data mapping process, you should identify the legal basis (or multiple bases) that justify how and why you collect, process and store personal data in your organisation.
You may find different legal bases are applicable to different stages of your data collection or retention.
- Review your privacy notices
Earlier we referenced that key principle of ‘transparency’.
Part of GDPR compliance is being utterly open about how you intend to process (use) and store people’s data, and what your legal basis is for doing so.
You should communicate these points in your privacy notice.
Your privacy notice should also include information such as whether you intend to share that data with third parties, how long you will store it for, and your organisation’s identity and contact details.
Ensure you review your existing privacy notices and update them accordingly, including as much of the above detail as possible.
You should also check whether the notices are easily accessible (in this context, let’s say a link needs to be clearly visible on your careers site), and whether candidates can access your privacy notice at every stage when you gather their information.
- Seek legal advice!
As you’ll see from the disclaimer below, we are not qualified to legally advise you ahead of the GDPR.
As such, we would always recommend that you speak to a suitably qualified lawyer who can help ensure you are meeting your obligations as a responsible and diligent data controller.
Find out more
GDPR: What should you expect from your ATS provider?
Do you know the 6 key principles of the GDPR?
Should the GDPR affect how you choose an ATS?
Disclaimer: The information in this blog post concerning technical legal or professional subject matter is for guidance only, and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter.