By now, we’ve all witnessed the collective panic that is the recruiting industry’s response to the General Data Protection Regulation (GDPR). Despite advance notice of the 25 May launch date, many recruiting teams are only just drawing up the lines between legal and HR. They’re far from ready.
But the truth is, if you haven’t begun to action your GDPR checklist, it’s unlikely you’ll be ready when GDPR finally arrives. So what should you consider as a matter of urgency?
Carry out a data risk assessment
Start by reviewing how you manage personal data across your organisation. From understanding the data you’re requesting, to how that data is stored and what you’re using it for, a data risk assessment identifies any data protection, information security and privacy risks.
Risk assessments also help organisations classify processing activities according to the risks to the individual. Everyone who accesses and holds data is accountable. Assessments bring compliance to the fore and help teams devise appropriate mitigations. “But we’ve always done it this way” is not a good excuse. The old ways of working are no longer valid.
It’s likely you’ll uncover all manner of horrors at this stage; no, it’s not ok that your desk drawer is full of old resumes. And that folder on your desktop labelled ‘Good ones to keep for later’ might also need attention.
Choose the right hiring tool
Risk assessment complete, now’s the time to evaluate your recruiting software. You might find that your current tools aren’t quite cutting it. All the good will in the world won’t help if you’re storing your data in a leaky bucket. Using a robust recruiting tool—whether it’s a Candidate Relationship Management tool or an Applicant Tracking System (ATS)—is a great foundation for GDPR compliance.
The best tools will be GDPR-compliant. They will add efficiencies to your organisation’s recruiting processes and be flexible enough to support future compliance obligations. Better to prepare and embed change now than wait until 25 May and hope everyone can make the quick switch.
But your responsibility to regulation doesn’t stop there. Whatever tools you choose to implement, they should augment a compliant culture.
Build a GDPR compliant culture
Communications theorist and sociologist Everett Rogers argues that “diffusion is the process by which an innovation is communicated over time”. He identifies four main elements which influence the spread of a new idea: the innovation itself, the communication channels, time, and a social system. While the GDPR will mandate change, the compliance departments that want to make this happen should acknowledge the need to change behaviour.
For Rogers, the adoption of any new system across an organisation can be split into different adopter groups: innovators, early adopters, early majority, late majority, and laggards. The GDPR must become part of corporate culture—organisations are both the aggregate of its individuals and its own system with a set of procedures and norms. Adopting new behaviours where data and privacy are concerned is important for the whole organisation. GDPR compliant organisations simply can’t afford to have late adopters or “laggards”.
By 25 May, recruiters and human resources professionals will need everyone on the team to understand their own role in data gathering and processing. And new processes and expected behaviours will need to be written down as policy. It’s the responsibility of everyone in the organisation to take on board the regulations, adopt them as behaviours and embed them as culture. With clear standards set, everyone can align with updated expectations, from established members of the team to new recruits.
Don’t wait to take action
Changing to a modern, GDPR compliant ATS is now relatively painless. Making a cultural change can take a lot longer. Perhaps it’s finally time to sort through that folder full of resumes? However you plan to start, the time to act is now.
To find out more, watch a video of our Q&A with a leading lawyer in the field of data privacy and security:
- What you need to know about GRPR and recruiting if you’re based in the EU or UK
- What you need to know about GDPR and recruiting in the USA and outside Europe.